I was logging in to my work's Microsoft account. I use Google Authenticator. My phone did not have a wifi connection. Even so, I entered the code and it let me log in. Later I noticed the wifi on my phone was not working.
I thought the authenticator app needed to check via some sort of network if the code was right. It clearly doesn't. But now I am curious how all of this works.
There are different types of authenticator token systems in use. Google Authenticator implements a well-known standard known as TOTP, as well as HOTP. TOTP is short for Time-based One-Time Password. The app is going to take the current time and date and then calculate a cryptographic hash using a secret key. The numbers it shows represent this hash. The server knows the same secret key and will calculate the same hash to compare. It will also calculate some of the other hashes around the current time in case the clock on the phone is a bit off or you take some extra time entering the code. But if your clock is too far out, the phone will not show a valid code. HOTP works in a similar manner, but instead of the clock it will use the number of times you viewed the code as input.
They rely on the current time.
The authenticator and Microsoft both know your account’s 2FA secret (because that’s in the QR code when you set up the authenticator for the 1st time).
Then, both your authenticator and Microsoft take that secret and the current date & time, and put them through a hash (a bunch of complicated calculations). And then they both end up with the same 6-digit code, so Microsoft can check whether the code you entered is valid.