Eli5: How does the an authenticator app (like Google authenticator) and a site I’m accessing communicate if my authenticator app is in an offline phone?

445 viewsOtherTechnology

To expound, I access a website that has a 2FA that asks me a temporary authentication code generated by Google authenticator. My Google authenticator is in my Android phone, which is usually offline. Even so, the temporary code that it generates still works when I input it in the website.

How does that work? How does my Google authenticator in a phone that isn’t connected to the net communicate with the website?

In: Technology

7 Answers

Anonymous 0 Comments

When you setup the authenticator, the qr code contains secure string that your app and server know.

Your code is generated from this string and current time (up to a minute). It’s a deterministic math function.

Your phone generates you a number, and when you submit it, the server uses the same secret key, current time and function to generate own code, and if they are the same, it lets you in.

This protocol can be used on [fully offline MFA keys](https://www.watchguard.com/sites/default/files/ldr_token_support.jpg)

You are viewing 1 out of 7 answers, click here to view all answers.