How do Services recognise 2-Factor Authentication codes as correct?



  • Something about the flow of setting up 2-factor authentication is not clear to me.

    This is the flow of setting up a Service* to use a 2-factor auth app**:

    1. Choose "set up 2-factor auth" in the account security section. This shows a long key.

    2. This key is copied and entered when adding a service account in a 2-factor auth app** that allows for having 2-factor auth for multiple accounts of different services.

    3. When it is added, it spits out a time-limited code that is entered back into the service app and 2-factor auth is set up.

    4. Codes like those are then used every time to do 2-factor auth.

    What I don't understand is how the service and the 2-factor auth app know/recognise each other in step 3.

    *Instagram, Amazon etc.

    **Duo Mobile, Microsoft Authenticator, 2FA



  • This is done by inference.

    The code the app creates is based on the current time and the key. The key is unique to your account on that service.

    When you enter a 2FA code (it doesn't matter when), the service checks that code against the key for your account and authenticates you (or, more technically, it authenticates the 2FA app, but that's a side issue).

    Step 3 in your process is only a convenience. If the code works, then the service can infer that 2FA was set up properly and can continue the process to mark your account as using 2FA. If this check was not done and something went wrong in setting up your 2FA app, then you could be locked out of your account. However, if the code works once, then the service can infer that all future codes should work, too.

    There is no "know/recognise each other" in this process. There is only checking the code against the key by the service.
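    The mechanism the answer describes is the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): both sides hold the same key, both compute HMAC-SHA1 over the current 30-second time-step, and the service simply checks whether the submitted code matches. The following is an added example written for this page, not code from the question, the answer, or any of the services or apps named above. It walks through the four setup steps: generating the key shown in step 1, the `otpauth://` URI the app imports in step 2, the code the app computes in step 3, and the server-side check used in step 4, including a small clock-drift window and a last-used-step record that rejects a replayed code. The service and account names, the `Account` class and the window size are assumptions for illustration; the key material in the usage section is generated randomly on each run.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): how a service and an
authenticator app derive the same code from a shared key and the clock.
Added example for this page; not code from any named service or app."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per time-step (the default every mainstream app uses)
DIGITS = 6
WINDOW = 1     # also accept the previous and next step, to tolerate clock drift (assumed policy)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app displays (question step 3)."""
    return hotp(key, int(unix_time) // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Question step 1: the service generates a random key and shows it
    base32-encoded (the "long key" on the setup page)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Question step 2: the otpauth:// URI that the setup QR code encodes; the
    app stores the secret under the issuer/account label it carries."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class Account:
    """Server-side record for one user (hypothetical): the shared key plus the
    last time-step already consumed, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str):
        self.key = base64.b32decode(secret_b32)
        self.last_counter = -1

    def verify(self, code: str, unix_time: float, window: int = WINDOW) -> bool:
        """Question steps 3 and 4: recompute the code for the current step
        (and `window` steps either side) and compare in constant time."""
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now = int(unix_time) // STEP
        for counter in range(now - window, now + window + 1):
            if counter <= self.last_counter:
                continue  # already used: blocks replay within the same step
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()                                   # step 1
    print(provisioning_uri(secret, "alice@example.com", "ExampleService"))  # step 2
    acct = Account(secret)
    code = totp(base64.b32decode(secret), time.time())      # step 3: app output
    print(code, acct.verify(code, time.time()))             # True: enrolment confirmed
    print(acct.verify(code, time.time()))                   # False: same code replayed
```

The "recognition" in step 3 is nothing more than the first successful `verify`: the service never talks to the app, it only checks that someone holding the same key and a roughly correct clock produced the digits. The RFC 4226/6238 test vectors (key `12345678901234567890`, time 59 gives `287082`) can be used to confirm that `hotp` and `totp` match a real authenticator.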


