Bubka / 2FAuth

A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
https://docs.2fauth.app/
GNU Affero General Public License v3.0

[question] who provides the QR code when adding a website #60

Closed laoshanxi closed 2 years ago

laoshanxi commented 2 years ago

Hi, I am new to 2FA and looking at this helpful project.

I want to know the process of 2FA: when adding a website (e.g. GitHub, Facebook) for a user, who is responsible for generating the QR code (by my understanding, the QR code should contain the GitHub URL and user name, not sure what else is there)? Does the website itself provide the QR code?

Thanks in advance.

Bubka commented 2 years ago

Hi,

The QR code is generated by the website where 2FA is enabled. It contains, at least, a secret used to generate passwords using cryptographic functions. This secret is known only by you and the website.

The common process is:

  1. You enable 2FA from your user account on the website.
  2. The website generates (and records) a secret just for you and encodes it into a QR code. It shows you the QR code.
  3. You scan the QR code with an authentication app, e.g. 2FAuth.
  4. 2FAuth decodes the QR code and records the secret.
  5. Each time you need to sign in to the website, 2FAuth uses the secret to generate a password (generally a 6-digit password).
  6. You provide the password to the website during the sign-in process. As the website also knows the secret, it generates a password on its side and compares it to the one you sent. If they match, you are authenticated.

See https://allthingsauth.com/2018/04/20/a-medium-dive-on-the-totp-spec/ for more (tech) information.
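The six steps above, carried through in code as an added example (this is not 2FAuth's or app-mesh's code): the site generates a base32 secret and the otpauth URI that the QR code encodes, the authenticator derives a 6-digit TOTP from the secret and the current time (RFC 6238 on top of RFC 4226 HOTP), and the site verifies a submitted code. Function names, the `window` and `last_used_counter` parameters, and the sample issuer/account values are assumptions chosen for this illustration; the one fixed secret is the RFC 6238 test key, embedded so the example reproduces the RFC's published values offline.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed sample: RFC 6238 Appendix B uses the ASCII key "12345678901234567890".
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """Step 2 (website side): create a random per-user secret, base32 as it
    appears in the QR code. 20 bytes is the HMAC-SHA1 key length."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def otpauth_uri(secret_b32: str, issuer: str, account: str,
                digits: int = 6, period: int = 30) -> str:
    """The text a TOTP QR code carries: an otpauth:// Key URI. Besides the
    secret it names the issuer, the account and the code parameters."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """Step 5 (authenticator side): the counter is the number of elapsed
    30-second periods since the Unix epoch."""
    return hotp(secret_b32, unix_time // period, digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           last_used_counter: int = -1, window: int = 1, period: int = 30):
    """Step 6 (website side): recompute the code for the current period and
    +/- `window` neighbours to absorb clock drift, compare in constant time,
    and refuse any counter at or below the last one accepted so a captured
    code cannot be replayed. Returns the matched counter, or None."""
    current = unix_time // period
    for step in range(-window, window + 1):
        counter = current + step
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Enrollment for a constructed account, then one sign-in round trip.
    secret = generate_secret()
    print(otpauth_uri(secret, "ExampleSite", "alice@example.test"))
    now = int(time.time())
    code = totp(secret, now)
    matched = verify(secret, code, now)
    print("code", code, "accepted at counter", matched)
    # Reusing the same code after the server stored `matched` is rejected.
    print("replay accepted:", verify(secret, code, now, last_used_counter=matched))
```

The server stores the secret and, after each successful login, the counter it accepted; that second value is what stops a code that was observed once from being replayed within the drift window. `hmac.compare_digest` is used for the comparison so that the check does not leak how many leading digits matched through timing.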

laoshanxi commented 2 years ago

Thanks for the kind explanation. So the website (like GitHub) needs to record the secret carefully in order to verify the code, and the secret should be confidential and must not leak to anybody else; when the user registers again, the secret will be updated to a new one. Is my understanding correct?

I am trying to implement a TOTP backend for https://github.com/laoshanxi/app-mesh , and will try to use this project to generate the 2FA code.

Bubka commented 2 years ago

when the user registers again, the secret will be updated to a new one. Is my understanding correct?

Yes. A secret is valid for a user account until this account is deleted or 2FA is disabled.

I am trying to implement a TOTP backend for https://github.com/laoshanxi/app-mesh , and will try to use this project to generate the 2FA code.

app-mesh is mostly written in C#, 2FAuth uses PHP plus a framework (Laravel), so I'm not sure this is the best approach. Have a look at those repos: https://github.com/search?l=C%23&o=desc&q=totp&s=stars&type=Repositories

laoshanxi commented 2 years ago

app-mesh is written in C++. I found a library (http://www.nongnu.org/oath-toolkit/) to help implement the backend TOTP logic.

Thanks so much.