How Google Authenticator works without the Internet?
You know when you play a game with a secret code? TOTP is like that, but for keeping our important things safe, like our online accounts. First, we have a special secret key. It’s like a magic password that only we know. It’s a special code that we keep really safe.
When we want to log in to our account, we use the secret key and the current time. You know how we have clocks to tell the time? Well, we use the time on our clock.We take the secret key and mix it with the current time using some special magic. This magic mixes them together and makes a special code just for us.
This special code changes every few seconds. It’s like a new secret code each time we want to log in. That’s why it’s called a one-time password. Then, we enter this special code into our account, and the account knows it’s really us because we have the right secret code at the right time.
It’s important to keep the secret key safe and not share it with anyone. That way, only we can generate the right one-time passwords and keep our accounts safe.
When you set up Google Authenticator for an account, such as a website or an app, a secret key is generated and shared between the service and your Authenticator app. This secret key is used to generate time-based one-time passwords (TOTPs).
TOTP is a widely used algorithm for generating one-time passwords that are valid for a short period of time. TOTP adds an extra layer of security to the authentication process by requiring the user to provide a unique password that changes periodically, typically every 30 seconds.
The private key used to generate one-time passwords (OTPs) is stored on the user’s device within the app itself. The private key is securely stored within the app’s data and is not accessible to other apps or users on the device.
When you set up Google Authenticator or a compatible authenticator app for an account, the app generates a secret key or QR code that contains the secret key. This secret key is used to derive the OTPs based on the current time.
Here’s a breakdown of the process:
- Secret Key Generation:
- During the initial setup, a secret key is generated on the server.
- The secret key is securely stored on the server and associated with the user’s account.
- A copy of the secret key is also provided to the user, typically in the form of a QR code or a manual key.
- Secret Key Storage:
- The user’s device (Authenticator app) securely stores the secret key provided during setup.
- The secret key is usually encrypted and stored within the app’s data.
- TOTP Generation:
- When authentication is required, the Authenticator app retrieves the stored secret key.
- The app combines the secret key with the current time to generate a TOTP.
- The combination typically involves a cryptographic function like HMAC-SHA1 or HMAC-SHA256.
- TOTP Verification:
- The server independently calculates the expected TOTP using the stored secret key and the current time.
- The server compares the expected TOTP with the one provided by the user.
- If the two match, the user is granted access.
The purpose of storing the secret key on both the server and the user’s device is to ensure that the TOTP generated by the user’s device matches the one generated by the server. By using the same secret key and current time, both the server and the Authenticator app can independently generate the same TOTP, validating the user’s identity.
The Time-Based One-Time Password (TOTP) algorithm relies on several fundamental variables to generate one-time passwords. These variables include:
- Secret Key: The secret key is a randomly generated, unique key that is shared between the authenticator app (user’s device) and the server. It is used as the main input for generating the one-time passwords. The secret key is securely stored on both the server and the authenticator app.
- Time Step: The time step is a fixed duration, typically 30 seconds, during which the one-time passwords remain valid. The time step ensures that the passwords change periodically, increasing security. The time step is synchronized between the server and the authenticator app.
- Current Time: The current time, often represented as the number of seconds elapsed since a defined epoch (e.g., Unix timestamp), is a critical input for generating the one-time passwords. The current time is divided by the time step to determine the time interval for which the one-time password will be valid. TOTP typically uses a time step of 30 seconds, which means that the generated one-time passwords are valid for a 30-second interval. To ensure successful authentication, the server and the client should have their clocks synchronized within this time step.
- Hash Function: A cryptographic hash function, such as HMAC-SHA1 or HMAC-SHA256, is used to combine the secret key and the current time to create a hash value. The hash function ensures that the generated one-time passwords are unique and unpredictable.
- Password Length: The length of the generated one-time passwords is another important variable. Commonly, TOTP generates 6-digit numerical passwords. However, some systems may use different lengths for the passwords.
By utilizing these fundamental variables, the TOTP algorithm generates one-time passwords that are time-dependent, unique, and valid for a specific duration. These passwords provide an additional layer of security during the authentication process by requiring users to provide the correct password within a short time window.
The algorithm used in an authenticator app like Google Authenticator follows the Time-Based One-Time Password Algorithm (TOTP). Here’s a simplified pseudocode representation of the TOTP algorithm:
function generateTOTP(secretKey, currentTime):
timeStep = 30 # Time step in seconds
timeStamp = floor(currentTime / timeStep)
hmacResult = HMAC-SHA1(secretKey, timeStamp) # Calculate HMAC-SHA1 using secret key and timestamp
offset = last 4 bits of hmacResult # Extract 4-byte offset from HMAC-SHA1 result
truncatedHash = 4 bytes starting at offset in hmacResult # Extract 4-byte hash from HMAC-SHA1 result
otp = truncatedHash mod 10^6 # Convert 4-byte hash to a 6-digit OTP
return otp
In this pseudocode, secretKey
represents the secret key associated with the account in the authenticator app. currentTime
is the current time in seconds since a defined epoch (e.g., Unix timestamp).
The algorithm divides the current time by a time step value (usually 30 seconds) to obtain the timeStamp
. Then, it calculates the HMAC-SHA1 using the secretKey
and timeStamp
. The HMAC-SHA1 function combines the secret key and timestamp to create a cryptographic hash.
The last 4 bits of the HMAC-SHA1 result are used as an offset to extract a 4-byte hash from the result. This hash is then truncated to a 6-digit one-time password (OTP) by taking the modulo (mod
) with 10^6
.
The generated OTP is typically displayed in the authenticator app and should match the OTP displayed on the server or service you are authenticating with. The actual implementation may include additional security measures, such as using a different hashing algorithm (e.g., HMAC-SHA256) or incorporating additional steps for key derivation or encoding.
The secret key is typically stored in an encrypted format on the device’s storage. The app ensures that the secret key is protected and not easily accessible to unauthorized users. It may use additional security measures like encryption, secure storage, or device-specific security features to safeguard the secret key.
The TOTP algorithm combines a secret key, known by both the authentication server and the user’s device, with the current time to generate the one-time password. The secret key is securely stored on the user’s device and the authentication server.
Google Authenticator follows an open standard for generating time-based one-time passwords (TOTPs) called the Time-Based One-Time Password Algorithm (TOTP algorithm). This standard ensures compatibility between different authenticator apps that implement the same algorithm.
Therefore, Google Authenticator is generally compatible with any authenticator app that supports the TOTP algorithm. This includes several popular authenticator apps available for various platforms. Some of these compatible apps include:
- Microsoft Authenticator: Developed by Microsoft, this app supports TOTP-based two-factor authentication and can be used for various online accounts.
- Authy: Authy is a widely used authenticator app that supports TOTP and offers additional features like cloud backup and multi-device synchronization.
- LastPass Authenticator: LastPass, a popular password manager, offers its own authenticator app that supports TOTP and can be used for 2FA.
- Duo Mobile: Duo Mobile is a comprehensive security app that provides multi-factor authentication options, including TOTP.
- 1Password: Known primarily as a password manager, 1Password also includes an authenticator feature compatible with TOTP-based accounts.
When setting up 2FA for your accounts, you can typically choose to use Google Authenticator or scan the QR code provided by the service using any TOTP-compatible authenticator app of your choice. The generated one-time passwords should be interchangeable between these apps, allowing you to use multiple authenticator apps or switch between them without issues.