Google Authenticator

Developer(s): Google
Initial release: September 20, 2010 [1]
Repository: github.com/google/google-authenticator
Operating system: Android, iOS, BlackBerry OS, Wear OS
Platform: Mobile
License: Proprietary freeware (some versions were under Apache License 2.0)

Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password (TOTP; specified in RFC 6238) and HMAC-based one-time password (HOTP; specified in RFC 4226), for authenticating users of software applications. [2]


When logging into a site supporting Authenticator (including Google services) or using Authenticator-supporting third-party applications such as password managers or file hosting services, Authenticator generates a six- to eight-digit one-time password which users must enter in addition to their usual login details.

[Image: Display screen of a Google Authenticator app]

Google provides Android, [3] Wear OS, [4] BlackBerry, and iOS [5] versions of Authenticator.

An official open-source fork of the Android app is available on GitHub. [6] However, this fork was archived on April 6, 2021 and is now read-only. [7]

Current software releases are proprietary freeware. [8]

Typical use case

[Image: Previous logo of Google Authenticator for Android]

To use Authenticator, the app is first installed on a smartphone. It must then be set up for each site with which it is to be used: the site provides a shared secret key to the user over a secure channel, to be stored in the Authenticator app. This secret key is used for all future logins to the site.

To log into a site or service that uses two-factor authentication and supports Authenticator, the user provides a username and password to the site. The site then computes (but does not display) the required six-digit one-time password and asks the user to enter it. The user runs the Authenticator app, which independently computes and displays the same password, which the user types in, authenticating their identity. [citation needed]

With this kind of two-factor authentication, mere knowledge of the username and password is insufficient to break into a user's account: the attacker also needs knowledge of the shared secret key or physical access to the device running the Authenticator app. An alternative route of attack is a man-in-the-middle attack: if the device used for the login process is compromised by malware, the credentials and one-time password can be intercepted by the malware, which can then initiate its own login session to the site, or monitor and modify the communication between the user and the site. [9]

Technical description

During setup, the service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits). [10] This is transferred to the Authenticator app as a 16, 26, or 32-character base32 string, or as a QR code.

Subsequently, when the user opens the Authenticator app, it calculates an HMAC-SHA1 value over a message using this secret key. The message is a counter: for TOTP, the number of fixed-length time steps elapsed since the Unix epoch; for HOTP, an event counter that is incremented with each generated code.

A portion of the HMAC is extracted and displayed to the user as a six-digit code: the last nibble (4 bits) of the 20-byte HMAC result is used as a byte offset into that result, the four bytes starting at that offset are read as a 32-bit integer, and the most significant (31st) bit is masked out.
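As an added example (not code from the Google Authenticator project or from this article), the following Python carries the procedure just described end to end, covering both the enrolment and login flow of the "Typical use case" section and the HMAC-SHA1 computation with dynamic truncation of this section: a provisioning routine that issues a base32 secret (160 bits, the RFC 4226 recommended length, with the article's 80-bit/16-character size available as a parameter), the HOTP/TOTP code computation, and the server-side verification with a small clock-drift window, a constant-time comparison and replay rejection. Function names, the issuer/account strings and the `otpauth://` key-URI format (taken from the project's Key Uri Format wiki page, not from this article) are this example's own assumptions; the embedded test secret is the published RFC 4226 Appendix D one.

```python
# Added example, not code from the Google Authenticator project: HOTP/TOTP
# generation, dynamic truncation and server-side verification per
# RFC 4226 / RFC 6238. All names below are this example's own.
import base64
import hashlib
import hmac
import os
import struct
import urllib.parse

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), embedded
# here only for self-checks; a real deployment derives secrets from os.urandom().
RFC_TEST_SECRET = b"12345678901234567890"


def provision_secret(nbytes: int = 20) -> str:
    """Create a fresh shared secret for one user and return it as an unpadded
    base32 string (what the app stores). 20 bytes = 160 bits, the RFC 4226
    recommended length; 10 bytes gives the 80-bit, 16-character secret the
    article says the service issues."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def decode_secret(b32: str) -> bytes:
    """Turn a 16/26/32-character base32 string (spaces and lower case
    tolerated) back into raw key bytes, restoring any '=' padding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def otpauth_uri(issuer: str, account: str, b32secret: str) -> str:
    """The otpauth:// key URI normally encoded in the enrolment QR code
    (format assumed from the project's Key Uri Format wiki page)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32secret}&issuer={urllib.parse.quote(issuer)}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    dynamic truncation the article describes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # last nibble = byte offset
    word = struct.unpack(">I", mac[offset:offset + 4])[0]
    word &= 0x7FFFFFFF                           # mask out bit 31
    return str(word % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch (30 s is the RFC default)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check. Returns the time step that matched (the caller
    persists it as `last_accepted_step` so the same code cannot be replayed
    within the drift window) or None. Comparison is constant-time; the
    +/- window tolerates clock drift between phone and server."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_step = unix_time // step
    for drift in range(-window, window + 1):
        candidate = now_step + drift
        if candidate <= last_accepted_step:
            continue                             # already used: reject replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    import time
    # Enrolment: the site generates the secret and shows it as text or QR code.
    b32 = provision_secret()
    print(otpauth_uri("ExampleSite", "alice@example.com", b32))
    key = decode_secret(b32)
    # Login: phone and site compute the same code independently.
    now = int(time.time())
    code = totp(key, now)
    print("code:", code, "accepted at step:", verify_totp(key, code, now))
```

The verifier deliberately returns the matched time step rather than a bare boolean: storing that value per user and passing it back as `last_accepted_step` is what stops an intercepted code from being accepted a second time inside the drift window, which a plain "is the code valid" check does not.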

License

The Google Authenticator app for Android was originally open source, but later became proprietary. [8] Google made earlier source for their Authenticator app available on its GitHub repository; the associated development page stated:

"This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project." [11]

The latest open-source release was in 2020. [6]


Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

One-time password: Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It has close to thirty coordinating and contributing members and is proposing standards for a variety of authentication technologies, with the aim of lowering costs and simplifying their functions.

HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH).

Multi-factor authentication: Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

LinOTP is Linux-based software to manage authentication devices for two-factor authentication with one-time passwords. It is implemented as a web service based on the Python framework Pylons, and therefore requires a web server to run in.

multiOTP: Authentication system

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

SQRL: Draft open standard for identity verification

SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.

Mitro

Mitro was a password manager for individuals and teams that securely saved users' logins, and allowed users to log in and share access.

YubiKey: Hardware authentication device

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services. It supports one-time passwords (OTP), public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.

FreeOTP: Free and open-source two-factor authentication app

FreeOTP is a free and open-source software token that can be used for two-factor authentication. It provides implementations of HOTP and TOTP. Tokens can be added by scanning a QR code or by manually entering the token configuration. It is maintained by Red Hat under the Apache 2.0 license, and supports Android and iOS.

privacyIDEA

privacyIDEA is a two-factor authentication system which is multi-tenancy- and multi-instance-capable. It is open source, written in Python and hosted on GitHub. privacyIDEA is a fork of LinOTP from 2014.

Bitwarden: Open-source password manager

Bitwarden is a freemium open-source password management service that stores sensitive information, such as website credentials, in an encrypted vault. The platform offers a variety of client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. Bitwarden offers a free US or European cloud-hosted service as well as the ability to self-host.

The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.

OnlyKey: Hardware security token

OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, also acting as a portable password manager.

References

  1. "Google Is Making Your Account Vastly More Secure With Two-Step Authentication". TechCrunch. 2010-09-20. Retrieved 2016-03-12.
  2. "GitHub - google/google-authenticator: Open source version of Google Authenticator (except the Android app)". GitHub. 18 May 2022. "These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238."
  3. "Google Authenticator - Apps on Google Play".
  4. Fingas, Jon (July 19, 2019). "Google Authenticator takes security codes from your smartwatch". Engadget. Archived from the original on October 20, 2020. Retrieved November 6, 2023.
  5. "Google Authenticator". App Store.
  6. "google/google-authenticator-android: Open source fork of the Google Authenticator Android app". GitHub. 16 May 2022.
  7. "google-authenticator/mobile at master · google/google-authenticator". GitHub.
  8. Willis, Nathan (22 January 2014). "FreeOTP multi-factor authentication". LWN.net. Retrieved 10 August 2015.
  9. Umawing, Jovi (6 January 2022). "Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected". www.malwarebytes.com. Retrieved 27 April 2023.
  10. M'Raihi, D.; Bellare, M.; Hoornaert, F.; Naccache, D.; Ranen, O. (2005-02-15). "RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm". tools.ietf.org. doi:10.17487/RFC4226. Retrieved 2019-03-25.
  11. "google-authenticator - Two-step verification - Google Project Hosting". 18 May 2022.