ELI5: How do an authenticator app (like Google Authenticator) and a site I’m accessing communicate if my authenticator app is on an offline phone?

To expound, I access a website that has 2FA, which asks me for a temporary authentication code generated by Google Authenticator. My Google Authenticator is on my Android phone, which is usually offline. Even so, the temporary code that it generates still works when I input it on the website.

How does that work? How does my Google Authenticator, on a phone that isn’t connected to the net, communicate with the website?

7 Answers

Anonymous 0 Comments

It's time-based; notice that the authenticator code changes every 60 seconds.

When you set up an entry in the authenticator app, you normally scan a 3D barcode which provides a unique value for the authenticator entry. The value is specific to you and the website. I suspect it may also set up a reference time zone (perhaps UTC?).

With some clever math, the authenticator app uses your website-specific unique value and the time to generate a code, which you manually enter into a page on the website.

The website also generates a code using your unique value (which it knows because it generated the 3D barcode when you set up the entry in the authenticator app) and the time, and compares it to the code you entered. If the two match, then you are authenticated.

So there is no online connection. The system works by using a shared secret value and a common time reference; the only requirement is that the time on your phone is reasonably accurate.
