OTP Authentication Finacle Integration Approach PDF


OTP (Two Factor) Authentication

Introduction: Security is a major concern today in all sectors, such as banks, governmental applications,
military organizations, educational institutions, etc. There are several security issues across these numerous
and varying industries, with one common weak link being passwords. The rapid growth in the number of
online services leads to an increasing number of digital identities each user needs to manage, yet passwords
remain perhaps the most common type of credential in use today. To avoid the tedious task of remembering
difficult passwords, users often behave less securely by choosing low-entropy, weak passwords. Most systems
today rely on static passwords to verify the user's identity. However, such passwords come with major
management and security concerns. Users tend to pick easy-to-guess passwords, reuse the same password
across multiple accounts, or store passwords on their machines. Furthermore, attackers have many techniques
available to steal passwords, such as shoulder surfing, snooping, sniffing and guessing. Passwords can also be
written down, forgotten, stolen, guessed, or deliberately told to other people. Two factor authentication
(commonly abbreviated 2FA) adds an extra layer of security to a user's account login by requiring two forms
of authentication: something the user knows and something they have.

How Does Two Factor Authentication Keep Users Secure? The classic authentication approach for web
applications requires a user to enter a username and password. However, password reuse, poorly
protected password storage, social engineering and breached databases make even a strong password
vulnerable. By requiring users to present a second factor in their authentication flow, an account whose
password has been compromised is still protected.

Mobile phone 2FA has become the industry standard, as most people carry their mobile phones at all
times. It is a user-friendly flow: the passcodes are generated dynamically for each login, and users can
receive them through SMS or a dedicated app.

How Does Two Factor Authentication Work?


Approach for 2FA: The flow chart below shows the 2FA flow when logging into the system:

Salient Features of 2FA:

- After providing the User ID and password, the user is authenticated against the database and the
corresponding registered mobile number is fetched from the system.
- In the next step, the user is shown a screen to submit the OTP, or to resend it to the registered
mobile number.
- The user enters the OTP; once it is validated, the user is moved to the main system screen.
- If the user clicks Resend, the OTP is sent again to the user's mobile number and the user continues
from the previous step.

During the entire life cycle, the HMAC* algorithm server (HMAC is used because it is one of the best
algorithms available to date) and the Finacle server continuously communicate regarding the
authentication status of the User ID in focus. The user is allowed in only once authentication has been
completed, and only from a proper channel. This makes the combination one of the most secure 2FA
approaches for banking applications.

* The HMAC algorithm works continuously to reduce the predictability of the OTP to anyone other than the user.
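The four-step login flow listed under "Salient Features of 2FA" and the HMAC-generated OTP described above, as an added example that is not Finacle code or this document's own design: an RFC 4226 HOTP generator (HMAC-SHA1 over a counter with dynamic truncation) driving a small server-side flow of password check, OTP delivery, resend and verification. The user store, the mobile number, the SMS gateway stand-in, the 6-digit length, the 120-second validity window and the 3-attempt limit are all constructed assumptions; demo() uses the RFC 4226 test-vector key so its outcomes are reproducible, whereas a real server draws a fresh random secret per login.

```python
from typing import Optional
import hashlib
import hmac
import secrets
import struct
import time

OTP_DIGITS = 6          # constructed policy values, not taken from the document
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store: salted PBKDF2 password hash plus the registered mobile.
_SALT = b"constructed-static-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": {"pw": _hash_password("correct horse"), "mobile": "+91-9000000000"}}
SENT_SMS = []  # stand-in for the SMS gateway: list of (mobile, code) tuples


class OtpSession:
    """Server-side state for one login after the password step succeeded."""

    def __init__(self, user, mobile, secret, now):
        self.user, self.mobile, self.secret = user, mobile, secret
        self.counter = 0          # HOTP counter; a resend advances it
        self.issued_at = now
        self.attempts = 0
        self.consumed = False


def _deliver(session, now):
    """Reset the validity window and attempt count, then 'send' the current code."""
    session.issued_at, session.attempts = now, 0
    SENT_SMS.append((session.mobile, hotp(session.secret, session.counter)))


def login_step1(username, password, now=None, secret=None) -> Optional[OtpSession]:
    """Step 1: check the password, fetch the registered mobile, send an OTP."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash_password(password)):
        return None
    session = OtpSession(username, rec["mobile"], secret or secrets.token_bytes(20), now)
    _deliver(session, now)
    return session


def resend(session, now=None):
    """Resend: the new counter value means the previously sent code stops working."""
    session.counter += 1
    _deliver(session, time.time() if now is None else now)


def verify_otp(session, submitted: str, now=None) -> bool:
    """Step 2: reject consumed, locked or expired sessions, count the attempt,
    then compare in constant time and mark the code as used on success."""
    now = time.time() if now is None else now
    if session.consumed or session.attempts >= MAX_ATTEMPTS:
        return False
    if now - session.issued_at > OTP_TTL_SECONDS:
        return False
    session.attempts += 1
    expected = hotp(session.secret, session.counter)
    if hmac.compare_digest(expected.encode(), submitted.encode()):
        session.consumed = True
        return True
    return False


def demo() -> dict:
    """Walk the flow with the RFC 4226 test key so every outcome is reproducible."""
    key, t, out = b"12345678901234567890", 1_000_000.0, {}
    out["wrong_password"] = login_step1("alice", "wrong", now=t) is None
    s = login_step1("alice", "correct horse", now=t, secret=key)
    out["wrong_otp"] = verify_otp(s, "000000", now=t + 1)
    out["right_otp"] = verify_otp(s, SENT_SMS[-1][1], now=t + 2)
    out["replay"] = verify_otp(s, SENT_SMS[-1][1], now=t + 3)      # single use
    s = login_step1("alice", "correct horse", now=t, secret=key)
    old = SENT_SMS[-1][1]
    resend(s, now=t + 5)
    out["old_after_resend"] = verify_otp(s, old, now=t + 6)
    out["new_after_resend"] = verify_otp(s, SENT_SMS[-1][1], now=t + 7)
    s = login_step1("alice", "correct horse", now=t, secret=key)
    out["expired"] = verify_otp(s, SENT_SMS[-1][1], now=t + OTP_TTL_SECONDS + 1)
    s = login_step1("alice", "correct horse", now=t, secret=key)
    for _ in range(MAX_ATTEMPTS):
        verify_otp(s, "999999", now=t + 1)
    out["locked"] = verify_otp(s, SENT_SMS[-1][1], now=t + 2)     # correct but locked
    return out


if __name__ == "__main__":
    print(demo())
```

The points worth carrying into a real integration are the ones demo() exercises: the OTP is compared in constant time, it is valid for one use and one window, a resend invalidates the earlier code by moving the counter, and a small attempt limit keeps a 6-digit code from being guessed online.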
