MFA Implementation in Python — ELI5

Imagine your house has a lock on the front door. You use a key to get in. But what if someone copies your key? They could walk right in.

So you add a second layer: after unlocking the door, you also have to do a secret knock — three taps, a pause, then two taps. Even if someone has your key, they can’t get in without knowing the knock.

That’s multi-factor authentication (MFA). It means you need two different kinds of proof to get in:

  1. Something you know — your password (the key)
  2. Something you have — your phone (the secret knock generator)

When you log into a website with MFA turned on, you type your password first. Then the site asks for a short number — usually six digits — that changes every 30 seconds. You open an app on your phone (like Google Authenticator), and it shows you that number. You type it in, and you’re in.

The clever part: your phone and the website agreed on a shared secret when you first set up MFA (that’s what the QR code scan was for). They both use the same math formula, combined with the current time, to generate the same number. They never need to talk to each other — they just independently arrive at the same code.

If a hacker steals your password, they’re stuck. They don’t have your phone, so they can’t get the code. Your account stays safe.

In Python, libraries like pyotp make it straightforward to generate and verify these time-based codes, adding that critical second layer of protection to any app.
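To show the "same formula plus the current time" idea from the paragraph on the shared secret, and what a library such as pyotp does under the hood, here is an added example (not code from the original post or from the pyotp project) that implements TOTP per RFC 6238 with only the Python standard library. It also includes the server-side checks a real login flow needs: a small clock-drift window, a constant-time comparison, and rejection of a code that has already been used. The secret `RFC_TEST_SECRET` is the published RFC 4226/6238 test-vector key, base32-encoded; everything else is a constructed illustration.

```python
# Added example: from-scratch TOTP (RFC 6238 / RFC 4226) with the standard library.
# pyotp.TOTP(secret).now() / .verify(code) implement the same algorithm.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # how long each code stays valid
DIGITS = 6          # length of the code shown on the phone

# Constructed test secret: the ASCII string "12345678901234567890" used by the
# RFC 4226 / RFC 6238 test vectors, base32-encoded the way authenticator apps expect.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Create the shared secret that would be embedded in the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step))


def matching_counter(secret_b32: str, candidate: str, at: Optional[float] = None,
                     window: int = 1, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the time-step counter that produced `candidate`, or None.
    Accepts `window` steps either side of now to tolerate small clock drift."""
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == DIGITS):
        return None
    now = time.time() if at is None else at
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret_b32, counter), candidate):
            return counter
    return None


class TotpVerifier:
    """Server-side state for one enrolled user: the secret plus the last accepted
    counter, so a code that was already used cannot be replayed within its window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window
        self.last_counter = -1  # highest time-step already accepted

    def verify(self, candidate: str, at: Optional[float] = None) -> bool:
        counter = matching_counter(self.secret_b32, candidate, at, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # The phone side and the server side derive the same code independently.
    secret = generate_secret()
    phone_code = totp(secret)
    server = TotpVerifier(secret)
    print("code:", phone_code, "accepted:", server.verify(phone_code))
    print("replayed:", server.verify(phone_code))  # second use is rejected
```

The `window` of one step is the usual compromise: it lets a phone whose clock is up to 30 seconds off still log in, while keeping the set of acceptable codes tiny. Tracking `last_counter` matters because a code stays valid for the whole window, so without it a code captured from the user could be submitted a second time. In a real service the secret and last counter would be stored per user, and login attempts should also be rate-limited, since a six-digit code offers only a million possibilities.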

The one thing to remember: MFA means needing both your password and a temporary code from your phone — so even a stolen password alone isn’t enough to break in.
