The Palos Publishing Company


Build a personal 2FA system

Building a personal Two-Factor Authentication (2FA) system is a practical way to harden the accounts and applications you run yourself. The idea behind 2FA is to require a second proof of identity beyond the username and password, and that second proof must come from a different category than the first: something you know (a password or PIN), something you have (a phone or hardware key), or something you are (biometrics). A password plus a security question is two proofs of the same kind and does not count as 2FA.

To build your own personal 2FA system, here’s a step-by-step guide:

1. Understand the Components of 2FA

2FA typically involves two parts:

  1. Something you know: A password or PIN.

  2. Something you have: This can be a physical device (e.g., phone, hardware key) or a code generated by an app (e.g., Google Authenticator, Authy).

For your personal 2FA system, the second factor could be a Time-Based One-Time Password (TOTP), which is commonly used for 2FA implementations.

2. Choose a Method for the Second Factor

There are several methods for implementing the second factor. Some of the most common options are:

  • SMS-based 2FA: A code is sent to your phone via text message. This is the weakest option on the list because it depends on the carrier: SIM-swap fraud and interception on the mobile network are both used in practice to defeat it.

  • Authenticator apps (e.g., Google Authenticator, Authy, or any TOTP-based app): These apps generate time-sensitive codes.

  • Push notifications: Some systems send an approve/deny prompt to a registered device (Auth0 and Okta offer this). A prompt that shows no context about the login invites "MFA fatigue" attacks, where the victim is flooded with prompts until one is approved.

  • Hardware tokens: Devices like YubiKeys that generate codes or authenticate via USB, NFC, or Bluetooth. Used through FIDO2/WebAuthn, the key signs a challenge bound to the site's origin, which is what makes this the only phishing-resistant option here.

For a personal system, a TOTP-based second factor is the pragmatic choice: it is an open standard (RFC 6238), needs no extra hardware and no network access on the server side, and works with every authenticator app. Be clear about what it does not do, though: a TOTP code can still be phished or relayed in real time by a proxy sitting between you and the real site, so treat a hardware key (step 7) as the upgrade path.

3. Set Up a TOTP-based System

For this, you’ll need:

  • A TOTP library for your preferred programming language (e.g., pyotp for Python, otplib for JavaScript).

  • A way to store secrets securely (e.g., an encrypted database column or an encrypted file). Note that the server must read the secret back in plaintext to compute codes, so it cannot be hashed the way a password is.

Here’s a simple guide for setting up a TOTP-based 2FA using Python and the pyotp library.

Step 1: Install the pyotp library (and qrcode, which Step 3 uses to render the enrollment QR code)

bash
pip install pyotp "qrcode[pil]"

Step 2: Generate a secret key

The secret key is shared between the server and the client (your authenticator app). Anyone who obtains it can compute every future code, so it must come from a cryptographic random source and be kept safe.

python
import pyotp

# Generate a secret key
secret = pyotp.random_base32()
print("Secret key:", secret)

This secret will be used to generate and verify the TOTP tokens.

Step 3: Generate a QR Code for Easy Enrollment

You’ll want to make it easy to set up your authenticator app (Google Authenticator, Authy, etc.). You can generate a QR code that will allow you to scan it in the authenticator app.

python
import pyotp
import qrcode

# Create a TOTP object with the secret from Step 2
totp = pyotp.TOTP(secret)

# Generate the otpauth:// URI that authenticator apps read from the QR code
uri = totp.provisioning_uri("MyAppName@mydomain.com", issuer_name="MyApp")

# Render and display the QR code (img.show() needs Pillow, installed via qrcode[pil])
img = qrcode.make(uri)
img.show()

The QR code will be displayed, and you can scan it with your TOTP app. This hands the app the same secret the server holds. The URI encoded in the QR code contains the secret in plain text, so do not log it or leave screenshots of it around, and close the window once the app is enrolled.

Step 4: Verify the 2FA Code

Now, to verify that the token generated by your TOTP app matches the expected value:

python
# Prompt the user for the code from the TOTP app
code = input("Enter the code from your app: ").strip()

# Accept the current 30-second step plus one step either side to tolerate clock drift
if totp.verify(code, valid_window=1):
    print("2FA successful!")
else:
    print("Invalid code. Try again.")

This asks the user for the code from their authenticator app and checks it against the value computed from the shared secret and the current 30-second time step. Two details matter in practice. Passing valid_window=1 to verify() also accepts the codes for the step immediately before and after, so a phone whose clock is a few seconds off still works. And a code stays valid for its whole step, so record the time step of each accepted code and refuse to accept that step twice; otherwise a code captured once can be replayed within the window.
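To show what pyotp is doing in Steps 2 through 4, here is the same procedure built from the Python standard library. This is an added example, not code from the original page or from pyotp: it implements HOTP (RFC 4226) and TOTP (RFC 6238), builds the otpauth:// enrollment URI, and adds two checks the page's one-line verify(code) call does not show, namely tolerating one step of clock drift and refusing a time step that has already been used. The account name and issuer in main() are hypothetical; the secret b"12345678901234567890" is the published RFC test secret, so the printed values can be compared with the RFC vectors.

```python
"""RFC 6238 TOTP from the Python standard library (added example, not the page's pyotp code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode


def random_base32_secret(nbytes: int = 20) -> str:
    """160 random bits, base32 encoded: the form authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_base32_secret(b32: str) -> bytes:
    """Undo the base32 encoding; apps often display the secret unpadded, grouped and lowercase."""
    b32 = b32.replace(" ", "").strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, for_time // step, digits)


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI encoded in the enrollment QR code (Google Key URI format)."""
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check with drift tolerance and one-time acceptance per time step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, valid_window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.valid_window = valid_window
        # Highest counter accepted so far; persist this per user in a real deployment.
        self.last_used_counter = -1

    def verify(self, code: str, now=None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for offset in range(-self.valid_window, self.valid_window + 1):
            counter = current + offset
            if counter <= self.last_used_counter:
                continue  # replay: this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(rfc_secret, 0))   # 755224 per RFC 4226
    print("TOTP at T=59:", totp(rfc_secret, 59))    # 287082, the last six digits of RFC 6238's 94287082
    b32 = random_base32_secret()
    print(provisioning_uri(b32, "me@example.com", "MyApp"))  # hypothetical account and issuer
    verifier = TotpVerifier(decode_base32_secret(b32))
    code = totp(decode_base32_secret(b32), int(time.time()))
    print("first use:", verifier.verify(code), "replay:", verifier.verify(code))
```

The replay check is the part most home-grown systems skip: without last_used_counter a code shoulder-surfed or captured by a phishing proxy stays usable for up to 90 seconds when the window is one step either side.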

4. Integrate with Your Application

Once the basic 2FA setup is working, integrate it into your existing authentication flow. Complete the username and password check first, then prompt for the 2FA code, and hold the "password verified, code pending" state on the server rather than in a client-side flag the client could set itself. Only when the code is correct do you issue a session. On failure, return the same generic error whichever factor was wrong, and cap the number of code attempts per login: a six-digit code has only one million possible values, so an attacker who can retry without limit will eventually guess one. Lock the pending login or the account after a handful of failures.
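The login flow described above, as an added example that is not code from the original page. The TOTP check is injected as a callable verify_code(username, code) -> bool so the flow reads on its own; the password store is an in-memory dict constructed for the example, and the constants are illustrative policy choices, not values the page prescribes. The password step returns only an opaque pending token, never a session, and failed codes are counted so the six-digit space cannot be searched.

```python
"""Gating login on the second factor, with attempt limiting (added example)."""
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # failed codes before the account locks (illustrative)
LOCKOUT_SECONDS = 300     # how long a lock lasts (illustrative)
PENDING_SECONDS = 600     # how long a password-verified login may wait for its code
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Passwords are stored as salted PBKDF2 hashes, unlike the TOTP secret, which must stay recoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginFlow:
    def __init__(self, password_records, verify_code):
        self.password_records = password_records  # username -> (salt, hash); stand-in for a database
        self.verify_code = verify_code            # e.g. a TotpVerifier lookup per user
        self.pending = {}   # token -> (username, issued_at): server-side "code pending" state
        self.failures = {}  # username -> (failed_count, locked_until)

    def check_password(self, username: str, password: str, now=None):
        """Step 1. Returns an opaque pending token on success, None otherwise (never a session)."""
        now = time.time() if now is None else now
        record = self.password_records.get(username)
        if record is None:
            # In production also hash a dummy value here so timing does not reveal valid usernames.
            return None
        salt, expected = record
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, now)
        return token

    def check_second_factor(self, token: str, code: str, now=None):
        """Step 2. Only a live pending token plus a correct code yields a session; all failures look alike."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return None
        username, issued_at = entry
        if now - issued_at > PENDING_SECONDS:
            del self.pending[token]
            return None
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return None  # locked: do not even evaluate the code
        if self.verify_code(username, code):
            del self.pending[token]            # the pending token is single use
            self.failures.pop(username, None)  # success clears the failure count
            return {"user": username, "session": secrets.token_urlsafe(32)}
        count += 1
        if count >= MAX_ATTEMPTS:
            # The count is kept, so after a lock expires the next failure re-locks immediately.
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return None
```

Everything that decides whether the user is past the first factor lives in self.pending on the server; the client only ever holds an unguessable token, so it cannot skip the code step by claiming the password already passed.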

5. Store the Secret Securely

Make sure to store the TOTP secret securely. If an attacker can read the secret, they can generate valid codes indefinitely, and unlike a password it cannot be stored as a hash, because the server needs the plaintext to compute codes. You can:

  • Store the secret encrypted in a database field, with the encryption key held somewhere else (a KMS, an OS keyring, or a secrets manager), so a database dump on its own is not enough.

  • For a single-user personal server, keep the secret in an environment variable or a root-only file rather than in source code or version control.

6. Implement Backup Codes

If you lose access to your second factor (e.g., you lose your phone), you should have a backup system. One common method is to generate backup codes at the time of setup. These are one-time-use codes that can be entered instead of the TOTP code in emergencies.

Generate them when you set up 2FA, show them to the user exactly once, and store them in a secure location offline. On the server keep only a salted hash of each code, as you would a password, and delete that hash the moment the code is redeemed so it cannot be used again. When the list is used up, or whenever you suspect it has been exposed, regenerate the whole set.
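Backup codes built the way the paragraph above describes, as an added example that is not code from the original page. It generates the codes at enrollment, keeps only salted hashes on the server, and removes a hash when its code is redeemed so each code works once. The alphabet, code length and PBKDF2 round count are choices made for the example, not values the page specifies.

```python
"""Backup (recovery) codes for a personal 2FA system (added example)."""
import hashlib
import hmac
import secrets

# Lowercase alphabet with the lookalikes 0/o and 1/l/i removed: 31 symbols.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10      # 31**10 is roughly 2**49.5 possibilities per code
PBKDF2_ROUNDS = 50_000


def generate_backup_codes(count: int = 10) -> list:
    """Codes shown to the user exactly once, formatted xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Accept what a user will actually type: any case, with or without the dash or spaces."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Backup codes only need to be recognised, so they can be hashed like passwords."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode("ascii"), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the server keeps: one salt per user and the hashes of the codes not yet used."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, code: str) -> bool:
        try:
            digest = hash_code(code, self.salt)
        except UnicodeEncodeError:
            return False  # non-ASCII input can never be a valid code
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]  # single use: the hash is gone once redeemed
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Store these somewhere offline:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because the stored values are hashes, a leaked database gives the attacker the same brute-force problem a leaked password table does, which is the whole point of treating backup codes differently from the TOTP secret. Rate-limit redemption attempts the same way as TOTP codes.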

7. Optional: Adding Multiple Factors

If you want to go beyond TOTP, you can also integrate more factors, like:

  • Hardware tokens: Integrate a USB security key (e.g., YubiKey) using WebAuthn/FIDO2. The key signs a challenge bound to the site's origin, so a response captured by a phishing page cannot be reused against the real site.

  • Biometrics: For mobile apps, use the platform's biometric prompt (fingerprint or face recognition) to unlock a key stored on the device. The biometric itself never leaves the device; what the server verifies is the key.

  • SMS-based codes: Generally less secure (SIM swapping, interception) and best avoided as a fallback, since any fallback path lowers the whole system to the strength of its weakest factor.

8. Test the System

Make sure to thoroughly test the 2FA system under the scenarios that matter: a correct code, a code from an expired time step, an incorrect code, the same code submitted twice (it must be rejected the second time), a client clock one step ahead or behind, repeated failures triggering the lockout, and each backup code working exactly once. Also test how the system behaves when you lose access to your second factor, including how you recover.

Conclusion

By using TOTP-based 2FA, you add an important layer of security to your personal systems. You can expand it with backup codes, hardware tokens, or biometrics for additional security. Whether you’re securing personal applications or enhancing the protection of sensitive data, implementing 2FA is a step in the right direction.
