How does Google Authenticator work?

  • Google Authenticator is an alternative to SMS for 2Step verification, installing an app on Android where the codes will be sent.

    It works without any connectivity; it even works on plane mode. This is what I don't get. How is it possible that it works without connectivity? How do the mobile phone and the server sync to know which code is valid at that very moment?

    The codes are not "sent". They are made via a seed and counter.

  • user10211

    user10211 Correct answer

    8 years ago

    Google Authenticator supports both the HOTP and TOTP algorithms for generating one-time passwords.

    With HOTP, the server and client share a secret value and a counter, which are used to compute a one time password independently on both sides. Whenever a password is generated and used, the counter is incremented on both sides, allowing the server and client to remain in sync.

    TOTP essentially uses the same algorithm as HOTP with one major difference. The counter used in TOTP is replaced by the current time. The client and server remain in sync as long as the system times remain the same. This can be done by using the Network Time protocol.

    The secret key (as well as the counter in the case of HOTP) has to be communicated to both the server and the client at some point in time. In the case of Google Authenticator, this is done in the form of a QRCode encoded URI. See: KeyUriFormat for more information.

    In the case of HOTP, how does Google Authenticator know that I have "used" the password without syncing with the server? What Google Authenticator does is that it continues to flash different keys and I can just use any one them without giving feedback to my mobile.

    @MarioAwad The answer to that can be found on the HOTP RFC, section 7.4.

    Thank you for the well defined answer and followup. Quick summary of section 7.4: Resynchronization of the Counter every now and then and a look-ahead window for the counter is what makes things work without requiring instant-sync.

    As @TerryChia pointed out, the secret key is in the QR code. Be aware of the sensitivity of the QRCode/Information. I wrote a blog post a while ago

    @cornelinux You're right about TOTP, but surely with HOTP a second device would need to know how many times the other device has connected to work.

    @Auspex you are right. The counter could vary between two authenticator apps with the same seed. But on the other hand, I would simply "guess" the counter while after while. According to the RFC the auth server should have a count window. So I would simply increase the counter by - lets say - 9 and try to login one or two times per day. After a few days I would most probably hit a matching OTP value.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM