Two-Factor Authentication (2FA) System with TOTP – Python
Overview
This project demonstrates a basic Two-Factor Authentication (2FA) system using Time-based One-Time Passwords (TOTP). It combines password authentication with a one-time code generated by an authenticator app (such as Google Authenticator), improving account security beyond passwords alone.
This project is intended for educational purposes and to showcase secure authentication concepts.
Project Objectives
The goals of this project are to:
Demonstrate how 2FA enhances authentication security
Teach the fundamentals of TOTP-based authentication
Show how authenticator apps integrate with backend systems
Practice secure authentication design in Python
Build hands-on skills relevant to cybersecurity and secure software development
How the System Works
A user has:
A username
A password
A shared secret key (a random base32 string known to both the server and the authenticator app)
A QR code is generated from the secret key (it encodes an otpauth:// provisioning URI carrying the secret, the account name and the issuer)
The user scans the QR code using Google Authenticator (or any TOTP app); from then on the app holds its own copy of the secret
During login:
The user enters their username and password
The system requests a 6-digit OTP
The OTP is validated using the TOTP algorithm (RFC 6238): the server derives the expected code from the shared secret and the current 30-second time step and compares it with what the user typed
Access is granted only if both factors are correct
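The flow above, carried out end to end with the Python standard library only, as an added example that is not the project's own code (the project uses pyotp for this): secret generation, the otpauth:// provisioning string that the QR code encodes, and RFC 6238 code generation and verification with a one-step clock-skew window and constant-time comparison. The names generate_secret, provisioning_uri, hotp, totp and verify_totp are this example's own; the optional QR rendering at the bottom uses the qrcode package the project already depends on and is skipped when it is not installed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh 160-bit shared secret, base32-encoded: the form authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """otpauth:// URI (Key Uri Format) that the QR code carries to the authenticator app."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps tolerate lowercase, spaces and missing '=' padding; so do we.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, for_time: float | None = None,
         period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period); wall clock by default."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(_decode_secret(secret_b32), t // period, digits)


def verify_totp(secret_b32: str, code: str, for_time: float | None = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side.

    Every candidate step is checked (no early exit) and each comparison is
    constant-time, so the check itself leaks nothing about which digits matched.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    key = _decode_secret(secret_b32)
    step = int(time.time() if for_time is None else for_time) // period
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(key, step + delta, digits), code)
    return matched


if __name__ == "__main__":
    # Enrolment: generate the secret, show what the QR code would contain, then verify.
    secret = generate_secret()
    uri = provisioning_uri(secret, account="moses", issuer="2FA Demo")
    print("Scan this as a QR code:", uri)
    try:  # optional: render the QR image with the qrcode package if it is installed
        import qrcode
        qrcode.make(uri).save("2fa_qr.png")
        print("QR image written to 2fa_qr.png")
    except ImportError:
        pass
    code = totp(secret)
    print("Current code:", code, "-> verify:", verify_totp(secret, code))
```

The window of one step is what keeps a phone whose clock drifts by a few seconds usable; widening it beyond one or two steps gives an attacker proportionally more valid codes per guess, so keep it small and pair it with attempt limiting.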
Features
Password-based authentication
Time-based One-Time Password (TOTP)
QR code generation for authenticator setup
OTP verification using the industry-standard TOTP algorithm (RFC 6238, HMAC-SHA1 by default)
Console-based and beginner-friendly implementation
Requirements
Python 3.x
Required libraries:
pyotp
qrcode
Install dependencies:
pip install pyotp "qrcode[pil]"
(The quotes keep shells such as zsh from treating the square brackets as a glob pattern.)
Usage
First-Time 2FA Setup
Uncomment the setup function in the code:
setup_2fa("moses")
Run the script:
python3 2fa_system.py
A QR code image will be generated. Scan it with Google Authenticator.
Login with 2FA
After setup, comment out the setup function again and run (if the setup function generates a fresh secret each time it runs, running it again replaces the secret the app already holds, and the earlier enrolment stops validating):
python3 2fa_system.py
You will be prompted for:
Username
Password
One-Time Password (OTP)
Security Notes
This project simulates a user database in code instead of using a real one
Passwords are stored in plaintext for learning purposes only
Real-world systems must use:
Password hashing (bcrypt, Argon2): never store or compare the raw password
Secure secret storage: the TOTP secret is as sensitive as a password, because anyone who reads it can generate valid codes
Encrypted databases
Rate limiting and logging: a 6-digit code has only one million possible values, so unlimited attempts make it brute-forceable; a code that has already been accepted within its time step should also be rejected (RFC 6238 recommends this to prevent replay)
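What the hashing and rate-limiting notes look like in code, as an added example that is not part of the project: PBKDF2-HMAC-SHA256 password hashing with a per-user salt (bcrypt and Argon2 need third-party packages; PBKDF2 ships with the standard library), a per-account lockout after repeated failures, and a login check that evaluates both factors before answering so that neither the timing nor the message reveals which factor was wrong. The OTP check is passed in as a callable (verify_otp) so the block stands alone; the User record, the in-memory user store and all function names are this example's own, and the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5              # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2 hash in a self-describing string: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a random password, verified against when the username is unknown, so a
# request for a non-existent user costs the same time as one for a real user
# (otherwise response time reveals which usernames exist).
_DUMMY_HASH = hash_password(os.urandom(16).hex())


@dataclass
class User:
    password_hash: str
    totp_secret: str
    failures: int = 0
    locked_until: float = 0.0


def login(users: Dict[str, User], username: str, password: str, otp: str,
          verify_otp: Callable[[str, str, float], bool],
          now: float | None = None) -> Tuple[bool, str]:
    """Two-factor login. Returns (granted, reason); the reason is for the server
    log only, the user should see one generic failure message for every case."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        verify_password(password, _DUMMY_HASH)   # equalise timing, then refuse
        return False, "unknown user"
    if now < user.locked_until:
        return False, "account locked"

    # Evaluate both factors unconditionally so neither timing nor the result
    # reveals whether the password or the OTP was the wrong one.
    password_ok = verify_password(password, user.password_hash)
    otp_ok = verify_otp(user.totp_secret, otp, now)
    if password_ok and otp_ok:
        user.failures = 0
        return True, "ok"

    user.failures += 1
    if user.failures >= MAX_FAILURES:
        user.locked_until = now + LOCKOUT_SECONDS
        user.failures = 0
        return False, "account locked"
    return False, "invalid credentials"


if __name__ == "__main__":
    # Demo store (constructed): in the real system the OTP callable would be a
    # TOTP verifier over the stored secret; a fixed code stands in for it here.
    store = {"moses": User(hash_password("correct horse"), "JBSWY3DPEHPK3PXP")}
    demo_otp = lambda secret, code, now: hmac.compare_digest(code, "123456")
    print(login(store, "moses", "correct horse", "123456", demo_otp))
    print(login(store, "moses", "correct horse", "000000", demo_otp))
    print(login(store, "nobody", "anything", "123456", demo_otp))
```

Logging the reason server-side while showing the user a single generic message is the point of returning it separately: the operator needs to see lockouts and bursts of "invalid credentials" to spot a brute-force attempt, while the attacker must not learn which factor to keep guessing.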
Ethical & Legal Notice
This project is designed strictly for:
Learning
Demonstration
Secure authentication education
It should not be used as-is in production systems.
Learning Outcomes
By working through this project, you will understand:
Two-Factor Authentication (2FA)
TOTP and OTP concepts
Authenticator app integration
QR-based provisioning
Secure authentication design principles
Possible Improvements
Future enhancements could include:
Password hashing
Multiple users
Backup codes
Account lockout mechanisms
Web-based interface (Flask/Django)
Logging and monitoring
Author
Moses Ameh
Aspiring Cybersecurity Analyst
Secure Authentication & Identity Management Enthusiast
Final Note
Passwords alone are no longer enough. This project highlights how 2FA significantly improves account security and reduces the risk of compromise when a password is guessed, phished or leaked.