Google Authenticator is a two-step authentication application that uses the Time-based One-time Password Algorithm (TOTP) and Google's HMAC-based One-time Password Algorithm (HOTP). The service implements the algorithms specified in RFC 6238 and RFC 4226. [3]
| Google Authenticator | |
|---|---|
| Type | |
| Developer | |
| Operating system | Android, iOS, BlackBerry OS |
| First release | September 20, 2010 [1] |
| Hardware platform | Mobile |
| Latest version | |
| License | Proprietary (previous versions were released under Apache License 2.0) |
| Website | |
Authenticator generates a 6- or 8-digit one-time password that the user must provide in addition to the username and password in order to log in to Google services or other services. Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Previous versions of the program were open source on GitHub, but recent releases are proprietary to Google. [4]
Usage Example
Typically, users first install the application on their mobile device. To log in to a site or use a service, the user enters a username and password, opens the Authenticator application and enters the generated one-time password in a dedicated field.
To make this possible, the site provides the user with a shared secret key, which must be saved in the Google Authenticator application. This secret key is used for all future logins to that site.
With two-step authentication, knowing the username and password alone is not enough to take over the account. An attacker must also know the secret key or have physical access to the device running Google Authenticator. An alternative is a man-in-the-middle (MITM) attack: if the user's computer is infected with a trojan, the username, password and one-time code can be intercepted and used to initiate the attacker's own login session on the site, or to monitor and alter information exchanged between the user and the site.
Implementations
Google Authenticator is provided on Android, [5] BlackBerry, and iOS. [6] Several third-party implementations are also available:
- Windows Phone 7.5 / 8 / 8.1 / 10: Microsoft Authenticator, [7] Virtual TokenFactor [8]
- Windows Mobile: Google Authenticator for Windows Mobile [9]
- Java CLI: Authenticator.jar [10]
- Java GUI: JAuth, [11] FXAuth [12]
- J2ME: gauthj2me, [13] lwuitgauthj2me, [14] Mobile-OTP (Chinese only), [15] totp-me [16]
- Palm OS: gauthj2me [17]
- Python: onetimepass [18]
- PHP: GoogleAuthenticator.php [19]
- Ruby: rotp, [20] twofu [21]
- Rails: active_model_otp [22] (third-party implementation)
- webOS: GAuth [23]
- Windows: gauth4win, [24] MOS Authenticator, [25] WinAuth [26]
- .NET: TwoStepsAuthenticator [27]
- HTML5: html5-google-authenticator [28]
- MeeGo / Harmattan (Nokia N9): GAuth [29]
- Sailfish OS: SGAuth, [30] SailOTP [31]
- Apache: Google Authenticator Apache Module [32]
- PAM: Google Pluggable Authentication Module, [33] oauth-pam [34]
- Backend: LinOTP (management backend implemented in Python)
- Chrome / Chrome OS: Authenticator [35]
- iOS: OTP Auth [36]
Technical Description
The service provider generates an 80-bit secret key for each user (although RFC 4226 § 4 requires a minimum of 128 bits and recommends 160 bits). [37] The key is provided as a 16-, 26- or 32-character base32-encoded string or as a QR code. Using the secret key, the client computes an HMAC-SHA1 over:
- the number of 30-second intervals since the beginning of the Unix epoch, for the TOTP variant
- a counter that increases with each new code, for the HOTP variant.
A 4-byte portion of the HMAC is then extracted (the position is chosen by the last nibble of the hash) and converted to a 6-digit code.
Pseudocode for Time-based OTP
```
function GoogleAuthenticatorCode(string secret)
    key := base32decode(secret)
    message := floor(current Unix time / 30), encoded on 8 bytes (big-endian)
    hash := HMAC-SHA1(key, message)
    offset := last nibble of hash
    truncatedHash := hash[offset..offset+3]      // 4 bytes starting at the offset
    set the first bit of truncatedHash to zero   // remove the most significant bit
    code := truncatedHash mod 1000000
    pad code with 0 until length of code is 6
    return code
```
Pseudocode for Event / Counter OTP
```
function GoogleAuthenticatorCode(string secret)
    key := base32decode(secret)
    message := counter encoded on 8 bytes (big-endian)
    hash := HMAC-SHA1(key, message)
    offset := last nibble of hash
    truncatedHash := hash[offset..offset+3]      // 4 bytes starting at the offset
    set the first bit of truncatedHash to zero   // remove the most significant bit
    code := truncatedHash mod 1000000
    pad code with 0 until length of code is 6
    return code
```
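The technical description and the two pseudocode listings above can be run as a single Python implementation. The following is an added example written for this article, not code from Google Authenticator or from any of the implementations listed; it uses only the standard library. It decodes an unpadded base32 secret as shown to the user, computes HOTP and TOTP with the dynamic truncation described above, and adds the server-side check a verifier needs: a small clock-skew window and a constant-time comparison of the submitted code. The secret strings and timestamps used in the comments are the published RFC 4226 / RFC 6238 test values plus one constructed 16-character secret; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_secret(secret: str) -> bytes:
    """Decode the base32 secret the site shows the user (QR code or 16/26/32-char string).

    Secrets are usually displayed without '=' padding and sometimes with spaces or
    lowercase letters; Python's b32decode needs proper padding, so it is added here.
    A 16-character secret decodes to 10 bytes, i.e. the 80-bit key the article mentions.
    """
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    message = struct.pack(">Q", counter)                  # counter encoded on 8 bytes
    digest = hmac.new(key, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # last nibble of the hash
    truncated = digest[offset:offset + 4]                 # 4 bytes starting at the offset
    number = int.from_bytes(truncated, "big") & 0x7FFFFFFF  # clear the most significant bit
    return str(number % (10 ** digits)).zfill(digits)     # mod 10^digits, pad with 0


def totp(key: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps on either side to tolerate clock skew
    between the phone and the server, and compares in constant time so that a
    mismatch does not leak where the first differing digit is.
    """
    if unix_time is None:
        unix_time = int(time.time())
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for delta in range(-window, window + 1):
        candidate = totp(key, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference key "12345678901234567890", shown here in the
    # base32 form a site would hand to the user.
    rfc_key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(rfc_key, 0))            # 755224 per RFC 4226
    print("TOTP at T=59, 8 digits:", totp(rfc_key, 59, digits=8))  # 94287082 per RFC 6238
    # Constructed 16-character secret, the 80-bit size the article describes.
    short_key = decode_secret("JBSWY3DPEHPK3PXP")
    print("key bits:", len(short_key) * 8, "current code:", totp(short_key))
```

Run directly, the script prints the RFC reference codes; in a service, only `verify_totp` (with the stored key and the submitted code) is needed on the login path, and the accepted window should stay small because each extra step multiplies the number of codes an attacker could guess in one attempt.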
Notes
- ↑ Google Is Making Your Account Vastly More Secure With Two-Step Authentication - TechCrunch. TechCrunch (September 20, 2010). Retrieved March 12, 2016.
- ↑ Release 1.02 - 2016.
- ↑ GitHub - google / google-authenticator: Open source version of Google Authenticator (except the Android app). GitHub, Google - "These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238."
- ↑ Willis, Nathan (January 22, 2014). "FreeOTP multi-factor authentication". LWN.net. Retrieved August 10, 2015.
- ↑ https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
- ↑ Google Authenticator. App Store
- ↑ Authenticator (April 4, 2013).
- ↑ Virtual TokenFactor (February 26, 2012).
- ↑ [APP Google Authenticator for Windows Mobile]. XDA Developers.
- ↑ http: // blog dot jamesdotcuff dot net (inaccessible link). Retrieved July 27, 2016. Archived August 1, 2014.
- ↑ mclamp / JAuth. GitHub
- ↑ kamenitxan / FXAuth. GitHub
- ↑ gauthj2me - Google Authentification in Java Mobile, j2me - Google Project Hosting.
- ↑ lwuitgauthj2me - Google Authenticator for J2ME phones - Google Project Hosting.
- ↑ chunlinyao / mobile-otp - Bitbucket.
- ↑ totp-me - TOTP for Java ME - Google authenticator.
- ↑ gauth.prc - gauthj2me - Google Authenticator for Palm OS (converted from java) - Google Authentification in Java Mobile, j2me - Google Project Hosting.
- ↑ tadeck / onetimepass. GitHub
- ↑ chregu / GoogleAuthenticator.php. GitHub
- ↑ rotp - RubyGems.org - your community gem host.
- ↑ ukazap / twofu. GitHub
- ↑ heapsource / active_model_otp. GitHub
- ↑ GAuth.
- ↑ gauth4win - Google Authenticator for windows - Google Project Hosting.
- ↑ MOS Authenticator Home.
- ↑ winauth - Windows Authenticator for Battle.net / World of Warcraft / Guild Wars 2 / Glyph / WildStar / Google / Bitcoin - Google Project Hosting.
- ↑ glacasa / TwoStepsAuthenticator. GitHub
- ↑ gbraad / html5-google-authenticator. GitHub
- ↑ Techtransit. Nokia Store: Download GAuth and many other games, wallpaper, ringtones and mobile apps on your Nokia phone.
- ↑ SGAuth.
- ↑ SailOTP.
- ↑ google-authenticator-apache-module - Apache Module for Two-Factor Authentication via Google Authenticator - Google Project Hosting.
- ↑ google-authenticator - Two-step verification - Google Project Hosting.
- ↑ oauth-pam - PAM for use with OAuth Websites - Google Project Hosting.
- ↑ Authenticator.
- ↑ OTP Auth. App Store
- ↑ RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm
Links
- Google Authenticator on Google Help
- Google Authenticator legacy source code on GitHub
- Google Authenticator implementation in Python on Stack Overflow