When you’re accessing services over the web – let’s pick Gmail as an example – a couple of things have to happen upfront:
Multi-Factor Authentication (MFA) is about using 2 or more of the approaches described above. Typically, you’d set up a username/password together with e.g. Google Authenticator (or another app). Of course, for the “What you have” approach you have more options, e.g. FIDO2, which I find much more convenient. But here we’re focusing on apps like Google Authenticator that use something called the TOTP algorithm.
We have to come up with an algorithm that will prove that the user has physical access to their smartphone running the app at the time they authenticate. How can we do that?
The 1st thing that comes to mind is: let’s embed a sort of secret – e.g. a password – in the app on the phone. Then, every time the user logs in, let’s ask the user to open the app and type the password that the app is showing.
For example, our app has the password $3cr3tP4$$ in it. When we are logging in, the server (Gmail) asks us to provide a username and password. We enter them. Then, as a 2nd step, the server asks us to type the password that the app is displaying into the web page. If we entered the correct username and password in the 1st step, and later we entered $3cr3tP4$$ – because this is what the app showed us – we’re successfully authenticated and, therefore, logged in.
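As an added example (not code from the post), the Python below puts the fixed app password described above next to the TOTP computation from RFC 6238 that Google Authenticator-style apps use: the static check accepts the same string forever, while the TOTP code is derived from the current 30-second window. The demo key is the ASCII key from the RFC 6238 test vectors; the drift window of one step either side is an assumption, not something the post specifies.

```python
import hmac
import hashlib
import struct

# Naive scheme from the text: a fixed secret baked into the app.
# Whoever observes it once (phishing page, screen, log line) can replay it indefinitely.
APP_STATIC_SECRET = "$3cr3tP4$$"


def verify_static(entered: str) -> bool:
    # Constant-time compare, but the value being compared never changes.
    return hmac.compare_digest(entered, APP_STATIC_SECRET)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, entered: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step plus `window` steps either side to absorb clock drift
    # (assumed policy; a server should also refuse to accept the same code twice).
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(entered, hotp(key, c, len(entered))):
            return True
    return False


# Constructed demo key: the 20-byte ASCII key used in the RFC 6238 test vectors.
DEMO_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(verify_static("$3cr3tP4$$"))  # True, today and in ten years
    print(totp(DEMO_KEY, 59))            # 287082 (RFC 6238 vector 94287082, last 6 digits)
    print(totp(DEMO_KEY, 59, digits=8))  # 94287082
```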