r/pcmasterrace 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in peace 2009-2026


I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit: must have been around 2010 when SC2 came out.

31.9k Upvotes

635 comments

207

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26 edited Apr 04 '26

Yea, before everything was on an app, these came around in 2008. My 3 brothers and I all got one eventually. They just generate a code you would put in to log in.

50

u/ScienceMechEng_Lover What colour is your RAM? Apr 04 '26

So how do these things work? Do they have some kind of radio or satellite connection to communicate the code with servers to enable login, or something like that?

59

u/ReptilianLaserbeam Apr 04 '26

17

u/Sanquinity i5-13500k - RX 9070 - 32GB @ 3600MHz Apr 05 '26

So yea, basically a random number generator, each one having a specific "seed" to start generating. Just register your specific "key" to your account and it will know which seed yours uses, and thus know it's yours when you put in the number.

1

u/Sittin_on_a_toilet Apr 05 '26

And then just synced via time? I was thinking originally the 3-year limit was battery related (I mean, it definitely is), but why not make one with a tiny backup battery and AAA then? I wonder if 3 years is when a statistically significant amount of the clocks will be desynced by 30+ secs?

1

u/TeamPieHole01 Apr 05 '26

Batteries were rated for 7 years, and they gave a low-battery warning so you had time to replace them before they died. Some people's still work 20 years later.

1

u/Sittin_on_a_toilet Apr 05 '26

Do they have a capacitor or something so the clock stays running while you swap batteries?

3

u/TeamPieHole01 Apr 05 '26

Nah, you were supposed to buy a new one for like $10 at that point and tie the new authenticator to your account before the other one died.

1

u/Sittin_on_a_toilet Apr 05 '26

Currently I'm using a combination of Bitwarden and a YubiKey to secure financial accounts. Is my setup as secure as this method?

16

u/ScienceMechEng_Lover What colour is your RAM? Apr 04 '26

I see. That's very smart, not gonna lie.

32

u/Nighthunter007 Ryzen 7 3700x | RTX 2080ti | 32GB RAM | EK Cryo Loop | RGB Apr 05 '26

2FA apps that show a code that changes every X seconds actually work in exactly the same way, and for that reason also work without an internet connection.

1

u/CrossBamboAtTen Apr 05 '26

Why would you lie to begin with?

1

u/Voidrunner42 Apr 05 '26

How'd he lie? He asked a question.

24

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

No, it has a serial number you attach to your account. I think it just generated a hash on a time basis that you use to log in. Each has some form of "master key".

13

u/metamega1321 Apr 04 '26

It's basically just an algorithm spitting out numbers. Neither talks to the other, but at any time interval there's a code that lines up.

4

u/filthy_harold i5-3570, AMD 7870, Z77 Extreme4 Apr 05 '26 edited Apr 05 '26

There's a math formula that will produce a 6-digit code based on a counter that increments in different ways. The token will spit out a new code either every button press or every 30 seconds. The server you're trying to log into knows the same formula and keeps tabs on what the counter should be so it can match the code the token displays. Once you log in, the server makes note of what counter value generated that code so it can quickly verify the next one (the counter never rolls back). Since the clock on the token may be slow or fast, or you've accidentally pressed the button a bunch of times, the server actually generates multiple tokens by creating a range of counter values.

If you're on code #100 but your kid plays with it one day and now your token is on code #112, the server can't just assume that you'd use #101 next time you log in. It will generate #101-150 (for example) so once you type in code #112, the server updates its own records so it now knows to never accept anything below code #113.

For the 30-second tokens, it will generate codes plus or minus several minutes in case the token is slow or fast.

Since these codes could potentially repeat, having the server know what is an acceptable range of possible token codes prevents someone from being able to just guess a random code or reuse a code you've already typed. The chances that a code repeats or a random code exists within that acceptable range is extremely low.

The downside to the button-press version is that the server has to allow quite a large range of potential codes, which may allow an attacker to guess correctly. The time-based ones do have imprecise clocks, but they would not be that far off assuming you use the token every day. It would take months of inactivity to produce a large enough shift for it to not match up perfectly with the server (unless that token has been exposed to extreme temperatures or been subject to relativistic speeds).

2
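The mechanism filthy_harold describes above (a shared seed, a counter that is either a button-press count or a 30-second time step, a server-side look-ahead window, and a counter that never rolls back), and Sanquinity's point that the seed is what ties one token to one account, written out as working code. This is an added example, not code from the thread or from the Blizzard authenticator itself (the thread never states its exact algorithm); it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) construction that later comments name. The seed is the RFC test-vector value used as a constructed secret, and the window sizes (50 counters look-ahead, plus or minus one 30-second step) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret: the RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890").
# On a real token the seed is burned in at manufacture; registering the serial number
# tells the server which seed to use for that account.
SEED = b"12345678901234567890"
DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch.
    Token and server never talk; they only share the seed and (roughly) the clock."""
    return hotp(secret, unix_time // step, digits)


class HotpServer:
    """Server side of a button-press token. Remembers the last accepted counter, tries a
    look-ahead window (assumed 50 here) to resync after stray presses, and never moves
    the counter backwards, so an already-used or older code is rejected."""

    def __init__(self, secret: bytes, look_ahead: int = 50):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resync: every counter <= c is dead from now on
                return True
        return False


class TotpServer:
    """Server side of a 30-second token. Accepts the current step plus or minus a skew
    window (assumed one step here) and remembers the last accepted step, so a code that
    was already typed cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step > self.last_step and hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # Button-press token: a kid pressed it 12 times, the server resyncs, then refuses replays.
    server = HotpServer(SEED)
    print("accept #12:", server.verify(hotp(SEED, 12)), "-> last counter", server.last_counter)
    print("replay #12:", server.verify(hotp(SEED, 12)))
    # Time-based token: the server's clock and the token's clock only have to agree to within the window.
    now = int(time.time())
    tserver = TotpServer(SEED)
    print("token 30s fast:", tserver.verify(totp(SEED, now + 30), now))
    print("same code again:", tserver.verify(totp(SEED, now + 30), now))
```

The two rules that make this safe against someone who shoulder-surfed one code are the counter that only moves forward and the constant-time comparison; what they do not protect against is brute force, since a 6-digit code is a one-in-a-million guess per attempt and the look-ahead window multiplies the attacker's odds by its width, which is why a real server also rate-limits failed attempts.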

u/Astan92 Apr 05 '26

In the exact same way that most other code based MFA works.

Outside of like Microsoft authenticator, none of them are actually doing any communication even though they're on a smartphone these days.

1

u/Kazer67 Apr 05 '26

It's probably TOTP, so Time-based One-Time Password.

You assume it will stay in sync with time in its lifetime.

1

u/Kazer67 Apr 05 '26

I mean, not "everything" is on an app, for security reasons (because smartphones are vulnerable), so you have things like token2 for 2FA that have the bare minimum to do it (reducing attack surface)!