# Multi-factor authentication (MFA)

Our MFA (Multi-Factor Authentication) system is built on a time-based one-time password (TOTP) mechanism, implemented with the `otplib` package in Node.js. Time-sensitive OTPs are generated by an authenticator application such as Google Authenticator or Authy. During the initial MFA setup, a shared secret is generated and provisioned to the user's authenticator app via a QR code. This shared secret is the root of the scheme: it is combined with the current time to generate each TOTP, so it must be stored and transmitted as carefully as a password.

The authenticator app uses the TOTP algorithm: it computes an HMAC (Hash-based Message Authentication Code) keyed with the shared secret over the current Unix timestamp, counted in 30-second steps, and truncates the result to a six-digit code. This code, which changes every 30 seconds, forms the second authentication factor.

When a user attempts to authenticate, they must provide both their primary credentials (email and password) and the TOTP. The server-side implementation, using the `otplib` library, independently calculates the expected TOTP from the stored shared secret and the current timestamp, then compares it with the user-submitted TOTP. Only if the two values match within the allowed time window is the user granted access. This time-based synchronization makes the authentication process resistant to replay attacks and provides an additional layer of security beyond static passwords. It also mitigates the risk from phishing and credential stuffing attacks, since a stolen password alone is not enough to log in.

Each login session remains active for 7 days, balancing security against user convenience. We use this TOTP-based MFA to protect access to critical user accounts, administrative consoles, and sensitive data repositories, so that even an attacker who compromises a user's primary credentials cannot authenticate without the current TOTP. Public-facing services and resources that handle non-sensitive information (e.g., the company website, marketing materials, help and support documentation, roadmaps) are not subject to MFA, as they are designed to remain easily accessible and their exposure poses no significant security risk. This delineation lets us apply stringent controls where they are most needed without burdening access to public content.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://data-policy.thepdfmaker.com/data-security/multi-factor-authentication-mfa.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
