Google Authenticator
| | |
|---|---|
| Initial release | September 20, 2010[1] |
| Repository | github |
| Operating system | Android, iOS, BlackBerry OS, Wear OS |
| Platform | Mobile |
| License | Proprietary freeware (some versions were under Apache License 2.0) |
Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password (TOTP; specified in RFC 6238) and HMAC-based one-time password (HOTP; specified in RFC 4226), for authenticating users of software applications.[2]
When logging into a site supporting Authenticator (including Google services) or using Authenticator-supporting third-party applications such as password managers or
Google provides Android,[3] Wear OS,[4] BlackBerry, and iOS[5] versions of Authenticator.
An official open-source fork of the Android app is available on GitHub.[6] However, this fork was archived on April 6, 2021 and is now read-only.[7]
Current software releases are proprietary freeware.[8]
Typical use case
To use Authenticator, the app is first installed on a smartphone. It must then be set up for each site with which it is to be used: the site provides a shared secret key to the user over a secure channel, and the key is stored in the Authenticator app. This secret key is used for all future logins to that site.
To log into a site or service that uses
With this kind of two-factor authentication, mere knowledge of the username and password is insufficient to break into a user's account: the attacker also needs knowledge of the shared secret key or physical access to the device running the Authenticator app. An alternative route of attack is a man-in-the-middle attack: if the device used for the login process is compromised by malware, the credentials and one-time password can be intercepted by the malware, which can then initiate its own login session to the site, or monitor and modify the communication between the user and the site.[9]
Technical description
During setup, the service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits).[10] This is transferred to the Authenticator app as a 16, 26, or 32-character base32 string, or as a QR code.
Subsequently, when the user opens the Authenticator app, it calculates an
- The number of 30-second periods since the Unix epoch (TOTP), as a 64-bit big-endian integer; or
- A counter that is incremented with each new code (HOTP).
A portion of the HMAC is extracted and displayed to the user as a six-digit code: the last nibble (4 bits) of the result is used as an offset into the result byte array, pointing to a 32-bit integer from which the 31st (most significant) bit is masked out.
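The derivation described above (enrolment secret as base32, counter or 30-second period index as a 64-bit big-endian integer, HMAC-SHA1, last-nibble offset, masked 32-bit word), as an added example that is not code from the Google Authenticator project. The `verify()` function is an assumed server-side check, not something the page describes; the test vectors in the comments are the published RFC 4226 / RFC 6238 ones.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                  # 64-bit big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1 result
    offset = mac[-1] & 0x0F                           # last nibble selects the offset (0..15)
    word = struct.unpack(">I", mac[offset:offset + 4])[0]
    code = word & 0x7FFFFFFF                          # mask out bit 31 (most significant bit)
    return str(code % (10 ** digits)).zfill(digits)   # keep the low `digits` decimal digits


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second periods since the Unix epoch."""
    return hotp(secret, unix_time // period, digits)


def decode_base32_secret(s: str) -> bytes:
    """Decode the base32 string shown at enrolment (16/26/32 chars; spaces and case ignored)."""
    s = s.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                          # restore the padding b32decode expects
    return base64.b32decode(s)


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Assumed verifier-side check: accept the code for the current period or +/- `window`
    periods to tolerate clock skew, comparing in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), candidate):
            return True
    return False


# RFC 4226 / RFC 6238 test secret "12345678901234567890" (ASCII), base32-encoded as it would
# appear in an enrolment string; this is the RFCs' published value, not a real user's key.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    print(hotp(secret, 0))          # RFC 4226 Appendix D: 755224
    print(totp(secret, 59))         # RFC 6238: 94287082 truncated to six digits -> 287082
```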
License
The Google Authenticator app for Android was originally open source, but later became proprietary.[8] Google made earlier source for their Authenticator app available on its GitHub repository; the associated development page stated:
"This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[11]
The latest open-source release was in 2020.[6]
See also
- Multi-factor authentication
- HMAC-based one-time password
- FreeOTP
- LinOTP
- Comparison of TOTP applications
References
- ^ "Google Is Making Your Account Vastly More Secure With Two-Step Authentication - TechCrunch". TechCrunch. 2010-09-20. Retrieved 2016-03-12.
- ^ "GitHub - google/google-authenticator: Open source version of Google Authenticator (except the Android app)". GitHub. 18 May 2022. "These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238."
- ^ "Google Authenticator - Apps on Google Play".
- ^ Fingas, Jon (July 19, 2019). "Google Authenticator takes security codes from your smartwatch". Engadget. Archived from the original on October 20, 2020. Retrieved November 6, 2023.
- ^ "Google Authenticator". App Store.
- ^ a b "google/google-authenticator-android: Open source fork of the Google Authenticator Android app". GitHub. 16 May 2022.
- ^ "google-authenticator/mobile at master · google/google-authenticator". GitHub.
- ^ a b Willis, Nathan (22 January 2014). "FreeOTP multi-factor authentication". LWN.net. Retrieved 10 August 2015.
- ^ Umawing, Jovi (6 January 2022). "Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected". www.malwarebytes.com. Retrieved 27 April 2023; Papez, Neko (25 April 2023). "The art of MFA Bypass: How attackers regularly beat two-factor authentication". menlosecurity.com. Retrieved 27 April 2023.
- ^ "google-authenticator - Two-step verification - Google Project Hosting". 18 May 2022.
External links
- Google Authenticator on Google Help
- Google Authenticator (Android) and Google Authenticator (other) legacy source code on GitHub
- Google Authenticator PAM module source code on GitHub
- Google Authenticator implementation in Python on Stack Overflow
- Authenticator on F-Droid
- Django-MFA Implementation Using Google Authenticator - Django-MFA is a simple package to add an extra layer of security to your Django web application. It gives your web app a randomly changing password as extra protection.
- Source code of version 1.02 on GitHub