Two-factor authentication

Introduction

Two-factor authentication (2FA) adds another layer of protection to the login process. In addition to the normal login credentials, 2FA requires a Time-based One-Time Password (TOTP) calculated on the user's device.

Process

When two-factor authentication is enabled in myDBR and a user logs in, myDBR checks whether the user has already taken 2FA into use by registering the QR code in their device (usually a smartphone). The user registers with the QR code/token, and the secret value is stored both in the device and in myDBR. The secret value is the basis from which the time-based one-time password is calculated.

When a user whose 2FA setup is complete logs in, the time-based one-time password is requested.

The secret value for a user can be reset from the admin's user list. In case the admin's secret is lost and 2FA prevents the login, one can reset the secret value by removing the admin's row from the mydbr_twofa_secrets table.

Sample TOTP apps

As TOTP is a standard (RFC 6238), there are plenty of apps to choose from. Here is a list of a few common ones:

  1. Google Authenticator
  2. Authy
  3. LastPass
  4. OTP Auth
  5. FreeOTP
  6. Duo Mobile
  7. Microsoft Authenticator
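The following is an added example illustrating the mechanism described in the Process section and the RFC 6238 standard mentioned above; it is not myDBR's own code and says nothing about how myDBR stores or checks secrets internally. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library: a shared secret is generated at enrolment, encoded into the otpauth URI that authenticator apps read from a QR code, and the server-side check accepts a code from a small window of adjacent time steps to tolerate clock drift while returning the matched counter so a caller can refuse replay of an already-used code. Function names, the issuer/account strings and the one-step window are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(for_time) // step, digits, algo)


def generate_secret(length: int = 20) -> bytes:
    """Fresh random secret (160 bits for SHA-1, as RFC 4226 recommends)."""
    return secrets.token_bytes(length)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps decode from the enrolment QR code.
    The secret is base32 without padding, which is what the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, candidate: str, now: Optional[float] = None,
                step: int = 30, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matched counter, or None on failure.

    - window: accept codes from +/- this many steps to tolerate clock drift.
    - last_counter: highest counter already accepted for this user; a code for
      that step or earlier is rejected so a captured code cannot be replayed.
    Comparison is constant-time to avoid leaking which digits matched.
    """
    now = time.time() if now is None else now
    counter = int(now) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, len(candidate)), candidate):
            return c
    return None


if __name__ == "__main__":
    # Enrolment: constructed example values, not real account data.
    secret = generate_secret()
    print(provisioning_uri("ExampleApp", "alice@example.com", secret))
    # Login: the device and the server compute the same code for the same step.
    code = totp(secret, time.time())
    print("code", code, "verified counter", verify_totp(secret, code))
```

In a real deployment the returned counter is stored per user and passed back as last_counter on the next login; that, together with rate limiting of failed attempts, is what keeps a six-digit code from being brute-forced or reused within its 30-second step.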

Limiting when 2FA is used

2FA can be limited to external IP addresses only and/or to admin accounts only. This way one can require 2FA when a user is accessing the system from outside the internal network, or restrict it to admin accounts to provide further protection for admins.
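The two limits described above, external-only and admin-only, combine into a single policy decision. The added example below (not myDBR's own code; the internal network list, the function name and the option names are assumptions) shows that decision in Python, treating an address that does not parse as external so that a malformed input never skips 2FA.

```python
import ipaddress

# Assumed internal address ranges for the example; adjust to the real network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]


def is_internal(client_ip: str) -> bool:
    """True only if the address parses and lies in a configured internal range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable -> treat as external (fail closed)
    return any(addr in net for net in INTERNAL_NETWORKS)


def requires_2fa(client_ip: str, is_admin: bool,
                 external_only: bool = False, admins_only: bool = False) -> bool:
    """Decide whether this login must present a TOTP code.

    external_only: skip 2FA for logins from INTERNAL_NETWORKS.
    admins_only:   skip 2FA for non-admin accounts.
    With neither option set, every login requires 2FA.
    """
    if admins_only and not is_admin:
        return False
    if external_only and is_internal(client_ip):
        return False
    return True
```

The client address fed into this check must be the one from the TCP connection or from a header set by a proxy you control; a user-supplied X-Forwarded-For value would let anyone claim an internal address and bypass the external-only rule.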