Multi-Factor Authentication: Backup Code Generation

Introduction

Welcome back! In the previous lesson, we laid the groundwork for understanding Multi-Factor Authentication (MFA) and its role in enhancing security. Today, we'll focus on a critical component of MFA: backup codes. These codes act as a safety net when primary authentication methods are unavailable. By the end of this lesson, you'll learn how to generate secure backup codes, understand potential vulnerabilities, and implement them securely in a FastAPI application. Let's get started!

Understanding Backup Codes

Backup codes are a set of one-time-use codes that serve as an alternative authentication method when users cannot access their primary MFA device. Imagine losing your phone or being in a location with no internet access; backup codes ensure you can still access your account. They help maintain access while minimizing — but not eliminating — security trade-offs, as backup codes are static and can be copied if not properly protected.

Generating Secure Backup Codes

To generate secure backup codes, we must follow best practices to ensure they are both unique and random. This involves creating codes that are difficult to guess and limiting their usage to prevent unauthorized access.

In this code snippet, we define a method to generate a specified number of backup codes. We use a set to ensure each code is unique. The secrets module provides cryptographically strong random strings, which are then converted to uppercase for consistency. The method returns a list of these unique codes. Now, let's implement backup code generation in a FastAPI application. We'll walk through the process step by step.

Step 1: Define a Route to Set Up MFA

In this step, we define a route to set up MFA. We first check for a valid username to ensure the request is legitimate.

Step 2: Generate Secret and Auth URL

Here, we generate a secret and an OTP auth URL for the user. This information is crucial for setting up MFA with an authenticator app.

Step 3: Generate QR Code

We generate a QR code from the OTP auth URL, which the user can scan with their authenticator app to complete the MFA setup.

Step 4: Generate Backup Codes

Backup codes are generated using the method we discussed earlier. These codes provide an alternative authentication method if the primary method is unavailable.

Step 5: Store the Secret and Backup Codes

In this example, we store the user's secret and backup codes in simple Python dictionaries for demonstration purposes. Important: In a production application, these sensitive values must be persisted in a database with proper encryption. The secret should be encrypted before storage, and backup codes should be hashed (similar to how passwords are hashed) before being saved. This ensures that even if your database is compromised, the attacker cannot directly use these values. Additionally, using a database ensures the codes persist across application restarts, which is essential for real-world usage.

Step 6: Return the QR Code URL and Backup Codes

Finally, we return the QR code URL and backup codes to the user, allowing them to complete the MFA setup.

Important Security Note: Backup codes should be displayed to the user only once during the setup process. After the initial setup, these codes should never be retrievable in plain text. If a user loses their backup codes, the only secure option is to generate and replace them with a fresh set. This prevents potential security risks where an attacker could repeatedly request to view backup codes. Treat backup codes with the same level of security as passwords — display them once, then store them securely in a hashed format.

What Happens When All Backup Codes Are Used or Expired?

Backup codes are designed to be used only once. Each time a backup code is used, it is invalidated and cannot be used again. If a user uses all of their backup codes, or if the codes are expired (for example, if you implement an expiration policy), the user will no longer be able to use backup codes for authentication. In this situation, the user must generate a new set of backup codes. This typically involves going through the MFA setup process again or using an account recovery process provided by your application. It's important to inform users when they are running low on backup codes and provide a secure way to regenerate them.

Securing and Validating Backup Codes

To protect against potential vulnerabilities, it's crucial to implement defensive strategies. Let's explore how to secure backup codes effectively.

We verify the provided token against both the TOTP and backup codes. If a backup code is used, it is immediately invalidated to prevent reuse.

Ensure backup codes are stored securely, such as in a database with encryption. Regularly audit and update your code to address any potential vulnerabilities.

Conclusion and Next Steps

In this lesson, we explored the importance of backup codes in MFA, learned how to generate them securely, and implemented them in a FastAPI application. We also examined potential vulnerabilities and strategies to mitigate them. As you move on to the practice exercises, remember the key points discussed today. In the upcoming lessons, we'll continue to explore other MFA methods and integrations. Keep up the great work!

Previous Lesson

Next Lesson: Multi-Factor Authentication Integration

Join the 1M+ learners on CodeSignal

Be a part of our community of 1M+ users who develop and demonstrate their skills on CodeSignal