How it works

What is Two-Factor Authentication?

Two-factor authentication (2FA / MFA) is a security mechanism that provides an extra level of protection for online accounts. 2-factor authentication involves using an additional factor, such as a smartphone or a hardware OTP token, to confirm the user’s identity.

Through the requirement of this additional factor, unauthorized individuals are prevented from accessing the account, even if the password has been breached. This provides enhanced security and mitigates the danger of unsanctioned account access.

How Does Two-Factor Authentication Work?

Once the user tries to sign in to their account, they are prompted to provide their password, as usual. However, instead of immediately gaining access, they must also provide an additional authentication method. This second way to verify identity is a one-time passcode generated with the help of a 2FA app or hardware OTP token. The OTP passcode can also be delivered via a chatbot in a messaging app, SMS, or email.
  • The user submits the password.
  • The user provides the one-time code from the hardware OTP token or phone.
  • The one-time code is sent through the API to Protectimus.
  • Protectimus verifies the one-time code in real time, and your application instantly receives a positive or a negative response.
  • If both the password and the one-time code are correct, the user is granted access to their account.

What Is the Purpose of Using Two-Factor Authentication?

With the increase in online threats such as phishing, social engineering, hacking, and identity theft, relying on passwords alone is no longer sufficient to safeguard confidential data. Attackers often obtain passwords through theft, guessing, or other hacking techniques without the user being aware.

This is where two-factor authentication comes in. 2FA adds an extra level of protection, making it much more difficult for unauthorized individuals to gain access to an account even if passwords are compromised. One-time passwords used as a second layer of protection are unique and valid for only a short period, typically 30 seconds.

Moreover, if you use 2FA chatbots in messaging apps, push, email, or SMS as the second authentication factor, users are immediately notified on their phone if an unauthorized login attempt is detected.

What 2-Factor Authentication Methods Do We Support?

We offer several authentication methods, giving you the option to choose the most convenient and reliable for your users.

See the Tokens section for more information.

What Authentication Algorithms Do We Use?

The Protectimus two-factor authentication solution supports all standard Initiative for Open Authentication (OATH) algorithms – HOTP, TOTP, and OCRA. As a coordinating member of the Initiative for Open Authentication and by leveraging OATH standards, we ensure our MFA solution is open, secure, and easy to use.

  • HOTP (HMAC-based One-Time Password) is an event-based algorithm that generates one-time passcodes based on a secret key and a counter.
  • TOTP (Time-based One-Time Password) generates OTP codes based on a secret key and the current time. The TOTP password is valid only for a short period, typically 30 seconds, and a new password is generated automatically after that period.
  • OCRA (OATH Challenge-Response Algorithm) is an algorithm that combines a challenge (a randomly generated value) and a secret key to generate a one-time password. This algorithm is highly versatile and is used for login authentication and transaction verification. The Protectimus Confirm What You See (CWYS) feature is based on the OCRA algorithm; the CWYS function allows data and transactions to be verified and signed.

How Do I Set It Up?

Preliminary Steps:
  • Registering in Protectimus Cloud Service or downloading and installing Protectimus On-Prem Platform.
  • Activating the API in one click.
  • Adding users or synchronizing the Protectimus 2FA system with AD/LDAP.
  • Enrolling tokens and assigning tokens to users.
  • Integrating Protectimus into your infrastructure through existing plugins, libraries for major programming languages, or a well-documented API.
Find more information in the Integrations and Guides sections.

Do you have any questions?

Get in touch with our support team, and you will get a quick answer.


Knowledge Base

OTP stands for One-Time Password. It is a password that is valid for only one authentication session. In most cases, such a password has a limited validity time. OTPs are used in multi-factor authentication systems, where a password is used as the first factor and a token as the second factor.

A one-time password is generated with a secret key that is ‘built into’ your token and that is known only to our service. No other device can generate the correct one-time password without knowledge of this secret, which is securely protected. We use password generation algorithms that virtually eliminate the possibility of a password getting hacked.

Since a token is not connected to a server in any way, it is impossible to intercept a password while it is being transferred.
A potential intruder may try to simply come up with the correct password by trying various combinations of characters, but the system is well protected against this type of attack – after a certain number of attempts, an account is locked for 5 minutes, which renders such an attack ineffective.
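The paragraph above describes the defence against guessing: after a certain number of failed attempts the account is locked for 5 minutes. The following added example (not Protectimus code) shows how a verifier for event-based HOTP tokens can implement that lockout together with the other two checks such a server needs, a bounded look-ahead so a token whose button was pressed without logging in can resync, and a counter that only moves forward so an accepted code can never be replayed. The failure threshold of 5 is an assumption; the page states only "a certain number of attempts".

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

LOCK_SECONDS = 5 * 60   # from the text: account locked for 5 minutes
MAX_FAILURES = 5        # assumed threshold; the page does not give the number


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation, modulo 10^digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    secret: bytes            # shared secret provisioned into the token
    counter: int = 0         # next counter value the server will accept
    failures: int = 0        # consecutive failed attempts since last success
    locked_until: float = 0  # Unix time until which logins are refused


class OtpVerifier:
    def __init__(self, look_ahead: int = 3):
        # How far past the expected counter the token may have advanced.
        self.look_ahead = look_ahead

    def verify(self, acct: Account, code: str, now: float) -> str:
        """Returns "ok", "invalid" or "locked". Mutates `acct` state."""
        if now < acct.locked_until:
            return "locked"
        if not (code.isascii() and code.isdigit()):
            return self._fail(acct, now)
        for i in range(self.look_ahead + 1):
            if hmac.compare_digest(hotp(acct.secret, acct.counter + i), code):
                # Advance past the used counter: resync the server to the
                # token and make this code unusable a second time.
                acct.counter += i + 1
                acct.failures = 0
                return "ok"
        return self._fail(acct, now)

    def _fail(self, acct: Account, now: float) -> str:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCK_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 reference seed as the token secret.
    acct = Account(secret=b"12345678901234567890")
    v = OtpVerifier()
    print(v.verify(acct, hotp(acct.secret, 0), now=1000))   # ok
    print(v.verify(acct, hotp(acct.secret, 0), now=1001))   # invalid (replay)
```

With 6-digit codes, a 5-attempt threshold and a 5-minute lock, an attacker gets at most one guess per minute on average against a space of one million codes, which is what makes online guessing impractical. The lock should be keyed on the account rather than the client address, so that distributing the attempts across many sources does not evade it.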

Today, multi-factor authentication with one-time passwords is widely recognized as the most reliable and effective mechanism of protection against unauthorized access. The OTP mechanism is more reliable than authentication based on biometric parameters and undoubtedly much more reliable than regular static passwords.

The problem with biometric authentication is that the parameter being verified can be copied but cannot be modified. It is easy to obtain a person’s fingerprint and make a copy of it, but a person’s fingerprint cannot be changed, unlike a token, which can be re-issued. Besides, how would you even know that your biometric data had been copied?

Of course, many attempts have been made to improve the mechanism, and modern scanners are not so easy to trick – they are smart enough to distinguish between a real person and a mechanical copy. But it makes little sense to try to outsmart a scanner, because in the end the scan result is transformed into a set of digital characters. And, as already mentioned above, biometric parameters do not change, which means that once such data is lost, your authenticators (your fingerprints, your eye retina, etc.) are compromised forever.

Besides, biometric authentication always involves assessment that’s probabilistic in nature; it is aimed at assessing a tested sample’s equivalence to the reference standard. Therefore, depending on the settings, there is either a chance that access to the system will be given to a person with similar characteristics or a chance that a valid user will not be given access to the system.

Moreover, when one considers all the various ways in which potential intruders can gain access to one’s biometric data, one begins to doubt whether it is reasonable to use biometric data at all.

OTPs avoid all of the situations described above. In our opinion, biometrics can serve as an effective identification tool, but the task of authentication is best left to OTPs.

Our solution operates based on the OATH standards accepted in the two-factor authentication industry worldwide.

Contact us through the feedback form! If your idea is indeed interesting, we will find a way to express our gratitude.

If you have found a bug in our system, contact us using any method convenient for you; we will fix the bug as soon as possible, and you will be rewarded for your help.

We are an open innovative company interested in various forms of mutually beneficial collaboration. We are ready to encourage ideas that will help us optimize our expenses, increase our profits, and improve to become a better company. Learn about our affiliate program, or share your ideas, comments, and recommendations through the feedback form.