How does Google Authenticator work?

Tags:
Authentication
Google
I'm pretty new to Google Authenticator, but I understand it's an alternative to SMS for 2-Step verification. The part I don't understand is how it is possible that it works without connectivity. How can the server and mobile phone sync together to know which code is valid? I would appreciate some help here.
Answer Wiki

Google Authenticator uses a TOTP (Time-based One-Time Password) algorithm. It's pretty simple. After an initial setup routine that generates or lets you input a shared secret, the app is ready to go. After this initial connection, no further connection to the server is required. The six-digit OTP is generated using a combination of the shared secret, the current time, and a signing function. Basically, as long as the time on your phone is accurate, the server is able to generate the same code your phone is generating. This changes every minute. When you actually use the OTP, it is compared with what the server says it should be, and if they match, you are authenticated.

If you really want to get into the details, you can read the IETF RFC 6238 which tells how it all works.
