How does 2FA work?

  • Baya generates an 80-bit secret key
  • This is transferred securely to the Authenticator app as a QR code (scanned using the Google Authenticator App)
  • Subsequently, when the user opens the Authenticator app, it calculates an HMAC-SHA1 hash value using this secret key. The message can be:

    the number of 30-second periods since the Unix epoch (TOTP); or

    a counter that is incremented with each new code (HOTP).

    (Google Authenticator uses a TOTP)

  • A portion of the HMAC is extracted and displayed to the user as a six-digit code.

  • Using the secret key, the Baya application also calculates a TOTP. (During authentication there is no communication between the server and the GA on the client)

  • Server checks for the match between the code entered by the user and the one generated on the server.
    If there is no match, then the user is prompted to reenter the code.

Possible causes of re-registration prompt

  • A mismatch between authenticator and server timing
  • The authenticator is used for multiple applications
  • Multiple devices are registered for authentication
  • Some disconnect with the email account due to Authenticator update or corruption due to some unknown reason


  • Case 1
    Try the Time Correction for codes: Sync now - from the settings menu and retry authentication
  • Case 2, 3 and 4
    Please re-register for 2FA and try again.