Almost everyone here in the community has used Google Authenticator (GA) for their account verification. You might have even noticed when your mobile device is in offline mode GA works just fine. How does that happen? Even when your mobile device is not connected to the internet how does it verify the generated code in the first place. To know about it let’s start with the basics first.

What is Google Authenticator?

Google Authenticator (GA) is a two step verification services to provide an additional layer of security when signing in to a client application.

What are the two steps involved?

• The password of your account which you want to login.
• The GA code which is generated in real time on your mobile device.

A quick recap into the setup procedure of GA into your client account:

• To activate your GA security, your client account must have GA authentication feature build in.
• Click on the settings button of your client application account and click on enable GA option.
• On enabling GA, a QR code will be generated.
• Go to your Appstore from your mobile device, install the app Google Authenticator.
• Scan the QR-code using the GA app, a 6-digit code will be generated.
• Provide the code into your client account and click on finish.
• You setup is done and your client application is now synced with GA.

How does it work technically?

The GA implements the TIme based One Time Password (TOTP) and HMAC based One Time Password ( HOTP) algorithm. The three main characteristics of GA are:

• Shared Secret Key:

  Remember the QR code that was scanned when you need to setup your GA. That’s the private secret key which should not be shared with anyone. Then why is it Shared Secret Key? The key is shared with your mobile device and the server.

• Counter:

  The counter is nothing but the real time which is synced with the GA and your mobile device. It should be kept in mind that your mobile device time should always be in sync with GA (If you change your mobile device timings, make sure you sync it up with google) because the time generated by the phone is also generated in the server but they work independently and they never communicate with each other apart from when they are syncing up with each other ( Now you know why GA works just fine even in offline mode).

• The Signing Function:

  This is nothing but the black box of GA. The above two parameters are passed into it and the output is the 6-digit OTP. The function used is HMAC-SHA1. HMAC stands for Hash based Message Authentication Code and SHA-1 stands for Secure Hash Algorithm-1.

NOTE: The signing function implements TOTP algorithm. The key difference between HOTP and TOTP algorithm is that in HOTP the Counter is a random token whereas in TOPT the counter is the real time. So GA implements HOTP algorithm with the counter being the real time of the device.

How it works from a top level view:

• You finish your setup procedure of communicating your secret key to your mobile device.
• Your mobile device now has the secret key and the counter is the real time of your mobile. It generates the code using the two parameters.
• In the meantime, your server also does the same thing, that is uses the secret key and the counter which has to be same of that of your device and generates the code (This is not shown to you and is stored internally).
• Your client application asks you to provide the 6-digit code. You check your phone, write down the code to the client application and click on submit.
• On submit, the verification occurs, the code which is pasted is now verified with that which is stored in the server internally ( not shown to you). If the code matches you are allowed to login.

References:
https://en.wikipedia.org/wiki/Google_Authenticator
https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
https://security.stackexchange.com/questions/35157/how-does-google-authenticator-work

P.S:

If you liked my post, hit the upvote button. Want to ask any question, feel free to ask in the comment section. I will be adding other #howitworks blogs soon. Hit the follow button @debs to checkout my post. Thank you everyone for reading it.