Authentication using One Time Password (OTP)



The point of two-factor authentication is to prevent attackers from getting access to your account. Two-factor authentication requires that two tokens be provided as proof of ownership of the account. The first token is something we're all familiar with: a username and a password. The second token is a bit more elusive, however. It should be something you have, and only you. No one else should be able to come into possession of the same token. The same should be true for usernames and passwords, but we've seen how easily a single-factor authentication system is broken.

The traditional way of simply memorizing a password to validate one's identity is no longer enough. Web sites and applications now expect the user to possess an email ID or a smartphone on which they can receive a second, short-lived, randomized password, the One Time Password (OTP), as an additional factor in the authentication.


The first step in implementing the two-factor authentication mechanism is to authenticate the first factor using conventional username and password based authentication. There needs to be an authentication manager which authenticates against the user data store.

The OTP service generates an OTP using the TOTP algorithm (RFC 6238); the generated token can be stored in the user session or in the persistent store. The token is then sent to the user's smartphone or email address through the OTP sender service. The sequence diagram below depicts the entire flow of the first-factor authentication and OTP generation.




The flow in the above sequence diagram is:

  • LoginController handles the user request and passes the credentials to the AuthenticationManager for authentication.
  • On successful authentication of the user credentials, the session is established and the request to OTPService is sent to generate the OTP token.
  • The OTP token is stored in the user session or persisted in the database.
  • LoginController then sends the OTP token to the user using the registered mobile number or the email ID.
  • User is displayed the next page to provide the OTP authentication token and complete the authentication.
  • Until the OTP is verified, the user can be assigned a pre-OTP-authenticated role (e.g. PRE_OTP_AUTHENTICATED_USER) that allows only limited access to the protected resources.

The second step in the entire flow is to validate the OTP token provided by the user.
The OTP authentication filter validates the token; if the token is valid and matches the one stored in the user session or the persistent store, the filter grants access to the protected resources.


The steps to complete the second-factor authentication flow are:

  • User provides the OTP token and submits it to the server.
  • The OTPAuthenticationFilter validates the token by calling the OTPService, which checks it against the one stored in the user session.
  • UserDetailsService loads the user's details into the session and the user Principal is created in the security context.
  • User is assigned the role of authenticated user (e.g. AUTHENTICATED_USER) to access the protected domain resources.
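The two lists above describe one state machine: first factor, then a pre-OTP role, then OTP validation and the full role. As an added example (not the post's code, and not Spring Security), this is that state machine in plain Python. `Session`, `USER_STORE`, `OUTBOX`, the role names' exact values, the OTP lifetime and the attempt limit are all assumptions; the OTP sent out of band here is a random six-digit code kept server-side, which is what the "stored in the user session" step requires regardless of how the code is produced.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PRE_OTP_ROLE = "PRE_OTP_AUTHENTICATED_USER"   # held between the two factors
AUTHENTICATED_ROLE = "AUTHENTICATED_USER"      # granted after OTP validation
OTP_TTL_SECONDS = 300                          # OTP lifetime (assumed value)
MAX_OTP_ATTEMPTS = 3                           # wrong guesses allowed per OTP (assumed)


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store; a real deployment reads this from the user database.
_SALT = b"constructed-salt"
_DUMMY_HASH = _password_hash("dummy", _SALT)   # keeps unknown-user timing equal
USER_STORE = {
    "alice": {"salt": _SALT, "password_hash": _password_hash("correct horse", _SALT),
              "mobile": "+1-555-0100"},
}

OUTBOX: list = []   # stand-in for the OTP sender service (SMS/email gateway)


@dataclass
class Session:
    username: str
    roles: set = field(default_factory=set)
    otp: Optional[str] = None      # kept server-side, never returned to the browser
    otp_expires_at: float = 0.0
    otp_attempts: int = 0


def authenticate_first_factor(username: str, password: str, now: float) -> Optional[Session]:
    """Step 1: username/password check, then generate, store and send the OTP."""
    record = USER_STORE.get(username)
    salt = record["salt"] if record else _SALT
    stored = record["password_hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_password_hash(password, salt), stored)
    if record is None or not ok:
        return None
    session = Session(username=username, roles={PRE_OTP_ROLE})
    session.otp = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, six digits
    session.otp_expires_at = now + OTP_TTL_SECONDS
    OUTBOX.append((record["mobile"], session.otp))        # OTP sender service
    return session


def verify_second_factor(session: Session, candidate: str, now: float) -> bool:
    """Step 2: the OTPAuthenticationFilter's job. An expired or over-tried OTP
    is discarded, so the user has to restart from the first factor."""
    if session.otp is None:
        return False
    if now > session.otp_expires_at or session.otp_attempts >= MAX_OTP_ATTEMPTS:
        session.otp = None
        return False
    session.otp_attempts += 1
    if not hmac.compare_digest(session.otp, candidate):
        return False
    session.otp = None                    # single use
    session.roles.discard(PRE_OTP_ROLE)
    session.roles.add(AUTHENTICATED_ROLE)
    return True


def can_access(session: Session, required_role: str) -> bool:
    """Authorization check a protected resource performs against the session."""
    return required_role in session.roles
```

The attempt limit and the expiry are the two controls that make a six-digit code defensible: without them the search space is only a million values. Discarding the OTP on success also stops the same code from being replayed within its lifetime.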
