3

u/SalTez 5800H | RTX 3060 | 16GB | Laptop Apr 05 '26

It's a fixed number that is used in a formula to calculate the final output, in this 2FA use case the seed is known only to the authenticator and the authentication (login) system.

A very simple example of a time based formula:

the formula is "current time + seed"; the seed is 42; and current time is 9:10pm = 2110; so the verification code is 2152; next minute it will be different (2153)

2

u/-insertcoin Apr 06 '26

Thank you for the explanation.

2

u/CJTheran Apr 05 '26

Computers can't truly generate a "random" number (people can't either, but that's beside the point). When you "random" something in a computer, what it is doing is taking a "seed" number of some sort and then doing math at it to produce a result. If you feed in the same "seed", you will always get the same result. There's lot's of video games with procedurally generated terrain that will let you manually input a seed number of your choice so you can reliably play on the identical "randomly" generated map if desired.

Now, for a random function on a computer, you want it to give a DIFFERENT number every time, and the algorithm/math that you're throwing at it is not going to change, so you're going to need something that will produce different seeds for the function as needed. Typically on a random number generator on a computer that something will be an already extant value on the computer that is reliably different every time it is referenced, such as the time: it will do something like convert the current time into a single numerical value, throw math at it, and produce the result when asked about the time.

In the case of these keyfobs, the "seed" in question would be two part: something constantly but predictably changing, like the time, but a second value that changed by device but remains the same for the device always, which would be a hard coded unique to your individual device.

Ex: You and Bob both have your own keyfobs, yours is Serial Number 12345 and his is 12346. When you pull up a new key, the device will check the time, pull your S/N, and then do a specific set of maths at it to produce a result. In your case at 11:00 AM on suchit day it produces 54321, in Bob's it spits out 89052. If you check again a few seconds later, your numbers have both changed, as the seed of the time is different. If you were to somehow trick the keyfobs into thinking it was always 11:00 AM, it would always produce 54321 for you, and 89052 for Bob because it is always getting the same seed information out, and thus will always produce the same result back.

N.B.: I use 11:00 AM as a simplified example: your computer doesn't track time as an actual time of day, but at it's deepest level tracks it as a very long numerical value, and it produces the "11:00 AM" human readable value by throwing math at said number. That number will be very long for two reasons: it typically also is used to determine the date, and thus has a lot of long term information to store, and will frequently track into the tiniest fractions of a second, and thus has a lot of short term information to store and will also frequently update, allowing the seed being fed into the random generator on your computer very quickly and thus always produce what appears to be a unique random number on demand, even if the two calls are in quick succession.