Two-Factor Authentication Explained

Something You Know, Something You Have

Two-Factor Authentication (2FA) requires users to prove their identity using two distinct categories of evidence before granting access. The first factor is typically something you know (your password). The second factor is something you physically possess (your phone, a hardware key) or something you biologically are (fingerprint, face scan). Even if an attacker steals your password, they cannot access your account without also possessing the second factor.

TOTP (Time-based One-Time Password) is the most common 2FA implementation. During setup, the server shares a secret seed with your authenticator app. Every 30 seconds, both the server and your app independently compute HMAC-SHA1(seed, floor(current_unix_time / 30)) and truncate the result to a 6-digit code. Because both sides use the same seed and the same clock, they always generate matching codes without any communication.

SMS-based 2FA is significantly weaker. Attackers can intercept text messages through SIM-swapping attacks (convincing a mobile carrier to transfer your phone number to their SIM card), SS7 protocol vulnerabilities in the telecommunications infrastructure, or malware on your phone. Hardware security keys like YubiKeys provide the strongest second factor because they use cryptographic challenge-response protocols that are physically impossible to intercept remotely.

Everyday Example

Think of your front door having both a deadbolt lock (your password) and a fingerprint scanner (the second factor). If a burglar picks the lock, they still cannot get past the fingerprint scanner. If they somehow clone your fingerprint from a glass you touched, they still cannot pick the lock. They need both simultaneously. That dual requirement is what makes 2FA so dramatically more secure than a password alone.

The Deep Mathematics

TOTP is defined in RFC 6238. The algorithm computes T = floor((Current_Unix_Time - T0) / X), where T0 = 0 and X = 30 seconds. The code is then OTP = Truncate(HMAC-SHA-1(K, T)) mod 10^d, where d = 6 digits and K is the shared 160-bit secret. The truncation function extracts a 4-byte dynamic binary code from the 20-byte HMAC output, using the low-order 4 bits of the last byte as the offset into that output. This gives 10^6 = 1,000,000 possible codes per 30-second window, or approximately 19.9 bits of security per attempt.
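The two TOTP descriptions above, carried through in working code as an added example (not code from the original article or from giovium): HMAC-SHA-1 over the time counter, dynamic truncation, and a server-side verifier that tolerates one step of clock drift. The seed is the RFC 4226/6238 test-vector value, used only so the results are reproducible; the function names and the `window` parameter are this example's own.

```python
import hmac
import hashlib
import struct
import time

# Constructed example. The seed is the RFC 4226 / RFC 6238 test-vector secret;
# a real seed comes from the enrolment step and is never shared like this.
TEST_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 20 bytes
    offset = mac[-1] & 0x0F  # low-order 4 bits of the last byte select the window
    # 4-byte dynamic binary code with the top bit cleared (31 bits, per the RFC)
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)  # keep leading zeros, e.g. "005924"


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter T = floor((time - T0) / X)."""
    return hotp(key, (unix_time - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus `window` steps either side to
    absorb clock drift, and compare in constant time so no digit leaks via timing."""
    if len(code) != 6 or not code.isdigit():
        return False
    t = unix_time // step
    return any(
        hmac.compare_digest(totp(key, (t + d) * step, step), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Current code for the test seed; an authenticator app with this seed shows the same value.
    print(totp(TEST_SEED, int(time.time())))
```

Widening `window` makes drifted clocks work but multiplies the number of codes an online guess can hit, so the 19.9 bits per attempt only hold together with server-side rate limiting.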

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.
