About Two-Factor Authentication

In this lecture, we want to learn about multifactor authentication or MFA and understand how it works. So normally to let people log into a system, either we ask about something that they know. For example, we ask for a combination of username and password. If the username and password match, then the user can log in. Sometimes on top of this we ask for something that people have. For example, normally people carry their mobile phone with them. So some websites, once you log in with your username password, they will send you a randomly generated code. They send it to your mobile phone and then they ask you to put that code back into a form. And if the code matches the randomly generated code, then you will be logged in. The third way of authentication is using your fingerprints or your facial attributes. For example, sometimes when you go to airports, they scan your face or normally the new devices, the new laptops or new mobile phones, they can be unlocked with your fingerprint. These normally are called biometric devices. So if you use two of these together, for example, a combination of username password with sending a random code to someone's mobile phone that is called two factor authentication or two for because you are using two different ways of authentication. If you use more than two ways, obviously that is multi-factor authentication or MFA, however too and MFA are used interchangeably. So don't be confused if you see two FA or MFA on the internet 99% of times when you see two FA or MFA, both mean only two factor authentication, and I haven't really seen many websites that they use more than two ways of authentication. In order to use two factor authentication. Using a randomly generated code, you have to use an authenticator application. A mobile application. The most common ones are Microsoft Authenticator app, which you can download from either Google Play store or Apple Store, or you can use Google Authenticator app. It doesn't matter which one you use, they both will do the same thing or the system can generate a random number and send it to your mobile phone via SMS. And then you put this number back in the form that the website provides to you. However, Microsoft doesn't recommend using SMS because it's not deemed to be the safest option. The safest option is always using a mobile application that generates a random code for you, and that is what we are going to do in this course. Now let's have a look at the flow where we enable multi-factor authentication, because to use multifactor authentication you need to set it up first and enable it and then you can use it in your login form. This sequence diagram shows how we enable multi-factor authentication. There are three actors in this diagram from left to right. We have the authenticator application. We have the user that wants to set up the multi-factor authentication with their mobile phone, and we have the web application which is based on ASP.Net Identity Core. So in order to set up a multi-factor authentication, first of all, the application has to generate a random code or token and the user goes to the mobile application and puts that random token in the mobile application. The mobile application uses that token to generate a code. This code is always valid. When that token is entered, it will not be valid for any other token, so the token is unique for that code. So the mobile application, the authenticator application will generate a code and then the user gets the code, puts it back into a form, for example, and it gets passed to your application. The application uses one of the methods of ASP.Net Identity Core, and if that method says the code is valid for the generated token, then it sends a accept method back to the user. And that means that multi-factor authentication is set up and the user can enable it in the user profile. So the next time they log in, the multi-factor authentication will be active in order to use multi-factor authentication. Again, we have the same actors, however they interact in a different order. So when user wants to log in, they have to use their mobile and use the authenticator application. The authenticator application, for example, Microsoft Authenticator will generate a random code for them. These are randomly generated code and they are time based and by default they are only valid for 30s. So every 30s these codes are regenerated, so you have 30s to use the code, otherwise it becomes invalid. So you grab the code and then you put it in a box, for example, in a text box on the login form and it gets passed to the application. The application validates it for you using the token that it has generated at the very beginning when you set up MFA. And then if it is valid, it lets you know and then you let the user to log in. Now let's go to the next lecture and we set up multi-factor authentication for our ASP.Net Core application.