How google authenticator works

2024 Apr 23

2FA has become an authentication standard for critical online services in the last few years. In this post, I briefly lay out how Google Authenticator works.

What is 2FA? Two-factor authentication is a form of multi-factor authentication in which the user has to establish identity via two different allowed methods, called authentication factors.
Authentication factors are classes of identity verification methods, such as a username/password (knowledge based), location, and biometrics.

Google Authenticator provides an authentication factor based on possession (of your phone, for example). It uses Time-based One-Time Passwords (TOTP). Here's how it works:

  1. Setup of the shared secret key: a shared secret key is established between the service and the Google Authenticator app. The service provides either a setup key or a QR code, which is scanned by the authenticator app. This sets up a shared secret key between the two parties.
  2. Code generation on the authenticator app: Google Authenticator uses this secret key along with a particular epoch start time to create a code. The code is valid for a fixed time interval.
  3. Verification on the service: when the user needs to access some resource in the service (or any other scenario where 2FA is needed), the user enters the code they see on the authenticator app. The service must have its clock nearly synchronized with the authenticator app, as it uses the same (or a close) epoch start time to generate the TOTP (recall that the service also holds the shared secret key). It then checks whether the code matches.
  4. Handling minor variations in time: the service also looks at the epochs near the current one (such as the previous and next) and matches the codes generated for them against what the user provided. This way, minor differences in system time between the authenticator app and the service, or user delays in entering the code, don't cause the authentication to fail.

Note that at verification time, the authenticator doesn't need to interact with the service. In fact, the authenticator doesn't even need to be online.