2 Factor / Multi-Factor Authentication Technical Documentation

Two-Factor/Multi-Factor Authentication (2FA/MFA)

Two-Factor Authentication (2FA) adds a second, independent check to the password login. The user must prove two distinct factors: something they know (the password) and something they have (control of a registered mobile number or mailbox, proven by entering a one-time password, OTP, delivered there by SMS or email). A stolen or guessed password alone is then not enough to log in. SMS and email OTPs are the weakest form of the second factor, since the code can be phished in real time and an SMS can be redirected by SIM swapping, so they should be treated as a baseline rather than as equivalent to an authenticator app (TOTP) or a hardware key (FIDO2).

Approach for 2FA Implementation

In our application, we are implementing SMS- and email-based Two-Factor Authentication to enhance security. This additional step ensures that a password alone is not enough to gain access to an account.

Process Flow:

  1. User Login Attempt - The user enters their username and password on the login screen.

  2. Credential Verification - The system validates the provided credentials against stored records.

  3. OTP Generation and Dispatch - If the credentials are correct, the system generates a random One-Time Password (OTP) with a short validity window and sends it to the registered email address or mobile number via SMS. Nothing else is unlocked at this point: the session is still treated as unauthenticated until the OTP step completes.

  4. User Input for OTP Verification - The user is prompted to enter the received OTP on the authentication screen.

  5. Validation of OTP - The system verifies the OTP entered by the user.

  6. Successful Authentication - If the OTP matches and has not expired, the user is granted access; otherwise the attempt fails and the user must retry. An OTP is accepted once only, and the number of wrong guesses per OTP must be capped so that a short numeric code cannot be guessed online.
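Steps 3 to 6 of the flow above, written as an added in-memory example rather than Phonon.io's code: the six-digit length, five-minute expiry and five-guess limit are assumptions, and handing the returned code to the SMS/email gateway (step 3's dispatch and step 4's delivery) is left to the caller of issue().

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative OTP store. A real deployment would back this with a database or cache. */
public class OtpStore {
    static final int DIGITS = 6;                          // assumed code length
    static final Duration TTL = Duration.ofMinutes(5);    // assumed validity window
    static final int MAX_ATTEMPTS = 5;                    // assumed cap on wrong guesses per code

    private final SecureRandom rng = new SecureRandom();
    private final byte[] hmacKey;                         // server-side secret, kept apart from the codes
    private final Map<String, Challenge> pending = new HashMap<>();

    private static final class Challenge {
        final byte[] tag;            // HMAC of the code; the code itself is never stored
        final Instant expiresAt;
        int failures;
        Challenge(byte[] tag, Instant expiresAt) { this.tag = tag; this.expiresAt = expiresAt; }
    }

    public OtpStore(byte[] hmacKey) { this.hmacKey = hmacKey.clone(); }

    /** Step 3: mint a fresh code for the user and return it for dispatch. Any earlier code is superseded. */
    public synchronized String issue(String username, Instant now) {
        int code = rng.nextInt((int) Math.pow(10, DIGITS));          // uniform in [0, 10^DIGITS)
        String otp = String.format("%0" + DIGITS + "d", code);        // keep leading zeros
        pending.put(username, new Challenge(tag(username, otp), now.plus(TTL)));
        return otp;
    }

    /** Steps 5 and 6: true exactly once for the right code inside its window, otherwise false. */
    public synchronized boolean verify(String username, String submitted, Instant now) {
        Challenge c = pending.get(username);
        if (c == null || submitted == null) return false;
        if (now.isAfter(c.expiresAt)) {                 // expired: the user has to log in again
            pending.remove(username);
            return false;
        }
        if (!MessageDigest.isEqual(c.tag, tag(username, submitted))) {   // constant-time compare
            if (++c.failures >= MAX_ATTEMPTS) pending.remove(username);   // stops online guessing
            return false;
        }
        pending.remove(username);                       // single use: the same code cannot be replayed
        return true;
    }

    /** HMAC-SHA256 over user and code, so a leaked copy of the store cannot be brute-forced without the key. */
    private byte[] tag(String username, String otp) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            mac.update(username.getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0);                       // separator so user/code boundaries are unambiguous
            return mac.doFinal(otp.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Walk through the flow with a constructed user and a fixed clock. */
    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);              // in production this comes from a secret store
        OtpStore store = new OtpStore(key);
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z");

        String otp = store.issue("agent42", t0);        // this is what would go to the SMS/email gateway
        System.out.println("wrong code accepted?   " + store.verify("agent42", "not-it", t0));
        System.out.println("right code accepted?   " + store.verify("agent42", otp, t0.plusSeconds(30)));
        System.out.println("replay accepted?       " + store.verify("agent42", otp, t0.plusSeconds(31)));

        String late = store.issue("agent42", t0);
        System.out.println("expired code accepted? " + store.verify("agent42", late, t0.plus(TTL).plusSeconds(1)));
    }
}
```

A plain hash would not protect a six-digit code: with only a million possibilities, anyone who reads the table can recover every code instantly, so the tag is keyed with a server secret instead. The guess cap, not the hashing, is what defends against an attacker typing codes into the login form.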
Challenges in 2FA Implementation

One of the key challenges in implementing 2FA is that some of our users (Agents, Supervisors) are passcode-based. For these users we do not hold a registered email address or mobile number, so there is no channel to which an OTP can be sent. To address this, we need to mandate that either an email address or a mobile number be provided at the time of user creation. For existing users, we must collect an email address or contact number before Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) can be enabled for them. In both cases the contact itself should be confirmed with an OTP when it is registered, so that an attacker who has obtained a password cannot enrol a number they control.

Technology Stack & Implementation

  • We are integrating this 2FA mechanism into our product using Spring Security.

  • OTP Generation & Validation: OTPs will be generated from a cryptographically secure random source, expire after a short window, be valid for a single use, be stored server-side only as a keyed hash rather than in clear text, and accept a bounded number of wrong guesses.

  • Communication Channels: OTPs will be sent through an SMS gateway and an email service (for example Twilio for SMS and AWS SES for email, or any other provider). Delivery is out of band, so the code must never be echoed back in the HTTP response or written to application logs.

  • Spring Security Configuration: A custom authentication provider and a servlet filter will insert the OTP verification step into the authentication flow, so that a session that has passed only the password check cannot reach any protected resource.
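One way to wire the password step and the OTP step into Spring Security 6 with a custom provider and filter, as the bullets above describe. This is an added example, not the product's code; the OtpService interface, the ROLE_PRE_OTP marker authority and the /otp/verify endpoint are assumptions.

```java
import java.io.IOException;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/** Assumed boundary to the OTP store (hypothetical interface, not the product's). */
interface OtpService {
    void issueAndSend(String username);                  // generate, store hashed, dispatch by SMS/email
    boolean verify(String username, String submittedCode);
}

/** Steps 1 to 3: password check that deliberately does NOT grant the user's real roles yet. */
class PasswordThenOtpProvider implements AuthenticationProvider {
    static final GrantedAuthority PRE_OTP = new SimpleGrantedAuthority("ROLE_PRE_OTP");
    private final UserDetailsService users;
    private final PasswordEncoder encoder;
    private final OtpService otp;

    PasswordThenOtpProvider(UserDetailsService users, PasswordEncoder encoder, OtpService otp) {
        this.users = users; this.encoder = encoder; this.otp = otp;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        UserDetails user;
        try {
            user = users.loadUserByUsername(request.getName());
        } catch (UsernameNotFoundException e) {
            throw new BadCredentialsException("Bad credentials");   // same answer as a wrong password: no user enumeration
        }
        if (!encoder.matches(String.valueOf(request.getCredentials()), user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        otp.issueAndSend(user.getUsername());
        // Half-authenticated: only ROLE_PRE_OTP, so every normal authorization rule still denies this session.
        return UsernamePasswordAuthenticationToken.authenticated(user, null, List.of(PRE_OTP));
    }

    @Override
    public boolean supports(Class<?> type) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
    }
}

/** Steps 4 to 6: while ROLE_PRE_OTP is held, the only request allowed through is the OTP submission. */
class OtpGateFilter extends OncePerRequestFilter {
    static final String OTP_PATH = "/otp/verify";                   // assumed endpoint
    private final OtpService otp;
    private final SecurityContextRepository contexts = new HttpSessionSecurityContextRepository();

    OtpGateFilter(OtpService otp) { this.otp = otp; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean awaitingOtp = auth != null && auth.getAuthorities().contains(PasswordThenOtpProvider.PRE_OTP);
        if (!awaitingOtp) {                           // anonymous or fully authenticated: not this filter's concern
            chain.doFilter(req, res);
            return;
        }
        if (!(OTP_PATH.equals(req.getServletPath()) && "POST".equals(req.getMethod()))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "OTP verification required");
            return;
        }
        UserDetails user = (UserDetails) auth.getPrincipal();
        if (!otp.verify(user.getUsername(), req.getParameter("otp"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired OTP");
            return;
        }
        // Second factor passed: swap in the real authorities, rotate the session id, persist the context.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities()));
        SecurityContextHolder.setContext(ctx);
        if (req.getSession(false) != null) req.changeSessionId();
        contexts.saveContext(ctx, req, res);
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Register the provider with http.authenticationProvider(...) and add the filter with http.addFilterAfter(new OtpGateFilter(otpService), UsernamePasswordAuthenticationFilter.class) so that it runs after the password step and before authorization. The design point is that the password step never yields the user's real roles: until the gate filter swaps them in, the session carries only ROLE_PRE_OTP and cannot reach anything, and the session id is rotated at that privilege change so a pre-OTP session id fixed by an attacker is worthless afterwards.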
Flowchart of 2FA Process:

 +-------------------------+
 |       User Login        |
 +-------------------------+
              |
              v
 +-------------------------+
 |   Verify Username and   |
 |        Password         |
 +-------------------------+
              |
              v
 +-------------------------+
 |      Generate OTP       |
 +-------------------------+
              |
              v
 +-------------------------+
 |      Send OTP via       |
 |       Email / SMS       |
 +-------------------------+
              |
              v
 +-------------------------+
 |     User Enters OTP     |
 +-------------------------+
              |
              v
 +-------------------------+
 |      Validate OTP       |
 +-------------------------+
              |
              v
 +-------------------------+
 |      Grant Access       |
 |      or Deny Login      |
 +-------------------------+


By implementing this approach, we add a second check that a stolen or guessed password alone cannot pass, which mitigates the main risk of password-only authentication. The strength of that check rests on the controls around the OTP (randomness, expiry, single use, a cap on wrong guesses) and on the user's registered contact having been verified at enrolment.

This document has been developed by Phonon.io for the sole and exclusive use of the customer / prospective customer with whom this document is being shared. Further, this document has been provided by Phonon.io to the recipient in good faith and based on request from the recipient for the same. This document is a confidential document and contains confidential product technology, workflow and commercial details that are for the sole usage of the intended recipients of this document. Recipients are advised not to share this document with any third party that is not the intended recipient of this document and neither to bring this document in full or parts into the public domain. Any unauthorized access may be brought to Phonon.io’s notice immediately. Phonon.io is free to take any legal action it deems necessary against any person or entity that violates this confidentiality agreement. Phonon.io is bound and governed by the rules of the state of Gujarat in India. In case you are not in agreement with the terms set in this clause or are not an intended recipient of this document, please destroy the document and intimate us of the same at info@phonon.io.