Implementing Multifactor Authentication

By Prosper Otemuyiwa · Dec. 11, 16 · Opinion

Multifactor authentication (MFA) adds an extra layer of security by requiring users to present more than one piece of evidence of their identity. It typically combines something the user knows (a PIN, password or secret question) with something the user has (a card, hardware token or phone). Two-factor authentication is the most widely used form of MFA. More information about MFA can be found here.

In this article, we will go over why we should implement multifactor authentication and the different ways to implement it.

Why Should We Implement Multifactor Authentication?

There have been many cases of stolen and cracked passwords, and breaches of systems protected by nothing more than a username and password combination are on the rise. With multifactor authentication in place, an attacker who steals your password still cannot get into your account with that password alone. The extra layer of protection that MFA offers ensures that your account is more secure!

What Are the Different Ways to Implement Multifactor?

I'll list the various ways to implement multifactor below; a more in-depth look at each process follows later in this post. I'll cover multifactor via:

  • Time-based One-Time Password (TOTP)
  • Short Message Service (SMS)
  • Electronic Mail (Email)
  • Push Notifications

How Time-based One-Time Passwords Work

TOTP involves generating a one-time password from a shared secret key and the current timestamp using a specific kind of cryptographic function. These cryptographic functions can vary across the board; a simple example is SHA-256 (RFC 6238 builds the code on an HMAC, with SHA-1 as the default hash and SHA-256 and SHA-512 as options). TOTP is defined in RFC 6238. The process flow for a typical multifactor application using TOTP involves the enrollment and login processes.

The enrollment process is as follows:

  • A user logs into a website/app with a username and password.
  • If the credentials are valid, the next stage involves enabling two-factor authentication for the user.
  • A shared key is requested (as text or as a QR code).
  • The key is stored by an app that implements TOTP, such as Google Authenticator or Auth0 Guardian.
  • Two-factor authentication is enabled.

The login process is as follows:

  • A user logs into a website/app with a username and password.
  • If the credentials are valid, the user is directed to another form where they are required to enter a one-time code generated by Google Authenticator or Auth0 Guardian.
  • The server verifies that the code is valid and finally authenticates the user.

[Figure: Multifactor flow chart]

An alternative implementation is the use of RSA keys (RSA SecurID tokens). RSA authentication is based on two factors: a password/PIN and an authenticator. The authenticator may be a hardware or software token assigned to the user. During login, after entering the password/PIN, the user activates the token, which generates a new authentication code at fixed intervals (usually about 60 seconds) from a built-in clock and a random key encoded into the device at the factory. The key is different for each token, and a copy is loaded into the corresponding RSA Authentication Manager.

[Figure: Software token]

Note: The generated codes are time-based, so the client and the server need to keep their clocks synchronized for this to work. RFC 6238 allows the server to accept codes from a small window of adjacent time steps to absorb minor drift.
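The enrollment and login steps above, together with the clock-synchronization note, as an added example in Python. This is not code from the original article, nor Auth0's or Google Authenticator's own code. The function names (`enroll`, `verify_totp`), the `ExampleCorp` issuer and the `alice@example.com` account are assumptions; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 (the shared secret in the comments is the RFC 6238 test-vector secret, so the codes can be checked against the RFC), and the `otpauth://` URI is the Key URI format that authenticator apps read from the enrollment QR code.

```python
"""Added example: TOTP enrollment and login verification per RFC 6238.

Not code from the original article or from Auth0. Names and sample values
are assumptions; with the RFC 6238 test secret b"12345678901234567890",
totp(secret, 59, digits=8) yields "94287082", as the RFC lists.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def enroll(issuer: str, account: str):
    """Enrollment step: create a fresh shared secret and the otpauth:// URI that
    the authenticator app scans as a QR code (the app expects Base32)."""
    secret = secrets.token_bytes(20)                       # 160-bit secret, RFC 4226 minimum
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


def verify_totp(secret: bytes, submitted: str, unix_time: float, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6, algorithm=hashlib.sha1):
    """Login step. Accepts the code for the current time step or for `window`
    steps either side (clock-drift tolerance), compares in constant time, and
    refuses any time step at or below the last one already accepted so a code
    cannot be replayed within its validity window.
    Returns (accepted, counter); the caller persists the counter per user."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False, None
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), submitted):
            return True, counter
    return False, None


if __name__ == "__main__":
    # Hypothetical issuer and account, used only for the demo run.
    secret, uri = enroll("ExampleCorp", "alice@example.com")
    print("Encode as a QR code for the authenticator app:", uri)
    now = time.time()
    code = totp(secret, now)                  # what the user's authenticator app would show
    print("Login code accepted:", verify_totp(secret, code, now))
```

`verify_totp` returns the matched time step so the server can store it as `last_counter` for that user; rejecting anything at or below it is what turns the drift window into a safe one, since a code observed once cannot be submitted a second time.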

How Short Message Service (SMS) Works

The process for a typical multifactor application using SMS also involves the enrollment and login stages.

The enrollment process is as follows:

  • A user logs into a website/application with a username and password.
  • A user is asked to enter a valid phone number, probably in the settings page.
  • A unique one-time code is generated on the server and then sent to the phone number.
  • The user enters the code into the app and multifactor is enabled.

The login process is as follows:

  • A user logs into a website/application with a username and password.
  • A unique one-time code is generated on the server and then sent to the registered user's phone number.
  • The user enters the code into the app.
  • If it's valid, the user is authenticated and a session is initiated.

[Figure: SMS multi-factor authentication]

How Electronic Mail (Email) Works

The process for a typical multifactor application using email is as follows:

  • A user logs into a website/application with a username and password.
  • A unique one-time code is generated on the server and sent via email to the user.
  • The user retrieves the code from the email and enters the code into the app.
  • If it's valid, the user is authenticated and a session is initiated.
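The server side of the SMS and email flows above is the same: generate a short code, deliver it out of band, then verify what the user types. The following is an added Python example, not code from the original article or from Auth0. The `OneTimeCodeService` class name is an assumption, and the `deliver` callable stands in for the SMS gateway or mail transport; the phone number and user id in the demo are constructed sample values.

```python
"""Added example: issuing and verifying SMS/email one-time codes on the server.

Not code from the original article or from Auth0. `deliver` is a stand-in for
the real SMS gateway or mail transport; sample values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingCode:
    code_hash: bytes       # salted hash: a database read must not expose live codes
    salt: bytes
    expires_at: float      # unix time after which the code is dead
    attempts_left: int     # guesses remaining before the code is discarded


class OneTimeCodeService:
    """Codes are single-use, time-limited and guess-limited. The limits matter
    more than the hash: a 6-digit code has only one million possibilities, so
    unlimited attempts would let it be brute-forced online."""

    def __init__(self, deliver, ttl_seconds: float = 300, max_attempts: int = 3,
                 digits: int = 6):
        self._deliver = deliver              # callable(destination, code)
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._digits = digits
        self._pending = {}                   # user_id -> PendingCode

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, user_id: str, destination: str, now: float) -> None:
        """Generate a code with a CSPRNG, store only its salted hash, and send
        the plaintext to the registered phone number or email address."""
        code = f"{secrets.randbelow(10 ** self._digits):0{self._digits}d}"
        salt = secrets.token_bytes(16)
        # Issuing a new code invalidates any earlier one still pending for the user.
        self._pending[user_id] = PendingCode(self._hash(code, salt), salt,
                                             now + self._ttl, self._max_attempts)
        self._deliver(destination, code)

    def verify(self, user_id: str, submitted: str, now: float) -> bool:
        """True exactly once per issued code, and only while it is fresh."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[user_id]
            return False
        pending.attempts_left -= 1
        matched = hmac.compare_digest(self._hash(submitted, pending.salt),
                                      pending.code_hash)
        if matched or pending.attempts_left <= 0:
            # Consumed on success, or locked out after too many guesses:
            # either way a fresh code must be issued before the next try.
            del self._pending[user_id]
        return matched


if __name__ == "__main__":
    import time
    outbox = []                                       # constructed stand-in for the gateway
    service = OneTimeCodeService(deliver=lambda dest, code: outbox.append((dest, code)))
    service.issue("alice", "+15555550100", now=time.time())   # constructed phone number
    _, code = outbox[-1]                              # what the user reads from the SMS
    print("login ok:", service.verify("alice", code, now=time.time()))
```

Because `verify` takes `now` as a parameter rather than reading the clock itself, the expiry and lockout paths can be exercised deterministically in tests; in production the caller passes `time.time()`.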

How Push Notifications Work

The process for a typical multifactor application using push notification is as follows:

  • A user logs into a website/application with a username and password.
  • Typically, push notifications work with applications such as Auth0 Guardian: a push notification is sent to the Guardian app on the user's mobile device.
  • This notification is a login request.
  • It includes information such as the application name, the OS and browser of the request, and the location and date of the request.
  • Once the user accepts the request, they are logged in automatically.

[Figure: Push notifications with Auth0 Guardian]

Different Ways to Implement Multifactor with Auth0

Implementing multifactor with Auth0 is a breeze. The various ways to implement multifactor with Auth0 are as follows:

  • Push Notifications with Auth0 Guardian: Guardian offers a frictionless approach to implementing MFA for your apps and provides a full MFA experience without requiring integration with third-party utilities. Auth0's documentation describes how to implement push notifications with Auth0 Guardian.
  • SMS: Auth0 supports sending an SMS with a one-time password code to be used for another step of verification.
  • TOTP with Google Authenticator and Duo: Auth0's documentation describes how to enable Google Authenticator and Duo Security.
  • Custom Providers such as Yubikey
  • Contextual MFA with custom scripted rules

Conclusion

We have now covered the different ways to implement multifactor authentication in an application and how they work.

Published at DZone with permission of Prosper Otemuyiwa, DZone MVB. See the original article here.
