How google authenticator works
2024 Apr 23
2FA has become an authentication standard for critical online
services in the last few years. In this post, I briefly lay out how
Google Authenticator works.
What is 2FA? – Two-factor authentication is a form of multi-factor
authentication, in which the user has to establish identity via 2
different allowed methods called authentication
factors.
Authentication factors are classes of identity verification methods.
They include username/password (knowledge based), location, and
biometrics.
Google Authenticator provides an authentication factor based on
possession (of your phone, for example). It uses Time-based One-time
Password (TOTP). Here's how it works:
- Setup shared private key: A shared private key is
established between the service and the Google Authenticator app. The
service provides either a setup key or a QR code, which is scanned by
the authenticator app. This sets up a shared private key between the two
parties.
- Code generation on authenticator app: The Google
Authenticator app uses this private key along with a particular epoch start
time to create a code. This code has a time interval during which it is
valid.
- Verification on service: When the user needs to access some
resource in the service (or in any other scenario where 2FA is needed),
the user enters the code they see on the authenticator app. The service
must have its time nearly synchronized with the authenticator app, as it
uses the same (or close) epoch start time to generate the TOTP (recall
that the service also holds the shared private key). It then checks
whether the code matches.
- Handling minor variations in time: The service also
looks at epochs near the current one (such as the previous and next) and
matches the codes thus generated against what the user provided. This way,
minor variations in system time between the authenticator app and the
service, or user delays in entering the code, don't cause the
authentication to fail.
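The four steps above, worked through in code. This is an added example written for this post, not code from Google Authenticator or from the original article: it implements TOTP as specified in RFC 6238 (HMAC-SHA1, 30-second time step, epoch start 0, 6 digits, which is what Google Authenticator uses by default), decodes a base32 setup key the way the app does, and verifies a code on the service side with a plus/minus one step window. The secret and timestamps below are the published RFC 6238 test vectors, not a real user's key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # length of one time step (epoch) in seconds
EPOCH_START = 0     # T0 from RFC 6238; Google Authenticator uses the Unix epoch
DIGITS = 6          # Google Authenticator shows 6-digit codes


def secret_from_setup_key(setup_key: str) -> bytes:
    """Step 1: turn the base32 setup key the service displays (or embeds in the
    QR code) into the raw shared secret. Spaces and lowercase are tolerated,
    and missing '=' padding is restored, since apps are lenient about both."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to the wanted digit count."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS, t0: int = EPOCH_START) -> int:
    """Which epoch (counter value) a given Unix time falls into."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Step 2: the authenticator app needs only the secret and its own clock.
    No network access is involved."""
    return hotp(secret, time_step(unix_time), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Steps 3 and 4: the service recomputes the code for the current epoch and
    for `window` epochs on either side, and accepts if any matches. The
    comparison is constant time so a mismatch leaks nothing about the digits."""
    current = time_step(unix_time)
    for delta in range(-window, window + 1):
        expected = hotp(secret, current + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret (ASCII "12345678901234567890").
    demo_secret = secret_from_setup_key("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("app shows:", code)
    print("service accepts:", verify_totp(demo_secret, code, now))
```

Two points the window loop makes concrete: widening `window` trades tolerance for clock drift against the number of codes a guess can collide with, so one step on either side (90 seconds of acceptance) is the usual choice; and because a code stays valid for the whole window, a service should also remember the last accepted time step per user and refuse to accept the same step twice, which RFC 6238 recommends and which the loop above deliberately leaves to the caller's storage layer.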
Note that at verification time, the authenticator doesn't need to
interact with the service. In fact, the authenticator doesn't even need
to be online.