How does this two factor authentication work?

tc101
Posts: 2943
Joined: Tue Feb 20, 2007 3:18 pm
Location: Atlanta - Retired in 2004 at age 54

How does this two factor authentication work?

Post by tc101 » Thu Sep 21, 2017 5:35 pm

I have a Schwab account. I requested 2 factor authentication, with a device they sent me. When I log in, after entering my password it asks for a number. I press a button on the device, get a number, and enter it. How does this work? How does the website know what number the device gives?
. | The most important thing you should know about me is that I am not an expert.

LiveSimple
Posts: 933
Joined: Thu Jan 03, 2013 7:55 am

Re: How does this two factor authentication work?

Post by LiveSimple » Thu Sep 21, 2017 5:40 pm

The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purc

LiveSimple
Posts: 933
Joined: Thu Jan 03, 2013 7:55 am

Re: How does this two factor authentication work?

Post by LiveSimple » Thu Sep 21, 2017 5:43 pm

Basically the company, in your case Charles Schwab, will have in their computers what sequence of numbers will be displayed at what time, based on the serial number of the device they shipped.

The easy way to think of it is that both sequences of numbers will match, one from your device and one in the company's computer.

Each device will generate a random sequence, hence difficult to duplicate.

bluebolt
Posts: 555
Joined: Sat Jan 14, 2017 9:01 am

Re: How does this two factor authentication work?

Post by bluebolt » Thu Sep 21, 2017 6:36 pm

LiveSimple wrote:
Thu Sep 21, 2017 5:43 pm
Basically the company, in your case Charles Schwab, will have in their computers what sequence of numbers will be displayed at what time, based on the serial number of the device they shipped.

The easy way to think of it is that both sequences of numbers will match, one from your device and one in the company's computer.

Each device will generate a random sequence, hence difficult to duplicate.
Pseudo-random, not random, correct? Otherwise, how could they both generate the same number?

Spirit Rider
Posts: 6865
Joined: Fri Mar 02, 2007 2:39 pm

Re: How does this two factor authentication work?

Post by Spirit Rider » Thu Sep 21, 2017 6:48 pm

bluebolt wrote:
Thu Sep 21, 2017 6:36 pm
Pseudo-random, not random, correct? Otherwise, how could they both generate the same number?
Nit picking. It is a distinction without a difference for security purposes. RSA SecurID is secure.

chuppi
Posts: 131
Joined: Sat Jun 16, 2012 9:47 am

Re: How does this two factor authentication work?

Post by chuppi » Thu Sep 21, 2017 6:58 pm

I could be wrong but I thought that the program that loads the page, generates the number and texts it to the number provided at sign-up. When the user enters the number that came in the text, the program just checks if it matches with the one it generated and texted.

Nthomas
Posts: 66
Joined: Fri Jul 15, 2016 8:46 am

Re: How does this two factor authentication work?

Post by Nthomas » Thu Sep 21, 2017 7:00 pm

Once you activate the Symantec device to use the code, how does the iPhone app work? Do you need to use the key to log into the app as well?

DaftInvestor
Posts: 3437
Joined: Wed Feb 19, 2014 10:11 am

Re: How does this two factor authentication work?

Post by DaftInvestor » Thu Sep 21, 2017 7:21 pm

chuppi wrote:
Thu Sep 21, 2017 6:58 pm
I could be wrong but I thought that the program that loads the page, generates the number and texts it to the number provided at sign-up. When the user enters the number that came in the text, the program just checks if it matches with the one it generated and texted.
This is true if your cell phone or smart phone is used as the second factor of authentication (first factor being a password). In the case of the OP his second factor is NOT his cell phone nor a number that is texted. The second factor is the device that Schwab sent him. The device Schwab sent to him generates a unique code every minute and Schwab's computer can calculate the same code that the device calculates for a given minute (and these codes are unique for the OP). If the two match - then authentication happens.

bluebolt
Posts: 555
Joined: Sat Jan 14, 2017 9:01 am

Re: How does this two factor authentication work?

Post by bluebolt » Thu Sep 21, 2017 8:30 pm

Spirit Rider wrote:
Thu Sep 21, 2017 6:48 pm
bluebolt wrote:
Thu Sep 21, 2017 6:36 pm
Pseudo-random, not random, correct? Otherwise, how could they both generate the same number?
Nit picking. It is a distinction without a difference for security purposes. RSA SecurID is secure.
Wasn't attempting to nit-pick. Was honestly inquiring to try and understand how it works.

But it is an important distinction I would think. Pseudo-random with a seed is the only way to get the numbers to match up while being secure. I guess you could have a one time pad, but that seems impractical.
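
The seed-plus-clock scheme discussed in the posts above, as an added example that is not part of any post: it uses the open TOTP standard (RFC 6238, HMAC-SHA1) as a stand-in, since the algorithm inside RSA SecurID tokens is proprietary and not shown in this thread. The seeds, the timestamp and the `Verifier` class are constructed for illustration; the server side also shows clock-drift tolerance and refusal of a replayed code.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, matching the one-minute interval in the thread
DIGITS = 6

def code_at(seed: bytes, unix_time: int) -> str:
    """Token side: derive the code for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: holds the same seed and recomputes the code itself."""
    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps           # tolerated clock skew, in steps
        self.last_counter = -1                   # highest step already accepted

    def check(self, submitted: str, server_time: int) -> bool:
        now = server_time // STEP
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue                         # refuse replay of a used or older code
            expected = code_at(self.seed, counter * STEP)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False

def demo() -> dict:
    seed_a = b"constructed-seed-for-token-A"     # constructed sample seeds
    seed_b = b"constructed-seed-for-token-B"
    t = 1_506_029_700                            # constructed timestamp
    server = Verifier(seed_a)
    code = code_at(seed_a, t)                    # what the device would display
    return {
        "accepted": server.check(code, t + 20),           # same minute
        "replayed": server.check(code, t + 25),           # same code again
        "other_token": Verifier(seed_a).check(code_at(seed_b, t), t),
        "stale": Verifier(seed_a).check(code, t + 10 * STEP),
    }

if __name__ == "__main__":
    print(demo())
```

Nothing travels between token and server except the code the user types: both sides compute it from the shared seed and their own clocks, which is why the output is deterministic (pseudo-random) and why the seed is the secret that must not leak.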

Kenkat
Posts: 3913
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: How does this two factor authentication work?

Post by Kenkat » Thu Sep 21, 2017 8:37 pm

Spirit Rider wrote:
Thu Sep 21, 2017 6:48 pm
bluebolt wrote:
Thu Sep 21, 2017 6:36 pm
Pseudo-random, not random, correct? Otherwise, how could they both generate the same number?
Nit picking. It is a distinction without a difference for security purposes. RSA SecurID is secure.
Well except when the algorithm got stolen and they had to replace all of the hardware devices several years ago... :wink:

Here's a good explanation of how it works plus a description of how it got hacked:

https://arstechnica.com/information-tec ... mpromised/

It is currently secure but this also demonstrates that all security measures have their vulnerabilities.
