Skip to content

karimow0/3_factor_auth_system

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

# Triple Factor Authentication for Social Media

I built this project for my system security course to see how multi-factor authentication works under the hood. The goal was to make a secure, from-scratch login system that needs 3 different pieces of evidence before letting a user inside. 

Instead of relying on big external authentication providers, I wanted to handle the cryptography, the data pipelines, and the database myself to understand how it all connects.

## How It Works

The system is broken down into 3 different authentication layers, followed by a secure token:

* **Factor 1 (What you know):** Standard username and password login. I used `bcrypt` to salt and hash all passwords before they touch the database. This stops hackers from reading raw passwords if they steal the database, and it protects against dictionary attacks because bcrypt is intentionally slow.
* **Factor 2 (What you have):** Time-based One-Time Password (TOTP). I used `pyotp` to generate a secure secret key for each user. The frontend turns this key into a QR code so the user can scan it with Google Authenticator. The server and the phone independently verify the 6-digit code without needing an internet connection between them.
* **Factor 3 (What you are):** Biometric face verification. I built a data pipeline that captures a live webcam frame on the frontend using HTML5 canvas, encodes it into a Base64 text string, and sends it to the backend inside a standard form submission. 
* **Session Management (JWT):** The server decodes this Base64 data back into a binary image, changes it into a NumPy array, and reads it using OpenCV. Then, it uses the `DeepFace` library (with the `VGG-Face` model) to compare the live face with the master photo from registration. If they match, the server gives the user a JSON Web Token (JWT) that lasts for 30 minutes to keep them logged into the dashboard securely.

## Database Design

The system uses a MySQL database with a table called `users`. It stores:
* `username`: To identify the account.
* `password_hash`: The safely hashed password string.
* `mfa_secret`: The shared secret for the 6-digit phone codes.
* `face_img_path`: The folder path where the user's registration image is stored on the server disk (we don't store raw images directly in the database to keep it fast).

## Project Setup

1. **Database:** Open your MySQL terminal or workbench and run the code inside `database.sql` to set up the database and tables.
2. **Environment Variables:** Create a file named `.env` in the main directory and add your local setup details:
   ```env
   DB_HOST=localhost
   DB_USER=your_mysql_user
   DB_PASSWORD=your_mysql_password
   DB_NAME=auth_users
   FLASK_SECRET_KEY=make_up_a_random_secret_string
   JWT_SECRET_KEY=make_up_another_secret_string

3. Insall Libraries: 
pip install -r requirements.txt
4. Run the Project: 
python app.py

About

A Triple Factor Authentication login system for a social media simulator. Built from scratch to show how OTP, cryptotools, and JWT work together to protect user accounts.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors