karimow0/3_factor_auth_system
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
Repository files navigation
# Triple Factor Authentication for Social Media I built this project for my system security course to see how multi-factor authentication works under the hood. The goal was to make a secure, from-scratch login system that needs 3 different pieces of evidence before letting a user inside. Instead of relying on big external authentication providers, I wanted to handle the cryptography, the data pipelines, and the database myself to understand how it all connects. ## How It Works The system is broken down into 3 different authentication layers, followed by a secure token: * **Factor 1 (What you know):** Standard username and password login. I used `bcrypt` to salt and hash all passwords before they touch the database. This stops hackers from reading raw passwords if they steal the database, and it protects against dictionary attacks because bcrypt is intentionally slow. * **Factor 2 (What you have):** Time-based One-Time Password (TOTP). I used `pyotp` to generate a secure secret key for each user. The frontend turns this key into a QR code so the user can scan it with Google Authenticator. The server and the phone independently verify the 6-digit code without needing an internet connection between them. * **Factor 3 (What you are):** Biometric face verification. I built a data pipeline that captures a live webcam frame on the frontend using HTML5 canvas, encodes it into a Base64 text string, and sends it to the backend inside a standard form submission. * **Session Management (JWT):** The server decodes this Base64 data back into a binary image, changes it into a NumPy array, and reads it using OpenCV. Then, it uses the `DeepFace` library (with the `VGG-Face` model) to compare the live face with the master photo from registration. If they match, the server gives the user a JSON Web Token (JWT) that lasts for 30 minutes to keep them logged into the dashboard securely. ## Database Design The system uses a MySQL database with a table called `users`. It stores: * `username`: To identify the account. * `password_hash`: The safely hashed password string. * `mfa_secret`: The shared secret for the 6-digit phone codes. * `face_img_path`: The folder path where the user's registration image is stored on the server disk (we don't store raw images directly in the database to keep it fast). ## Project Setup 1. **Database:** Open your MySQL terminal or workbench and run the code inside `database.sql` to set up the database and tables. 2. **Environment Variables:** Create a file named `.env` in the main directory and add your local setup details: ```env DB_HOST=localhost DB_USER=your_mysql_user DB_PASSWORD=your_mysql_password DB_NAME=auth_users FLASK_SECRET_KEY=make_up_a_random_secret_string JWT_SECRET_KEY=make_up_another_secret_string 3. Insall Libraries: pip install -r requirements.txt 4. Run the Project: python app.py