Module 9 · Protocols, Security, Observability · Day 084 · 25 min

Authentication: Passwords and MFA

Hash with a slow function; add a second factor.


Diagram (auth pipeline): User (client) → Password (KDF) service → MFA service → Session datastore.
Memory hook

Authentication: Passwords and MFA: hash with a slow function

Mental model

design for the day something breaks

Design lens

MFA increases friction — adopt risk-based prompts.

Recall anchors
Passwords · MFA · Recovery

Why it matters

Authenticate users with strong password hashing (slow KDF), and add a second factor wherever risk warrants. Weak recovery flows undo strong front-door auth.

Deep dive

Argon2id is the modern default. Bcrypt remains acceptable.

TOTP is broadly supported; WebAuthn (passkeys) is phishing-resistant and growing fast.

Recovery: device backup codes, secondary email; avoid security questions.

Demo / scenario

Add MFA to an existing app.

  1. Allow TOTP enrollment.
  2. Encourage WebAuthn for high-risk accounts.
  3. Backup codes for recovery.
  4. Force MFA challenge on new device/risk events.

Tradeoffs

  • MFA increases friction — adopt risk-based prompts.
  • Recovery channels are the new attack surface.
  • Passkeys remove passwords entirely — strong long-term direction.

Diagram (auth pipeline): User → Password (KDF) → MFA → Session.
