To expound, I access a website that has a 2FA that asks me a temporary authentication code generated by Google authenticator. My Google authenticator is in my Android phone, which is usually offline. Even so, the temporary code that it generates still works when I input it in the website.
How does that work? How does my Google authenticator in a phone that isn’t connected to the net communicate with the website?
In: Technology
When you setup the authenticator, the qr code contains secure string that your app and server know.
Your code is generated from this string and current time (up to a minute). It’s a deterministic math function.
Your phone generates you a number, and when you submit it, the server uses the same secret key, current time and function to generate own code, and if they are the same, it lets you in.
This protocol can be used on [fully offline MFA keys](https://www.watchguard.com/sites/default/files/ldr_token_support.jpg)
Latest Answers