Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and the HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of software applications.
When logging into a site supporting Authenticator (including Google services) or using Authenticator-supporting third-party applications such as password managers or file hosting services, Authenticator generates a six- to eight-digit one-time password which users must enter in addition to their usual login details.
Google provides Android, BlackBerry, and iOS versions of Authenticator.
An official open-source fork of the Android app is available on GitHub.
However, this fork has not been updated since 2020. Likewise, for old versions of the Google Authenticator apps for iOS and BlackBerry, the source code is also freely available. Yet this source code, too, has not been updated in years.
Current releases of the software are proprietary freeware. [Willis, Nathan (22 January 2014). "FreeOTP multi-factor authentication". LWN.net. Retrieved 10 August 2015.]
Typical use case
To use Authenticator, the app is first installed on a smartphone. It must be set up for each site with which it is to be used: the site provides a shared secret key to the user over a secure channel, to be stored in the Authenticator app. This secret key will be used for all future logins to the site.
To log into a site or service that uses two-factor authentication and supports Authenticator, the user provides a username and password to the site. The site then computes (but does not display) the required six-digit one-time password and asks the user to enter it. The user runs the Authenticator app, which independently computes and displays the same password, which the user types in, authenticating their identity.
With this kind of two-factor authentication, mere knowledge of username and password is insufficient to break into a user's account; the attacker also needs knowledge of the shared secret key, or physical access to the device running the Authenticator app. An alternative route of attack is a man-in-the-middle attack: if the computer used for the login process is compromised by a trojan, then username, password, and the one-time password can be captured by the trojan, which then can initiate its own login session to the site, or monitor and modify the communication between the user and the site.
Technical description
During setup, the service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits). This is transferred to the Authenticator app as a 16, 26 or 32 character base32 string, or as a QR code.
Subsequently, when the user opens the Authenticator app, it calculates an HMAC-SHA1 hash value using this secret key. The message can be:
* the number of 30-second periods since the Unix epoch (TOTP); or
* a counter that is incremented with each new code (HOTP).
A portion of the HMAC is extracted and displayed to the user as a six-digit code.
Source code license
The Google Authenticator app for Android was originally open source, but later became proprietary. Google made earlier source for their Authenticator app available on its GitHub repository; the associated development page stated:
"This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."
The latest open-source release was in 2020.
Following Google Authenticator ceasing to be open source, a free-software clone was created, predominantly a fresh rewrite but including some code from the original. The currently-maintained fork of this clone is called FreeOTP+.
See also
* Multi-factor authentication
* HMAC-based one-time password
* FreeOTP
* LinOTP
References
External links
* Google Authenticator on Google Help
* Google Authenticator (Android) and Google Authenticator (other) legacy source code on GitHub
* Google Authenticator PAM module source code on GitHub
* Google Authenticator implementation in Python on Stack Overflow
* Authenticator on F-Droid
* Django-MFA Implementation Using Google Authenticator: Django-MFA is a simple package to add an extra layer of security to your Django web application. It gives your web app a randomly changing password as extra protection.
* Source code of version 1.02 on GitHub