8 Matching Annotations
  1. Apr 2026
    1. How do 2FA codes work?
      • Core Concept: 2FA adds a second layer of security by requiring something the user knows (password) and something they possess (a device generating codes).
      • Offline Functionality: The most interesting technical aspect is that 2FA applications (like Google Authenticator or Aegis) work entirely offline after an initial secret key exchange.
      • HOTP (HMAC-based One-Time Password):
        • Relies on a Secret Key (K) known by both the server and the client.
        • Uses a Counter (C) that increments every time a new code is generated.
        • The code is generated using an HMAC function (typically with SHA-1) and a process called Dynamic Truncation (DT) to turn a large hash into a readable 6-digit number.
      • TOTP (Time-based One-Time Password):
        • This is the standard for most modern apps. It is essentially HOTP, but replaces the manual counter with the current time (T).
        • Time is measured in steps (usually 30 seconds), allowing the server and phone to stay synchronized without communicating.
      • Security Considerations:
        • Secret Key: If the secret key (often shared via QR code) is intercepted, an attacker can generate codes indefinitely.
        • Algorithm Integrity: Standard 2FA relies on SHA-1, which, while technically "broken" for some cryptographic uses, remains secure for the short-lived, 6-digit nature of OTPs.
      • Implementation Steps: For a programmer, implementing 2FA involves:
        1. Generating and storing a unique secret key for a user.
        2. Displaying it as a QR code (Base32 encoded).
        3. Verifying the user-entered 6-digit code by running the same HOTP/TOTP algorithm on the server side.
  2. Apr 2024
    1. Finally, EL PASSO supports multi-device scenarios. It enables users to easily register new devices (e.g., laptop, phone, tablet) and supports easy identity recovery in case of the theft of one device. It natively supports 2FA: An RP may request and assess that users connect from two different devices in order to sign on their services (multi-device support).
  3. Mar 2024
  4. Aug 2022
  5. May 2021
  6. Jan 2021
    1. TAP-AND-GO - Just tap YubiKey 5 NFC to NFC-enabled Android, Windows 10 and iOS devices and applications | YubiKey 5 NFC also slips into any standard USB-A port
       DURABLE - Fiberglass reinforced bodies and military-grade hardened gold protect YubiKey from everyday life | YubiKey 5 NFC features water and crush resistance
       PORTABLE - Fit YubiKey on a keyring and carry without any worry
       WORKS - YubiKey 5 Series Works with the most web services
    1. The Yubico Developer Program provides resources for organizations implementing strong authentication. We offer free workshops, documentation, implementation guides, APIs and SDKs. Join our mailing list to get early access to resources for implementing the FIDO2, WebAuthn specification.