MFA: adding multi-factor authentication

MFA is a technique that makes authentication stronger.

As of version 1.2, which is currently in development, PHsPeed will support MFA using any TOTP authenticator. That might sound very technical, but within PHsPeed the only thing you need to do is put a component on your form. But what does this method do, and why is it so important?

Hackers are everywhere. It is not only about hacking big companies; for many it is a habit to hack anything they can. Usernames and passwords alone are no longer strong enough. In the 'good old days' MD5 was used to hash your password, but this method is no longer considered safe: there are databases with the hashes of the most used passwords, and in general it does not take long to guess a password unless it is a very strong one. PHsPeed still supports MD5, but uses the standard PHP method by default, which is much stronger. Even two people using the same password will not have the same hash in the database. With MD5 you simply took the password, calculated its MD5 hash, and compared the result with the content of the database. With the standard PHP method this has changed: the value stored in the database is passed to the PHP algorithm together with the entered password, and the algorithm decides whether they match. That is why PHsPeed edit fields have an 'original value' property.
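The difference between the two schemes is easiest to see in code. The following is an added example in plain PHP, not PHsPeed code and not part of the original post: it contrasts unsalted MD5 with PHP's built-in `password_hash()` / `password_verify()` (the "standard PHP method" referred to above), and adds a login-time migration of rows that still hold an MD5 digest. The passwords and the legacy-row detection rule (32 hex characters) are assumptions made for the illustration.

```php
<?php
// Added example, not PHsPeed code: unsalted MD5 versus PHP's
// password_hash()/password_verify(). All passwords below are constructed.

declare(strict_types=1);

// Legacy scheme: hash the entered password and compare it with the stored digest.
function legacyMd5Check(string $password, string $storedDigest): bool
{
    return hash_equals($storedDigest, md5($password));
}

// Current scheme: the stored string embeds algorithm, cost and a random salt,
// so password_verify() needs the stored value together with the entered
// password; it is not a plain comparison of two digests.
function modernCheck(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Login-time migration (assumed rule: a 32-hex-character value is an MD5 row).
// A legacy row is checked the old way and, on success, rehashed so it never
// stays MD5; a modern row is rehashed only if the cost or algorithm changed.
function checkAndUpgrade(string $password, string $stored): array
{
    $isLegacy = strlen($stored) === 32 && ctype_xdigit($stored);
    if ($isLegacy) {
        $ok = legacyMd5Check($password, $stored);
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : $stored];
    }
    $ok = modernCheck($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

$userA = 'correct horse battery staple'; // constructed sample password
$userB = 'correct horse battery staple'; // a second user chose the same one

// Unsalted MD5: both users end up with the identical digest, so one leaked
// table exposes both and precomputed hash lookups apply directly.
echo 'MD5 digests identical:  ', var_export(md5($userA) === md5($userB), true), PHP_EOL;

// password_hash(): a fresh random salt per call, so the same password stored
// for two users gives two different strings, and each still verifies.
$hashA = password_hash($userA, PASSWORD_DEFAULT);
$hashB = password_hash($userB, PASSWORD_DEFAULT);
echo 'bcrypt strings differ:  ', var_export($hashA !== $hashB, true), PHP_EOL;
echo 'user A verifies:        ', var_export(modernCheck($userA, $hashA), true), PHP_EOL;
echo 'wrong password:         ', var_export(modernCheck('wrong', $hashA), true), PHP_EOL;

// Migration path for a row that still holds an MD5 digest.
[$ok, $newStored] = checkAndUpgrade($userA, md5($userA));
echo 'legacy login accepted:  ', var_export($ok, true), PHP_EOL;
echo 'stored algorithm now:   ', password_get_info($newStored)['algoName'], PHP_EOL;
```

The point of `checkAndUpgrade()` is that an application keeping MD5 "for compatibility" does not have to keep it forever: every successful login is an opportunity to replace the weak digest with a salted one, and after one login cycle the MD5 rows are gone.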

Now, this is safer, but you can make the login procedure even more secure with multi-factor authentication, using a TOTP authenticator such as Microsoft Authenticator or Google Authenticator. After logging in with the user id and password, you get an additional dialog that asks for a numeric code. This code is generated by the authenticator and changes every 30 seconds. If the entered number is correct, the system continues; otherwise you are rejected.

How does this work? It is quite simple but effective. The application has its own identifier, shown as the 'account' in the authenticator. The authenticator also needs a key that is unique to the user; usually the user's email address or user id is used. The user has to set up the authenticator before it can be used: after logging in to your application, he/she is forced to set it up by scanning a QR code generated on the form with the authenticator of their choice. The application account, combined with the user id, is stored in the authenticator and used to generate temporary codes. The application holds both fields as well and can therefore verify the entered code in the same way the authenticator generated it.
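To make the enrolment and the 30-second code check from the two paragraphs above concrete, here is an added example in plain PHP of what the authenticator app and the server both compute. It is not PHsPeed's MFA component and not code from the post: it implements RFC 6238 TOTP directly (HMAC-SHA1, 30-second steps, 6 digits), with Base32 helpers because authenticator apps expect the shared secret in that form, and it goes slightly beyond the text by accepting one time step either side to absorb clock skew. The issuer name and account are constructed; the self-check uses the published RFC 6238 test vector.

```php
<?php
// Added example, not PHsPeed code: RFC 6238 TOTP enrolment and verification.
// Issuer and account below are constructed samples.

declare(strict_types=1);

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Authenticator apps take the shared secret as Base32 (RFC 4648), so the
// server must be able to encode it for the QR code and decode it for checks.
function base32Encode(string $bytes): string
{
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32Decode(string $encoded): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($encoded, '='))) as $char) {
        $index = strpos(BASE32_ALPHABET, $char);
        if ($index === false) {
            throw new InvalidArgumentException('invalid Base32 character');
        }
        $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// Code for one time step: HOTP (RFC 4226) over the step counter floor(t / 30).
function totpCode(string $secret, int $timestamp, int $period = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $period);
    $message = pack('J', $counter);                  // 8-byte big-endian counter
    $hmac    = hash_hmac('sha1', $message, $secret, true);
    $offset  = ord($hmac[19]) & 0x0F;                // dynamic truncation
    $binary  = ((ord($hmac[$offset]) & 0x7F) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side (clock skew between the
// phone and the server); compare in constant time so the check leaks nothing.
function verifyTotp(string $secret, string $submitted, int $now, int $window = 1, int $period = 30): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totpCode($secret, $now + $i * $period, $period), $submitted)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B vector (SHA-1, 6 digits):
// secret "12345678901234567890" at Unix time 59 yields code 287082.
if (totpCode('12345678901234567890', 59) !== '287082') {
    throw new RuntimeException('TOTP implementation failed the RFC vector');
}

// Enrolment: a random per-user secret, handed to the user as an otpauth URI.
// This URI is what the QR code on the setup form encodes; the server stores
// only the secret, never any code.
$secret       = random_bytes(20);
$storedSecret = base32Encode($secret);
$uri = sprintf(
    'otpauth://totp/%s:%s?secret=%s&issuer=%s&period=30&digits=6',
    rawurlencode('ExampleApp'), rawurlencode('alice@example.com'),
    $storedSecret, rawurlencode('ExampleApp')
);
echo $uri, PHP_EOL;

// Login: the app and the server derive the same code from the same secret
// and clock. The same code presented four steps later falls outside the
// window and is rejected.
$now         = time();
$codeFromApp = totpCode(base32Decode($storedSecret), $now);
var_dump(verifyTotp(base32Decode($storedSecret), $codeFromApp, $now));
var_dump(verifyTotp(base32Decode($storedSecret), $codeFromApp, $now + 120));
```

Two design points worth noticing: the server never stores or transmits codes, only the secret, so the QR code must be shown once over HTTPS and the secret stored like any other credential; and the skew window is deliberately small, because every extra step accepted widens the set of codes an attacker could guess in a given 30-second slot.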

The MFA component of PHsPeed manages all of this. Setting up the authenticator and verifying the entered code is just a matter of setting properties. No code involved.

11 Feb 2021, Blog