BR75

Reputation: 667

Google Authenticator

I have a question about Google Authenticator, or the general point of two-factor authentication.

I have a website where a user can log in with username + password. So when I add TFA, all users get an individual secret key to generate a QR code, but when a hacker already knows the username + password, all he has to do is scan the QR code and enter the 6 digits. So what is the point of TFA?

Upvotes: 0

Views: 508

Answers (1)

philnash

Reputation: 73057

When you add TFA, you need to generate a secret with which you can then generate one time passwords.

The way you share that secret with your user is via a QR code. You should only need to show the user the QR code once and using an authenticator app like Google Authenticator or Authy, they read the QR code and store the secret.

Then, when they come to log in again, they need to use the app to generate a one time password based on the secret and the current time period.

You shouldn't show the QR code when logging your user in, only when setting up TFA in the first place.

Upvotes: 2
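The two phases the answer describes, worked through in code. This is an added example, not code from the question or the answer: a minimal RFC 6238 TOTP implementation with an enrolment step (generate the secret once, render it as an otpauth:// URI for the QR code) and a login step (the app derives a code from the secret and the current 30-second period; the server verifies it). The account name `alice@example.com`, the issuer `ExampleSite` and the `TotpVerifier` class are assumptions made for the example; the HOTP/TOTP arithmetic follows RFC 4226/6238.

```python
"""Added example: server-side TOTP enrolment and verification (not the
original post's code). Only the standard library is used."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # seconds per code; the default period authenticator apps use
DIGITS = 6


def generate_secret(num_bytes=20):
    """Enrolment: one fresh random secret per user, base32-encoded for the app."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI that is rendered into the QR code shown once at setup.
    Google Authenticator and Authy both read this format."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def _decode_secret(secret_b32):
    """Base32 secrets are often shown without padding or with spaces; normalise."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None):
    """What the authenticator app computes: HOTP with the time step as counter."""
    now = time.time() if at_time is None else at_time
    return hotp(_decode_secret(secret_b32), int(now) // TIME_STEP)


class TotpVerifier:
    """Login-time check (assumed helper). Remembers the last accepted step per
    account so a code that was observed once cannot be replayed in its period."""

    def __init__(self, window=1):
        self.window = window          # accept +/- this many steps of clock skew
        self._last_step = {}

    def verify(self, account, secret_b32, code, at_time=None):
        now = time.time() if at_time is None else at_time
        current = int(now) // TIME_STEP
        key = _decode_secret(secret_b32)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self._last_step.get(account, -1):
                continue              # already consumed: reject replay
            if hmac.compare_digest(hotp(key, step), code):
                self._last_step[account] = step
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()                       # stored with the user record
    print("Show once, as a QR code:",
          provisioning_uri(secret, "alice@example.com", "ExampleSite"))
    code = totp(secret)                              # what the app displays now
    v = TotpVerifier()
    print("first use accepted:", v.verify("alice", secret, code))
    print("replay rejected:   ", v.verify("alice", secret, code))
```

The point the answer makes is visible in the flow: the QR code carries the secret and appears only in `provisioning_uri` at enrolment; at login the server never shows it again and only compares a short-lived code. The verifier also refuses a code whose time step has already been accepted, so a code seen once cannot be reused within its window.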
