How this Auth verification workflow works?

This workflow is called TOTP-based MFA (Time-based One-Time Password multi-factor authentication).
Here’s the flow behind what’s happening on that Microsoft sign-in screen.
High-Level Idea
You prove TWO things:
- Something you know
→ your password - Something you have
→ your phone with the authenticator app
That second step is what this screen is verifying.
Step-by-Step Flow
1. You enter username + password
Example:
- password
Microsoft validates them.
If correct:
→ it asks for MFA.
2. Authenticator app already shares a secret key
When you first set up:
- Microsoft Authenticator
- Google Authenticator
you scanned a QR code.
That QR code contains:
- a hidden secret key.
Example conceptually:
SECRET = "ABCDXYZ123"Both:
- Microsoft server
- your phone
now know this secret.
3. Phone generates rotating codes
The authenticator app does NOT contact Microsoft every time.
Instead:
- it locally computes a code.
Using:
- secret key
- current time
Typically:
- every 30 seconds
- a new 6-digit code appears.
Example:
482193then after 30 sec:
7742014. You enter the code
You type:
482193into the login page.
5. Microsoft independently computes expected code
Microsoft server:
- uses same secret key
- same current time
and computes:
Expected = 482193If:
entered == expected→ authentication succeeds.
Under the Hood
The algorithm is usually:
TOTP
(Time-based One-Time Password)
Built on:
- HOTP
- HMAC
- SHA-1/SHA-256
Very common standard.
Simplified Formula
Conceptually:
\text{Code} = HMAC(\text{Secret},\text{CurrentTimeWindow})
Not exact implementation details, but close enough conceptually.
Why This Is Secure
Even if someone steals:
- your password,
they still need:
- your phone,
OR - current rotating code.
And codes:
- expire quickly,
- cannot be reused.
Why Time Matters
Both:
- server
- phone
must have roughly synchronized clocks.
If phone time is wrong:
- codes fail.
That’s why authenticator apps sometimes say:
- “sync time”
Difference From Push Notification MFA
Sometimes Microsoft instead shows:
- “Approve sign in?”
- or number matching
That workflow is different.
In push MFA:
- server contacts phone directly.
In TOTP:
- phone generates code offline.
Why Authenticator Apps Work Offline
Because:
- the code generation is mathematical,
- not network-based.
So even in airplane mode:
- the app can generate valid codes.
Why QR Code Setup Is Important
That QR code transfers the shared secret securely.
Example QR contains something like:
otpauth://totp/Microsoft:user@company.com?secret=ABCXYZ...The app stores this secret locally.
Real-World Senior Engineering Angle
As a senior engineer, this is useful to understand because:
- many enterprise systems use TOTP,
- OAuth/OIDC flows often integrate MFA,
- Azure AD / Entra ID commonly enforce this,
- frontend apps must handle MFA redirects/challenges.
Especially relevant for your:
- MSAL,
- auth wrapper,
- enterprise frontend experience.