Two-factor authentication

Category:

What is two-factor authentication?

Search for the answer with Google: Two-factor authentication is a system that uses time synchronization technology. It uses a one-time password based on the three variables of time, event and key to replace the traditional static password. Each dynamic password card has a unique key, which is stored on the server side at the same time. During each authentication, the dynamic password card and the server are based on the same key, the same random parameters (time, event) and the same The algorithm calculates the dynamic password for authentication to ensure the consistency of the password, thus realizing the authentication of the user. Because the random parameters are different for each authentication, the dynamic password generated each time is also different. Since the randomness of the parameters in each calculation ensures the unpredictability of each password, the security of the system is guaranteed in the most basic password authentication link. Solve the major losses caused by password fraud, prevent malicious intruders or man-made sabotage, and solve the intrusion problem caused by password leakage.

In fact, this is not completely correct. To be precise, this is too one-sided and not comprehensive enough. As the name suggests, “two-factor” is to add a factor to the original “username + static secret” to determine the user’s identity to ensure It is the user who logs in. At present, all I know are: dynamic password, scan code, message push, email authentication, fingerprint, face, iris, voice, U disk certificate, etc., so dynamic password is one of two-factor authentication , It’s just the most widely used at present.

The core of two-factor identity lies in “identity determination”! So simply speaking, it can add a factor to determine identity on the basis of username + static password, which can be called two-factor authentication.

Let’s talk about the two-factor authentication methods mentioned above:

The first is the dynamic password:

Dynamic password is currently the most widely used two-factor authentication method. When we log in to various websites or APPs, we usually need SMS verification codes to determine whether it is personal operation. This is the most common among individual C-side users. It is also the most effective way. But among B-end enterprise users, SMS verification codes are rarely used! First, the SMS verification code is completely dependent on the operator’s signal, which is poor in timeliness. Furthermore, the mobile phone SMS has the risk of being hijacked and the security level is low.

Companies generally use the following token forms when using dynamic passwords:

Hardware token

APP token

WeChat Applet Token

Nail token

PC token

WeChat Official Account Token

 

Although the same is a dynamic password token, the authentication logic and process are different. The mobile phone verification code and WeChat official account token authentication principles are similar: the client applies for a dynamic password to the authentication server, and the authentication server generates the dynamic password and sends it through SMS The gateway or WeChat official account server sends it to the client in the form of a short message verification code or WeChat official account message. The general login process is as follows (SMS as an example):

Prerequisites:

The business system and the certification system are connected;

The enterprise user source and authentication system are synchronized;

The SMS gateway and the authentication system are connected;

Certification process:

The user enters the user name + static password to apply for access to the business system;

The business system sends the request information to the enterprise user source for preliminary verification through the API interface;

The enterprise user source verification is successful and the verification is passed;

The business system applies to the authentication system for a dynamic password through the API interface;

Generate a dynamic password and let the SMS gateway send the dynamic password to the mobile phone number bound to the applying user;

The SMS gateway executes the dynamic password sending instruction;

The user’s mobile phone receives the SMS verification code;

The user enters the verification code for a second access application (secondary verification of identity);

The business system sends the request information to the authentication system through the API interface for dynamic password verification;

The certification system is successfully verified and passed the verification;

Successfully log in to the business system.

Note:

1. The WeChat official account authentication process is the same as the SMS authentication. The user account is bound to the WeChat server and the SMS gateway is replaced with the WeChat server;

2. The email authentication process is the same as the SMS authentication, and the SMS gateway is replaced with a mail server;

Hardware tokens, APP tokens, WeChat applet tokens, and PC tokens are very similar. The logic is: built-in encryption algorithm, clock, secret key, and constantly generate new passwords as time changes. The authentication server with the same encryption algorithm, clock, and secret key performs password comparison to achieve dynamic password verification. The general login process is as follows:

Prerequisites for certification:

The business system and the authentication server complete the docking;

Enterprise user source and complete docking;

The authentication token is bound to the user;

Rough login process:

The user enters “username + static password + dynamic password” to access the target host;

The target host simultaneously sends the user name and static password to the enterprise user source for static authentication through Radius Client or API, and sends the user name and dynamic password to the authentication server for dynamic authentication;

User source and feedback on certification respectively;

If and only if the static password authentication and dynamic password authentication pass at the same time, the access can be successful, otherwise the login fails;

Let’s talk about scan code login

Scan code login is also widely used. For example, the commonly used WeChat PC terminal uses mobile phone terminal scan code login, shopping websites use mobile phone APP scan code login, and some various websites use WeChat scan code login. The basic principle is: Complete the user identity confirmation on the mobile APP, and then authorize login by scanning the code. This is similar to the mobile phone APP token and WeChat applet token mentioned above, and the mobile phone is used as the basis for judgment. However, the enterprise-level scan code login is different. The general process of scan code login is as follows;

Prerequisites:

The business system and the certification system are connected;

The enterprise user source and authentication system are synchronized;

The external network message server completes the docking with the authentication system;

The mobile APP has been activated for authentication;

Certification process:

Scan the QR code of the page with the mobile APP that has been activated and authenticated;

The mobile APP sends the authorized login information to the external network message server;

The external network message server forwards the login information to the authentication server;

The authentication server allows login;

Successfully logged in;

Then talk about message push

Speaking of the message push login method, what we usually do is that when WeChat logs in to the PC, it can be directly pushed to the mobile phone to confirm the login. This message push method of WeChat has a premise: you have logged in before, that is, you have authorized it, and then save User information will be pushed directly the next time you log in.

However, in the enterprise message push, a special APP needs to be activated and authenticated, and then the confirmation can be pushed directly when logging in. The basic principle of enterprise message push authentication is: when the client logs in to the system, it sends a login application to the server, and the server sends a login confirmation to the APP. The general login process is as follows:

The following content is visible to members

You do not have permission to read this content, click here to become a member and refresh this page to read it

Reviews

There are no reviews yet.

Be the first to review “Two-factor authentication”

Your email address will not be published. Required fields are marked *