-1

When a human logs into a website with 2FA, the human reads the generated TOTP code from the google authenticator app on his phone and enters it onto the website which he is trying to login.

I am designing a backend integration between two systems via web API. I am not comfortable just to let the two systems hold on to the same encryption password. I want to involve something like 2FA in this process. Obviously there is no human involved in this process to read the code from the authenticator app. So what are the industry-standard/recommended approach?

Silly Dude
  • 558
  • 3
  • 9
  • 22

1 Answers1

1

If a password is something the server knows, then a certificate might be something the server has.

Consider protecting your web based API using TLS with mutual authentication where also the client (as the other server is acting as a client here) is authenticated via TLS. This way the password is only ever exchanged if both ends have first authenticated using their certificates.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • Thank you Esa! Do you have a link to some good instruction on how to implement TLS with mutual authentication"? If not that is fine I can google. Thanks again! – Silly Dude Apr 30 '21 at 00:20
  • Particularly, how to implement it in C#? – Silly Dude Apr 30 '21 at 00:28
  • I found this link which guides how to implement client certificate checking in .NET: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api – Silly Dude Apr 30 '21 at 01:07