How Google Authenticator Works

Google Authenticator is a mobile app I use for two-step verification — a method that’s being increasingly adopted by services (banking, e-mail, etc.) in order to make access more secure. It is the combination of not only something you know (password) but also something you have (phone) that allows you to login. I was curious as to how this all works, especially when the app isn’t connected to the internet for whatever reason. This is where it gets technical:

Google Authenticator supports both the HMAC-based One Time Password (HOTP) and Time-based One Time Password (TOTP) algorithms for generating one-time passwords.

With HOTP, the server and client share a secret value and a counter, which are used to compute a one time password independently on both sides. Whenever a password is generated and used, the counter is incremented on both sides, allowing the server and client to remain in sync.

TOTP essentially uses the same algorithm as HOTP with one major difference. The counter used in TOTP is replaced by the current time. The client and server remain in sync as long as the system times remain the same. This can be done by using the Network Time protocol.

The secret key (as well as the counter in the case of HOTP) has to be communicated to both the server and the client at some point in time. In the case of Google Authenticator, this is done in the form of a QRCode encoded URI. See: KeyUriFormat for more information.

(Source: StackExchange)

There you have it. And if you’d prefer not to use the app, there should always be the option to receive the one-time password via a text message instead.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s