Two-factor authentication

What is two-factor authentication?

Searching for the answer on Google turns up this definition: two-factor authentication is a system based on time-synchronization technology. It uses a one-time password computed from three variables (time, event and key) to replace the traditional static password. Each dynamic password card has a unique key, and a copy of that key is stored on the server side. At each authentication, the dynamic password card and the server compute the dynamic password from the same key, the same random parameters (time, event) and the same algorithm, and the two values are compared to ensure they are consistent, which is how the user is authenticated. Because the random parameters differ at every authentication, the dynamic password generated each time is also different, and since the randomness of the parameters makes each password unpredictable, the security of the system is guaranteed at the most basic link, password authentication. This addresses the heavy losses caused by password fraud, guards against malicious intruders and deliberate sabotage, and solves the intrusion problem caused by password leakage.

In fact, this is not entirely correct; to be precise, it is one-sided and not comprehensive enough. As the name suggests, “two-factor” means adding one more factor, on top of the original “username + static password”, to determine the user’s identity and make sure it really is the user who is logging in. The factors I currently know of are: dynamic password, scan code, message push, email authentication, fingerprint, face, iris, voice, USB-key certificate, and so on. The dynamic password is therefore only one kind of two-factor authentication; it just happens to be the most widely used at present.

The core of two-factor authentication lies in “identity determination”. Put simply, anything that adds one more identity-determining factor on top of username + static password can be called two-factor authentication.

Let’s talk about the two-factor authentication methods mentioned above:

The first is the dynamic password:

The dynamic password is currently the most widely used two-factor authentication method. When we log in to websites or APPs, we usually need an SMS verification code to prove that the operation is really ours. This is the most common, and also the most effective, form among individual consumer (C-side) users. Among enterprise (B-side) users, however, SMS verification codes are rarely used: first, the SMS code depends entirely on the carrier’s signal, so delivery is slow and unreliable; second, SMS messages can be hijacked, so their security level is low.

Companies generally use the following token forms when using dynamic passwords:

Hardware token

APP token

WeChat Applet Token

DingTalk token

PC token

WeChat Official Account Token

Although they are all dynamic password tokens, their authentication logic and processes differ. The mobile phone verification code and the WeChat official account token work on a similar principle: the client requests a dynamic password from the authentication server, the authentication server generates it and sends it through the SMS gateway or the WeChat official account server, and it reaches the client as an SMS verification code or a WeChat official account message. The general login process is as follows (taking SMS as an example):

Prerequisites:

The business system is connected to the authentication system;

The enterprise user source is synchronized with the authentication system;

The SMS gateway is connected to the authentication system;

Authentication process:

The user enters username + static password to request access to the business system;

The business system sends the request to the enterprise user source for preliminary verification through the API;

The enterprise user source verifies the credentials and passes the request;

The business system requests a dynamic password from the authentication system through the API;

The authentication system generates a dynamic password and instructs the SMS gateway to send it to the mobile number bound to the requesting user;

The SMS gateway executes the sending instruction;

The user’s mobile phone receives the SMS verification code;

The user enters the verification code and submits a second access request (secondary verification of identity);

The business system sends the request to the authentication system through the API for dynamic password verification;

The authentication system verifies the dynamic password and passes the request;

The user successfully logs in to the business system.

Note:

1. The WeChat official account process is the same as the SMS process, except that the user account is bound to the WeChat server and the SMS gateway is replaced by the WeChat server;

2. The email process is the same as the SMS process, with the SMS gateway replaced by a mail server.
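The authentication-system side of the SMS, WeChat and email flows above, as an added illustration (not code from the original article or any product it mentions): the server generates the code with a CSPRNG, stores only a keyed hash of it with an expiry, limits guesses, and accepts each code once. The `send` callable stands in for the SMS gateway or mail server; names and the 5-minute TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 300       # seconds a delivered code stays valid (assumed policy)
MAX_ATTEMPTS = 5     # guesses allowed per issued code before it is burned


@dataclass
class PendingCode:
    digest: bytes      # keyed hash of the code; the plain code is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies delivered one-time codes (hypothetical design)."""

    def __init__(self, send):
        self.send = send                         # callable(address, code): the gateway
        self.pending = {}                        # username -> PendingCode
        self.pepper = secrets.token_bytes(32)    # server-side key for hashing codes

    def _digest(self, username, code):
        return hmac.new(self.pepper, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username, address, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never random.randint
        self.pending[username] = PendingCode(self._digest(username, code), now + CODE_TTL)
        self.send(address, code)                     # hand the code to the gateway

    def verify(self, username, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None or now > entry.expires_at:  # unknown user or expired code
            self.pending.pop(username, None)
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:            # too many guesses: burn the code
            del self.pending[username]
            return False
        if hmac.compare_digest(entry.digest, self._digest(username, code)):
            del self.pending[username]               # single use: consume on success
            return True
        return False
```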

Hardware tokens, APP tokens, WeChat applet tokens and PC tokens are very similar. The logic is: the token has a built-in cryptographic algorithm, clock and secret key, and continually generates new passwords as time advances; the authentication server, holding the same algorithm, clock and secret key, computes its own value and compares the two, which is how dynamic password verification is achieved. The general login process is as follows:

Prerequisites for authentication:

The business system is connected to the authentication server;

The enterprise user source is connected to the authentication server;

The authentication token is bound to the user;

Rough login process:

The user enters “username + static password + dynamic password” to access the target host;

The target host sends the username and static password to the enterprise user source for static authentication through a RADIUS client or API, and at the same time sends the username and dynamic password to the authentication server for dynamic authentication;

The user source and the authentication server each return their authentication result;

Access is granted if and only if both the static password authentication and the dynamic password authentication pass; otherwise the login fails.

Let’s talk about scan code login

Scan code login is also widely used. For example, the WeChat PC client logs in by scanning a code with the mobile client, shopping websites log users in by scanning with their mobile APP, and many websites offer WeChat scan-code login. The basic principle is: user identity is confirmed on the mobile APP, which then authorizes the login by scanning the code. This is similar to the mobile APP token and WeChat applet token described above, in that the mobile phone is the basis for the decision. Enterprise-level scan code login is different, however. The general process is as follows:

Prerequisites:

The business system and the certification system are connected;

The enterprise user source and authentication system are synchronized;

The external network message server is connected to the authentication system;

The mobile APP has been activated for authentication;

Authentication process:

The user scans the QR code on the page with the mobile APP that has been activated for authentication;

The mobile APP sends the authorized login information to the external network message server;

The external network message server forwards the login information to the authentication server;

The authentication server allows the login;

The user is logged in successfully.

Then let’s talk about message push

As for login by message push, what we usually see is that when WeChat logs in on the PC, a confirmation can be pushed directly to the mobile phone. WeChat’s push method has a precondition: you have logged in before, that is, you have already authorized it, and the saved user information lets the confirmation be pushed directly the next time you log in.

In enterprise message push, however, a dedicated APP has to be activated and authenticated first; after that, the confirmation can be pushed directly at login. The basic principle of enterprise push authentication is: when the client logs in to the system, it sends a login request to the server, and the server sends a login confirmation to the APP. The general login process is as follows:

Prerequisites:

The business system is connected to the authentication system;

The enterprise user source is synchronized with the authentication system;

The external network message server is connected to the authentication system;

The mobile APP has been activated for authentication;

Authentication process:

The user enters username + static password to request access to the business system;

The business system sends the request to the enterprise user source for preliminary verification through the API;

The enterprise user source verifies the credentials and passes the request;

The business system requests a login confirmation from the authentication system through the API;

The authentication system sends the login confirmation request to the external network message server;

The external network message server forwards the login confirmation request to the user’s mobile APP;

The user’s mobile APP receives the request and the user confirms the login;

The external network message server forwards the confirmation to the authentication server;

The authentication system returns that authentication has passed;

The user is logged in successfully.
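What the authentication server should check when the confirmation comes back through the external message server, as an added example (not code from the original article or from any enterprise product): the confirmation must name a still-open request, come from the APP that was activated for that user, and be usable only once. The device key shared at activation, the HMAC-signed confirmation and the 60-second request lifetime are assumptions of this illustration.

```python
import hashlib
import hmac
import secrets

REQUEST_TTL = 60   # seconds a login confirmation request stays open (assumed policy)


def sign_confirmation(device_key: bytes, request_id: str, username: str) -> str:
    """What the activated APP computes when the user taps 'confirm' (assumed format)."""
    msg = f"{request_id}|{username}|confirm".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushAuthServer:
    """Authentication-server side of the push-confirmation flow (hypothetical design)."""

    def __init__(self):
        self.device_keys = {}   # username -> key shared with the APP at activation
        self.pending = {}       # request_id -> (username, expires_at)

    def activate_app(self, username: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[username] = key
        return key              # delivered to the APP during activation

    def request_confirmation(self, username: str, now: float) -> str:
        request_id = secrets.token_urlsafe(16)     # unpredictable, one per login attempt
        self.pending[request_id] = (username, now + REQUEST_TTL)
        return request_id       # forwarded to the APP via the external message server

    def confirm(self, request_id: str, username: str, signature: str, now: float) -> bool:
        entry = self.pending.pop(request_id, None)  # one shot, whether it succeeds or not
        if entry is None or entry[0] != username or now > entry[1]:
            return False        # unknown, mismatched or expired request
        key = self.device_keys.get(username)
        if key is None:
            return False        # no APP activated for this user
        expected = sign_confirmation(key, request_id, username)
        return hmac.compare_digest(expected, signature)   # only the bound APP can approve
```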

Let me talk about biometrics

Fingerprint, face, iris and voice authentication are all biometric authentication, which has the highest security level, especially fingerprint and face. The technology is relatively mature and there are a large number of applications; the most common are mobile phone unlocking and attendance check-in, where the biometric is used as a unique verification to ensure that it really is the user.

Iris and voice, by comparison, have very few applications. Iris authentication has high technical content, so the application cost and the barrier to adoption are relatively high. As for voice authentication, first, as AI technology matures, voice imitation becomes more and more realistic and voice authentication less and less secure; second, speaking aloud easily disturbs others, so it is rarely used.

The principle of biometric recognition is very simple: the user’s biometric features are first enrolled into the database through a biometric reader, and when access is requested, the user’s live biometric is compared with the database; if it matches, login succeeds. The login process is as follows:

Prerequisites:

The business system and the certification system are connected;

The enterprise user source and authentication system are synchronized;

The user’s biometric features have been enrolled on the authentication server and bound to the user;

Authentication process:

The user enters username + static password to request access to the business system;

The business system sends the request to the enterprise user source for preliminary verification through the API;

The enterprise user source verifies the credentials and passes the request;

The user uses fingerprint, face or iris for secondary authentication;

The business system sends the biometric authentication information to the authentication server through the API;

The authentication server confirms it and returns that authentication has passed;

The user is logged in successfully.

Finally, let’s summarize:

Two-factor authentication exists to strengthen login security, so put simply: anything that adds a safe and effective way of verifying the user’s identity on top of username + static password can collectively be called two-factor authentication.

Common authentication methods are: dynamic password, scan code, message push, email authentication, fingerprint, face, iris, voice, USB-key certificate, and so on. Dynamic passwords further divide into SMS tokens, hardware tokens, APP tokens, WeChat applet tokens, and so on.

Different tokens have different authentication principles and login methods, and their security levels also differ. Among them, biometric authentication has the highest security level, while SMS verification code authentication and email authentication have the lowest.

The authentication methods most commonly used in enterprises are: dynamic password authentication (hardware token, APP token, WeChat applet token, DingTalk token), fingerprint authentication, face authentication and USB-key certificate authentication. From a cost standpoint, software dynamic password authentication is the best choice.

We live in the Internet age, where everything is interconnected and our lives are the richer for it, but it is equally full of the risk of account theft, ranging from leaked personal privacy to threats to an enterprise’s survival; ignoring security very likely means paying the price.

But the film “Who Am I: No System Is Safe” tells us: there is no absolutely safe system! Objectively, this is also a force driving technological progress. What we can do is protect the security of ourselves and even our enterprise to the greatest extent, and win the competition!
