Multi-factor authentication (MFA)

Our MFA system is built on time-based one-time passwords (TOTP), implemented on the server with the otplib package in Node.js. The core of the design is the generation of time-sensitive one-time codes by an authenticator application such as Google Authenticator or Authy. During MFA enrollment, a shared secret is generated and securely provisioned to the user's authenticator app via a QR code. This shared secret, combined with the current time, is what produces each TOTP.

The authenticator app implements the TOTP algorithm: the shared secret is used as the key of an HMAC (Hash-based Message Authentication Code) computed over a counter derived from the current Unix timestamp (the number of 30-second intervals elapsed), and the result is truncated to a six-digit code. The code therefore changes every 30 seconds and forms the second authentication factor.

When a user authenticates, they must present both their primary credentials (email and password) and the current TOTP. The server, using otplib, independently computes the expected TOTP from the stored shared secret and the current timestamp and compares it with the code the user submitted. Access is granted only if the two match within the allowed time window. Because each code is valid for only a short interval, the scheme resists replay of captured codes and adds a layer of protection beyond static passwords; it also limits the damage from phishing and credential stuffing, since a stolen password alone is not sufficient to log in.

Each login session remains active for 7 days, balancing security and user convenience. TOTP-based MFA protects access to critical user accounts, administrative consoles, and sensitive data repositories, so that an attacker who compromises a user's primary credentials still cannot authenticate without the current TOTP. Public-facing services and resources that handle non-sensitive information (the company website, marketing materials, help and support documentation, roadmaps, etc.) are not subject to MFA, as they are designed to remain easily accessible and do not pose a significant security risk. This distinction lets us apply stringent controls where they matter most while preserving convenience elsewhere.
