How does two factor authentication with phone authenticator apps work? How does the website know you’ve entered the correct temporary code?


Two factor authentication is so important in the modern internet. As far as I know, it makes it extremely difficult to hack into an account, even if you have the password. But how does it work? How does this random website know that I’ve entered the temporary code from my authenticator app correctly?

Like, 2fa with email or text is simple, but how, specifically, do the authenticator apps on phones work?

In: 5


The ideas is that both sides already know both a “secret” key and the current time.

taking advantage of that information, a 6 digit code is created using a combination of the two. The website can then verify the entered code against expected code(s)

Your phone (or in prior times, a separate device the size of a lighter) is running an algorithm that spits out pseudorandom numbers at set intervals of about a minute or so. To break that down, it’s not *really* generating random numbers, it just appears random because the outside observer doesn’t know the initial conditions used to set it up. Only the phone app and the authenticating body know how that pseudo random number generator is set up, so if the number the phone generates matches the one in the company’s servers, that’s the authentication.

Obviously, this falls apart if someone steals or clones your phone, or otherwise knows how to duplicate the number generator and settings, but it’s still one more hurdle that your average hacker needs to overcome. Given that most hacks aren’t *targeted* hacks against a specific individual, it’s not worth it to them to try and breach an account with 2FA, so they’ll go hunt easier prey.

The app and the website have a shared secret key. They use the secret key and the current time to generate the temporary code. The temporary code can be generated the same way on both side and your input can then be compared to it.

The secret key is generated when you set up the two-factor authentication and both the phone and the server have it.

When you created the 2FA method, the server generated a secret. That is the thing that is shared via a QR code with your phone.

Then your phone runs a predetermined algorithm that takes the secret and the current time and produces a code. The server can also take the secret and the current time and compare the value. If you were able to provide the value that is correct for the current time, then you must have the device that the original secret is on.