Google Authenticator is a software token that implements a two-step verification service using Time Over Time (TOTP) and HMAC One HMAC (HOTP) One Time Password Algorithms to authenticate users of mobile apps by Google. This service implements the algorithms specified in RFC 6238 and RFC 4226, respectively.
Authenticator provides a one-time password up to six digits that users should give users in addition to their usernames and passwords to sign in to Google services or other sites. Authenticator can also generate code for third-party applications, such as password managers or file hosting services. Previous versions of the software were sourced open but the next release was proprietary.
Video Google Authenticator
Common use case
Usually, the user installs the Authenticator app on the smartphone. To log in to sites or services that use two-factor authentication, users provide usernames and passwords to the site and run the Authenticator app. This app displays a one-time additional six-digit password. The same password is created independently by the site, which asks the user for it. The user enters it, thus authenticating the user's identity.
For this to work, setup operations must be performed in advance: the site provides a shared secret key to the user over a secure channel, to be stored in the Authenticator app. This secret key will be used for all future login to the site.
With this two-factor authentication, only the knowledge of usernames and passwords is not enough to break into user accounts. Attackers also require knowledge of shared secret keys or physical access to devices running Authenticator applications. An alternative route of attack is a man-in-the-middle attack: if the computer used for the login process is compromised by the trojan, then the username, password and one-time password can be caught by the trojan, which can then start its own login session to the site or monitor and modify communications between users and sites.
Maps Google Authenticator
Implementations
Google provides Android Authenticator version of Android, BlackBerry and iOS. Some third-party implementations are available.
- PrivacyIDEA Authentication System.
Technical description
Service providers generate 80-bit secret keys for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits). This is provided as a base32 string of 16, 26 or 32 characters or as a QR code. Client creates HMAC-SHA1 using this secret key. Messages that HMAC-ed can:
- the number of 30-second periods have elapsed since the Unix era (TOTP); or
- counters incremented with each new code (HOTP).
Most HMACs are extracted and converted to a six-digit code.
Pseudocode for one time password (OTP)
Open source status on Android
Starting September 16, 2017, the Google Authenticator app available in the Google Android app market is proprietary. Google has created previous sources for their Authenticator apps available in its GitHub repository. The project development page states:
"This open source project allows you to download code that empowers version 2.21 of the app. The next version contains Google-specific workflows that are not part of the project."
An independent fork version of Android from software called FreeOTP has been created, based on the latest version of open source code provided by Google, before moving to GitHub. A less popular fork named OTP Authenticator is also available on Google Play.
References
External links
- Google Authenticator in Google Help
- Google Authenticator (Android) and Google Authenticator (other) legacy source code in GitHub
- The source code of the Google Authenticator PAM module in GitHub
- Google Authenticator implementation with Python on Stack Overflow
- Authenticator on F-Droid
- Django-MFA Implementation Using Google Authenticator - Django-mfa is a simple package to add an extra layer of security to your Django web app. This gives the web app a random change of password as extra protection.
Source of the article : Wikipedia
0 Comments