How this Auth verification workflow works?

This workflow is called TOTP-based MFA (Time-based One-Time Password multi-factor authentication).

Here’s the flow behind what’s happening on that Microsoft sign-in screen.


High-Level Idea

You prove TWO things:

  1. Something you know
    → your password
  2. Something you have
    → your phone with the authenticator app

That second step is what this screen is verifying.


Step-by-Step Flow

1. You enter username + password

Example:

  • email
  • password

Microsoft validates them.

If correct:
→ it asks for MFA.


2. Authenticator app already shares a secret key

When you first set up:

  • Microsoft Authenticator
  • Google Authenticator

you scanned a QR code.

That QR code contains:

  • a hidden secret key.

Example conceptually:

SECRET = "ABCDXYZ123"

Both:

  • Microsoft server
  • your phone

now know this secret.


3. Phone generates rotating codes

The authenticator app does NOT contact Microsoft every time.

Instead:

  • it locally computes a code.

Using:

  • secret key
  • current time

Typically:

  • every 30 seconds
  • a new 6-digit code appears.

Example:

482193

then after 30 sec:

774201

4. You enter the code

You type:

482193

into the login page.


5. Microsoft independently computes expected code

Microsoft server:

  • uses same secret key
  • same current time

and computes:

Expected = 482193

If:

entered == expected

→ authentication succeeds.


Under the Hood

The algorithm is usually:

TOTP

(Time-based One-Time Password)

Built on:

  • HOTP
  • HMAC
  • SHA-1/SHA-256

Very common standard.


Simplified Formula

Conceptually:

\text{Code} = HMAC(\text{Secret},\text{CurrentTimeWindow})

Not exact implementation details, but close enough conceptually.


Why This Is Secure

Even if someone steals:

  • your password,

they still need:

  • your phone,
    OR
  • current rotating code.

And codes:

  • expire quickly,
  • cannot be reused.

Why Time Matters

Both:

  • server
  • phone

must have roughly synchronized clocks.

If phone time is wrong:

  • codes fail.

That’s why authenticator apps sometimes say:

  • “sync time”

Difference From Push Notification MFA

Sometimes Microsoft instead shows:

  • “Approve sign in?”
  • or number matching

That workflow is different.

In push MFA:

  • server contacts phone directly.

In TOTP:

  • phone generates code offline.

Why Authenticator Apps Work Offline

Because:

  • the code generation is mathematical,
  • not network-based.

So even in airplane mode:

  • the app can generate valid codes.

Why QR Code Setup Is Important

That QR code transfers the shared secret securely.

Example QR contains something like:

otpauth://totp/Microsoft:user@company.com?secret=ABCXYZ...

The app stores this secret locally.


Real-World Senior Engineering Angle

As a senior engineer, this is useful to understand because:

  • many enterprise systems use TOTP,
  • OAuth/OIDC flows often integrate MFA,
  • Azure AD / Entra ID commonly enforce this,
  • frontend apps must handle MFA redirects/challenges.

Especially relevant for your:

  • MSAL,
  • auth wrapper,
  • enterprise frontend experience.