Eli5: How does an authenticator app (like Google authenticator) and a site I’m accessing communicate if my authenticator app is in an offline phone?


To expound, I access a website that has a 2FA that asks me a temporary authentication code generated by Google authenticator. My Google authenticator is in my Android phone, which is usually offline. Even so, the temporary code that it generates still works when I input it in the website.

How does that work? How does my Google authenticator in a phone that isn’t connected to the net communicate with the website?


7 Answers

Anonymous 0 Comments

Google, like pretty much every other major website, implements the [RFC 6238 TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) for 2FA. Let’s break that down.

RFCs are standards for all things digital. They define data formats, communication protocols, etc. We have them so all our internet devices speak the same language and know how to talk to each other. RFC 6238 is a standard defining TOTP, or time-based one-time passwords, a way to get time-based rotating codes.

The way it works is the server and client both share a secret, established when you first set up 2FA: when you set it up, accounts.google.com had your phone scan a QR code or else enter a string of random characters into the authenticator app. There is now a shared secret between the server and your phone’s authenticator app. Now, based on that secret, your phone and the server feed that secret + the current time (truncated to 30 second increments from the Unix epoch) into a cryptographic hash function (and then do some further manipulation, like truncating the result and serializing it to decimal), which allows both of you to arrive without communication at the same result that is “unique” (or at least, hard to guess or compute) for the current 30 second slice of time and for your account.
