Authentication with a login and password is the familiar, common approach to identifying users on the internet and controlling access to web resources. However, with the computing power available today, attackers can test billions of password combinations per second. On top of that, statistics say that 65% of people use the same password, usually a simple one, everywhere. This means that stealing your credentials, or recovering them through a brute-force attack, is no longer a complicated task.
Two-factor authentication (also known as 2FA) is a method of confirming a user's identity in which the user is granted access only after successfully presenting two pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know, such as a login and password or a PIN code) and possession (something they and only they have). Possession factors include an ID card, a security token, a smartphone, and so on: not a piece of information you know, but a physical object you hold.
In this post I would like to show how to implement two-factor authentication for a web application using Google Authenticator as the possession factor.
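Google Authenticator produces time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): the server and the phone share a secret, and the phone shows HMAC-SHA1 over the current 30-second step, truncated to 6 digits. The block below is an added example, not code from the original post; it shows the server side of that scheme with only the Python standard library. The function names, the one-step clock-drift tolerance and the `last_used_step` replay guard are my choices, and the `RFC_SECRET` value is the published RFC 6238 test secret (the ASCII string `12345678901234567890`, base32-encoded), included so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Parameters Google Authenticator uses by default: 30-second steps, 6 digits, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1  # accept the previous and next step to tolerate clock skew

# RFC 6238 test secret "12345678901234567890" in base32 (test data, not a real key).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes=20):
    """Create a fresh random shared secret, base32-encoded for the QR code or manual entry."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI that the authenticator app reads from the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


def hotp(secret_b32, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=TIME_STEP):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32, submitted, at=None, last_used_step=None, drift=ALLOWED_DRIFT_STEPS):
    """Check a submitted code against the current step and its neighbours.

    Returns (accepted, step). The caller should persist the returned step as
    last_used_step so the same code cannot be replayed inside the drift window.
    """
    now = int(time.time()) if at is None else at
    current = now // TIME_STEP
    candidate = submitted.strip().encode("utf-8")
    for step in range(current - drift, current + drift + 1):
        if last_used_step is not None and step <= last_used_step:
            continue  # this step (or an earlier one) was already consumed
        expected = hotp(secret_b32, step).encode("ascii")
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(expected, candidate):
            return True, step
    return False, None


if __name__ == "__main__":
    user_secret = generate_secret()
    print(provisioning_uri(user_secret, "alice@example.com", "ExampleApp"))
    print("current code:", totp(user_secret))
    print("RFC 6238 check at T=59:", totp(RFC_SECRET, at=59))  # RFC vector: 287082
```

The server stores only the base32 secret per user (encrypted at rest) and, after each successful login, the step it accepted; a second submission of the same code within the drift window then fails because the step is not greater than `last_used_step`. Widening `ALLOWED_DRIFT_STEPS` makes life easier for users with badly synchronised phones but gives an attacker proportionally more valid codes per attempt, so it should stay small and be paired with rate limiting on the code entry endpoint.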