Diagrams

Setup authenticator app

@startuml

actor Alice #green

Alice->Wallet: Create Primary account
Wallet->Alice: Primary account public key

Alice->Wallet: Create Recovery account
Wallet->Alice: Recovery account public key

Alice->2FAServer: Get ARC-14 realm (/v1/Multisig/GetRealm)
2FAServer->Alice: Return realm (2FA#ARC14)

Alice->Wallet: Sign ARC-14 Tx with Primary account
Wallet->Alice: SendSigned Auth Tx

Alice->2FAServer: Request 2FA secret, auth with primary account, secondary account as param (/v1/Multisig/SetupAuthenticator)
2FAServer->Alice: Returns QR code
2FAServer->Alice: Returns error if previously stored

Alice->2FAServer: Confirm 2FA secret, auth with primary account, secondary account as param, pin as param (/v1/Multisig/ConfirmSetupAuthenticator)
2FAServer->Alice: Ok if stored correctly

@enduml

The person creates a primary account and a recovery account. It is recommended that the two accounts be created using different technologies, and that the recovery account be a cold-storage account.

In the first request, the person asks the 2FA server for the realm. The person signs the authentication transaction and uses it in all further communication with the 2FA server. The 2FA server now knows that the user holds the private key of the primary account.

To create the 2FA account, the user calls the SetupAuthenticator method with the recovery account as a parameter. The server responds with a QR code and a manual entry key.

For user friendliness, the user can call this method as many times as they want until they call ConfirmSetupAuthenticator. Once the server has stored the information that this primary account and recovery account are in use, it no longer shows the sensitive QR code.

The server uses a hash of its own secret together with the primary account and the secondary account as the seed for the 2FA account.
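The setup rules above can be sketched as follows. This is an added example, not the project's own code. Assumptions: HMAC-SHA256 stands in for the "hash", the labels `2fa-account-seed` and `totp-secret` and the derivation of the authenticator secret from the same inputs are hypothetical, confirmed pairs are kept in memory, and the primary account is passed as an argument instead of being taken from the ARC-14 auth transaction.

```python
import base64, hashlib, hmac, struct, time

SERVER_SECRET = b"constructed-demo-secret"  # constructed value; keep the real one in a KMS/HSM

def derive(label: bytes, primary: str, recovery: str) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(struct.pack(">H", len(p)) + p
                   for p in (label, primary.encode(), recovery.encode()))
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the algorithm authenticator apps implement."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TwoFactorServer:
    def __init__(self):
        self.confirmed = set()  # (primary, recovery) pairs whose setup is final

    def account_seed(self, primary: str, recovery: str) -> bytes:
        # 32-byte seed for the 2FA account; recomputed on demand, never stored
        return derive(b"2fa-account-seed", primary, recovery)

    def setup_authenticator(self, primary: str, recovery: str) -> str:
        # Repeatable until confirmation; afterwards the secret is never shown again
        if (primary, recovery) in self.confirmed:
            raise PermissionError("already set up; secret is not shown again")
        secret = derive(b"totp-secret", primary, recovery)[:20]
        return base64.b32encode(secret).decode()  # manual entry key / QR payload

    def confirm_setup_authenticator(self, primary, recovery, pin, now=None) -> bool:
        now = time.time() if now is None else now
        secret = derive(b"totp-secret", primary, recovery)[:20]
        # Accept the current and the previous time step to tolerate clock skew
        ok = any(hmac.compare_digest(totp(secret, now - d), pin) for d in (0, 30))
        if ok:
            self.confirmed.add((primary, recovery))
        return ok
```

Because both values are derived from the server secret and the account pair, the server only has to persist which pairs are confirmed; swapping the primary and recovery accounts yields an unrelated seed.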

Sign transaction with authenticator app

@startuml

actor Alice #green

Alice->Wallet: Sign msig tx with primary account
Wallet->Alice: Signed msig tx

Alice->2FAServer: Get ARC-14 realm (/v1/Multisig/GetRealm)
2FAServer->Alice: Return realm (2FA#ARC14)

Alice->Wallet: Sign ARC-14 Tx with Primary account
Wallet->Alice: SendSigned Auth Tx

Alice->2FAServer: Request to sign msig tx. Tx is in parameter, primary account is identified by auth tx, secondary account is parameter, pin is provided in parameter (/v1/Multisig/SignWithTwoFactorPINMsigTx)
2FAServer->Alice: Signed msig tx

Alice->Blockchain: Send msig tx

@enduml

Alice can sign a transaction only if she has access to the primary account's private key and to the 2FA device that provides the PIN.
