Wednesday, September 18, 2019

Use Google Authenticator for DFA

Double Factor Authentication (DFA) is one of the best methods to prevent brute force attacks or password hijacking: it requires the end user to present two factors to authenticate and log into a system, i.e. a password and an OTP (One Time Password).

There are many ways to generate the one time password; the easiest is to send a random number to a pre-defined user mobile phone number so the user can enter this random number to log into the system.
The random number must be generated in a way that guarantees no one can guess it and bypass this security control.

Another simple way is to use a known algorithm that generates a unique number from some calculations; the user enters this number as the OTP while logging into the system. The user can have a hardware device that runs this algorithm, or a mobile app such as Google Authenticator.

Google Authenticator uses the Time-based One-Time Password algorithm (TOTP), an extension of the HMAC-based One-Time Password algorithm (HOTP) that takes its uniqueness from the current time instead of from a moving counter.


To configure your web site to work with Google Authenticator you need to modify your login screens and add some code that enables DFA, as follows:

Enablement steps

1. Workflow Changes:

- The user goes to profile management and requests to enable double factor authentication (DFA) using OTP. Two options can be implemented easily:
  1. Google Authenticator
  2. SMS
- SMS should only be enabled if an SMS gateway is configured in the system, so in this post we will discuss only Google Authenticator.

- The user selects one method and is routed to a new page which will contain:

[1] Links to the mobile apps for iOS and Android:
Google Authenticator App (Apple iOS)
Google Authenticator App (Google Android)

[2] A QR code generated using either:
- the Google public chart service (an img tag whose src is the service URL), or
- a Java backend library, which is the recommended way.


  • The URL for the Google public service looks like: https://chart.googleapis.com/chart?chs=200x200&cht=qr&chld=M|0&chl=otpauth://totp/osa@myCompany.com%3Fsecret%3DJBSWY3DPEHPK3PXP
  • osa@myCompany.com is the account label, in the form loginName@companyName.com
  • JBSWY3DPEHPK3PXP is the base32-encoded secret code auto-generated for this user, e.g. from name+timestamp or any random key (as noted above, it must be unguessable, so a cryptographically random key is the safer choice); %3F and %3D are the URL-encoded "?" and "=" of the embedded otpauth URI
  • This URL returns an image containing the QR code; alternatively the image can be generated by the Java backend. Note that the public service receives the user's secret, which is one reason the backend option is recommended.




[3] A statement displayed to the user: "Please scan this QR Code by Google Authenticator App"
[4] An Input field for OTP number
[5] A "Validate" button

Once the user scans the QR code, the Google Authenticator app will display an OTP; the user enters it and clicks the Validate button. If it matches the value we generate in the backend using the secret code, DFA is enabled for the user; otherwise an "OTP not matched" error is displayed.

After 3 failed attempts the user is routed back to the profile management page with an error message.
Once DFA is enabled, the user profile page shows a "disable DFA" button instead of "enable DFA" (from a security perspective it is better to make this "re-configure DFA").

Note: for better security, some systems do not allow the user to disable DFA once it is enabled.

2. Login Changes

- Once the user has entered the correct username and password, a new page is displayed.
- The page shows a text field and a Validate button and asks the user to enter the one time password.
- Once the user enters the value and clicks Validate, the backend calculates the current value (based on the user's secret code) and compares it with the user's input.
- If they match, the user is directed to the home page; otherwise the user gets 3 attempts, after which they are logged out and it is counted as one invalid login attempt.
  - Note: if the user exceeds the maximum number of invalid login attempts, the account should be locked.


3. Implementation Details

- DB Changes: 

  • 2 additional DB fields in the user/profile table: 
    • OTP_ENABLED (default No) 
    • OTP_SECRET_CODE (encrypted, default null)

- User interface changes: 

  • New pages as per the flow above, for both DFA enablement and the post-login OTP page.
  • Add a button to enable DFA in the profile management page when DFA is not enabled, and a button to disable DFA when it is enabled.



4. Implementation Reference

All the logic will be in the Java backend, which generates the secret code, performs the calculation, generates the QR code and validates the OTP, as per the Java reference below.
A JavaScript library is listed here as it is the best reference to understand what is required for the implementation.
- In JavaScript: can be tested easily in the browser with all code libraries:


- In Java:


- Reference for other languages: