diff --git a/readme.md b/readme.md index a05ec9a..d58aa48 100644 --- a/readme.md +++ b/readme.md 
@@ -2,5 +2,31 @@ This web application demonstrates how to add multi-factor authentication to your web login/signup systems, based on the Time-based One Time Password standard (TOTP). +# TOTP Explantion and need of implementation +Explain- +{If your website features a username+password authentication system, you owe it +to your users to offer 2-factor authentication (or 2fa for short) as an additional +measure of protection for their accounts. If you're unfamiliar with 2fa, it's that +step in the login sequence that asks the user for a (typically) 6-digit numeric code +in order to complete user authentication. The 6 digit codes are either sent to the user's +phone as a text message upon a login attempt or generated by an app such as Google Authenticator. +Codes have a short validity period of typically 30 or 60 seconds. This will show you how +to implement such a system using java in a way that is compatible with Google Authenticator.} + + +Implementation- +{Your first idea for implementing the server side component of a 2fa system might be to randomly +generate 6 digit codes with short validity periods and send them to the user's phone in response +to a login attempt. One major shortcoming with this approach is that your implementation wouldn't +be compatible with 2fa apps such as Google Authenticator which many users will prefer to use. +In order to build a 2fa system that is compatible with Google Authenticator, we need to know what +algorithm it uses to generate codes. Fortunately, there is an RCF which precisely specifies the algorithm. +RFC 6238 describes the "time-based one-time password" algorithm, or TOTP for short. The TOTP algorithm combines +a one time password (or secret key) and the current time to generate codes that change as time marches forward. +RFC 6238 also includes a reference implementation in java under the commercial-friendly Simplified BSD license. 
+This tutorial will show you how to use code from the RFC to build a working 2fa system that could easily be adapted +into your java project.} + + ## Running the example To run the example just execute `mvn exec:java` in the project folder.
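Review bot: the new "Implementation-" paragraph misstates the algorithm's inputs: "combines a one time password (or secret key) and the current time" conflates the output with the input. TOTP (RFC 6238) combines a shared secret key with the current time step to produce the one-time password; suggest "combines a shared secret key and the current time to generate one-time codes that change as time marches forward." Same hunk, smaller fixes: "RCF" should be "RFC" and "Explantion" should be "Explanation" in the heading; and the "Explain-" / "Implementation-" labels wrapped in `{...}` braces are not a README convention, so replace them with `## TOTP explanation` and `## Implementation` subheadings at the same level as the existing `## Running the example` rather than the top-level `#` this hunk introduces.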