Last Updated on July 21, 2024
2FA (Two-factor authentication) is one of the most secure authentication methods in the world.
How to enable 2FA? (Zampto Accounts)
You can enable 2FA on your Zampto account by going to your account’s security settings.
How does it work? [TOTP]
Two-Factor Authentication (2FA) is a security process that requires two different forms of identification to access an account or system. This method adds an extra layer of protection beyond just a password. One common type of 2FA is Time-Based One-Time Password (TOTP).
Here’s how TOTP works in a simple way:
- Setup: You link an authenticator app (like Google Authenticator) to your account. During this setup, the service provider generates a secret key.
- Secret Key: This secret key is shared between the service provider and your authenticator app. It’s crucial to keep this key safe. (You can scan a QR code that contains the TOTP key inside it from the authenticator app.)
- Time-Based Algorithm: The authenticator app uses the secret key and the current time to generate a unique code. This code changes every 30 seconds.
- Logging In: When you log in, after entering your password, you’re prompted to enter the current code from your authenticator app.
- Verification: The service provider, which has the same secret key and current time, verifies the code. If the code matches the one it generated, access is granted.
The beauty of TOTP is that even if someone steals your password, they can’t access your account without the time-based code, which only you have access to through your authenticator app.
TOTP works offline
The inputs to the TOTP algorithm are device time and a stored secret key. Neither the inputs nor the calculation require internet connectivity to generate or verify a token. Therefore a user can access TOTP via an app like Authy while offline.
TOTP’s offline support is ideal for users who might need to access their authentication while traveling abroad, on a plane, in a remote area, or otherwise without network connectivity.
How does it work? [EOTP]
EOTP (Email One-Time Password) is a secure method for two-factor authentication (2FA) that enhances the security of your account.
In this explanation we sometimes write OTP and sometimes EOTP; the added “E” simply stands for “Email”. Unlike TOTP, whose codes are derived from the secret key, the EOTP system generates a random One-Time Password and sends it to you by email, so it does not work offline.
Here’s how it works:
- Login Attempt:
  - When you try to log in, you enter your usual username and password.
- Email Verification:
  - After your username and password are accepted, an email containing a One-Time Password (OTP) is sent to your registered email address (once you click the send button on the 2FA-EOTP page).
- Enter the (EOTP) OTP:
  - Open your email, find the message with the (EOTP) OTP, and enter it into the field provided on the login screen.
- OTP Validation:
  - The system verifies the OTP. If it is correct, you are logged in.
  - The OTP is valid only for 12 to 24 hours for security reasons. If you don’t use it within this timeframe, it expires and you’ll need to request a new one.
This extra step helps ensure that even if someone knows your password, they won’t be able to access your account without also having access to your email.
Advantages of EOTP:
- Enhanced Security: Adds an extra layer of protection to your account.
- Easy to Use: Simple process involving just checking your email and entering the OTP.
- Time-Limited: OTPs expire within 12 to 24 hours, reducing the risk of unauthorized access.
By using EOTP, you help keep your account secure from unauthorized access and ensure that only you can log in.
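The EOTP flow above as an added example (not Zampto’s code): a random code is issued when the user clicks send, only its hash is stored server-side, and verification enforces the 12-hour lower bound of the validity window, single use, and an assumed cap on wrong guesses. The in-memory store, the 8-digit length, the TTL and the attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example parameters; the page gives only the 12-24 hour validity window.
EOTP_DIGITS = 8
EOTP_TTL_SECONDS = 12 * 60 * 60   # lower end of the 12-24 hour window
MAX_ATTEMPTS = 5                  # assumed cap so a short code cannot be guessed online

_pending = {}   # email -> record; a real service would use a database, not a dict


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def issue_eotp(email: str, now: float) -> str:
    """Called when the user clicks 'send' on the 2FA-EOTP page. Returns the code to
    email to the user; only its hash, issue time and attempt counter stay server-side."""
    code = str(secrets.randbelow(10 ** EOTP_DIGITS)).zfill(EOTP_DIGITS)
    _pending[email] = {"hash": _digest(code), "issued": now, "attempts": 0}
    return code


def verify_eotp(email: str, submitted: str, now: float) -> bool:
    """Single use: the record is removed on success, on expiry, and after too many
    failed attempts, so a code can never be replayed or brute-forced at leisure."""
    rec = _pending.get(email)
    if rec is None:
        return False
    if now - rec["issued"] > EOTP_TTL_SECONDS:
        del _pending[email]          # expired: the user must request a new one
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[email]          # too many guesses: invalidate the code
        return False
    if hmac.compare_digest(_digest(submitted), rec["hash"]):
        del _pending[email]          # consumed on first correct use
        return True
    return False


if __name__ == "__main__":
    issued = issue_eotp("user@example.test", time.time())
    print("email this code to the user:", issued)
    print("verified:", verify_eotp("user@example.test", issued, time.time()))
```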
What is better between TOTP and EOTP 2FA?
TOTP:
- Mechanism: Generates codes based on a combination of a shared secret key and the current time.
- Code Lifespan: Codes are valid for a short period, typically 30 seconds.
- Use Case: Ideal for scenarios where time synchronization is reliable.
- Security: Provides strong security as codes expire quickly, reducing the window for potential misuse.
EOTP:
- Mechanism: Generates codes in response to an event, such as a user action (e.g., clicking the send button); a random EOTP is generated for that action and emailed to you.
- Code Lifespan: Codes remain valid until used; if a code is not used within 12-24 hours it automatically becomes invalid.
- Use Case: Useful when time synchronization is difficult or unreliable, or for specific actions that don’t happen frequently.
- Security: Can be less secure if not used promptly, since codes expire only at the end of the 12-24 hour window rather than within seconds.
Which is Better?
- For most situations, TOTP is generally better due to its time-based expiration, which offers stronger security by limiting the time window for potential attacks.
- EOTP can be more suitable for specific applications where events rather than time dictate the need for a one-time password.