The 2FA Login plugin enables applications built with Backendless to provide an authentication option where a user can login using the TOTP (Time-based One Time Password) form of two-factor authentication (2FA).
With this approach, users of your Backendless-powered app can use a TOTP authenticator app such as Google Authenticator, Twilio’s Authy, and Microsoft Authenticator apps to login with a password generated by those apps. The 2FA Login plugin introduces a workflow with the APIs to coordinate the login process, which you can explore further in the docs.
2FA provides one more layer of security for your app, and the plugin is a powerful additional to our comprehensive suite of User Management tools.
Two-factor authentication (2FA) is an authentication process that requires two factors to login: something you know (like a password) and something you have (like a phone or security token).
2-factor authentication is a designed to improve app data security. Adding 2FA support to your app can help protect your data from unauthorized access in case a user’s login identity (username, email, etc.) and password are compromised.
What is TOTP?
TOTP is a method of authentication that uses an app on the user’s mobile device to confirm the user’s login before allowing access to their account. TOTP can be used to protect accounts that hold sensitive information, such as bank accounts, cloud storage accounts, and email accounts.
TOTP is a type of two-factor authentication that uses a six-digit code (or one-time passcode, OTP) or one-time tokens generated by an authenticator app. The code changes every 30 seconds, so it’s unique for each login attempt.
How Does TOTP Work?
TOTP is based on the time and a secret key, so the server can generate the same code as the authenticator app. To complete the login process, the user manually enters the time-based code from the authenticator app into the app built with Backendless, which confirms the code before authenticating the user.
Codes generated by the authentication process become inactive after the time lapses, acting as an additional layer of security.
To enable two-factor authentication in your application, you’ll need to use the 2FA Login plugin and its APIs. You can add the plugin for free by visiting Backend >Marketplace > API SERVICES > All Services in your Backendless app.
To verify the installation, visit the Cloud Code section of your backend and you should see the TOTP service in your list of API services.
The 2FA plugin supports 2FA at the individual user level. You can enable 2FA for the entire app or individual users can individually enable it (through your app).
Implementing TOTP With 2FA
In a TOTP app, the user needs to scan a QR code or enter a “secret” code to add your application to the TOTP app. The 2FA plugin in Backendless provides both a QR code as well as a “secret” code as a part of the user registration process.
The API supported by the 2FA Login plugin can be used either via REST, using a Backendless SDK, or with Codeless. Supported frontend languages include:
You can generate the client-side library for the API using the Code Generator as shown below. This will enable you to use the API with the corresponding SDK.
If your frontend language is not available, you can access the plugin via REST API.
Google Authenticator is a popular two-factor authentication app that’s available on both Android and iOS.
The technology behind Google Authenticator began as an open-source project, but when Google created a proprietary version, it became known as the familiar and simple alternative to newer 2FA systems. For individuals who use the Google suite of services, Google Authenticator has become a popular choice.
Google Authenticator is available for free on the Google Play Store and Apple App Store.
Microsoft Authenticator is another popular two-factor authentication app that’s available on both Android and iOS. It supports a wide range of applications, most notably including the complete Microsoft suite of products such as Office 365, Azure AD, and many more.
Microsoft Authenticator supports PIN and biometric authentication like TouchID tied to the user’s device, adding an additional layer of security to the login process.
Microsoft Authenticator is available for free on the Google Play Store and Apple App Store.
Twilio Authy is a popular two-factor authentication app that’s available on both Android and iOS. While Authy may not connect with as many third-party apps as Google Authenticator, it supports many devices other than Android and iOS devices. Authy also works with Apple Watches and desktop computers running Windows, Linux, or macOS. It is easy to set up since one account easily links to multiple devices.
Like Microsoft Authenticator, Authy also supports PIN and biometric authentication, providing addition security compared to Google Authenticator.
Twilio Authy is available for free on the Google Play Store and Apple App Store.
The 2FA Login plugin from Backendless is a great way to enable two-factor authentication for your app by enabling you to interact with a variety of authenticator apps.
The plugin enables 2FA via TOTP for increased data and account security. It is just one more tool from Backendless to protect yourself and your uses from unauthorized account access.
Download and install the plugin for free from the Marketplace section of your Backendless backend today!
What is TOTP Authenticator?
A TOTP authenticator is an app used for user authentication to allow access to a secure account. The authenticator uses a phone app which receives and validates a code generated by a server before allowing access to the account.
For example, Google Authenticator is a TOTP app that can be used to protect a Google account including Google drive, Google email, etc.
How Do I Set Up TOTP?
To set up TOTP for your Backendless app using the 2FA Login plugin, follow the instructions laid out in the plugin’s documentation.
HOTP vs. TOTP
HOTP stands for HMAC-based One-Time Password. It is the original standard that TOTP was based on. One of the inputs to both methods is a secret key, but TOTP uses the system time for the other input, whereas HOTP utilizes a counter that increments with each new validation. Both parties increment the counter and use it to compute one-time passwords using HOTP.
Does the 2FA Plugin support push notifications with the TOTP code?
Many authenticator apps provide features such as one-tap push authentication for easier access. These notifications originate from the authenticator app, not Backendless itself.
Many authenticator apps also include cloud backup for your accounts via platforms such as Google Drive. This is also controlled by the authenticator service, not hosted within Backendless.