Google Authenticator

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Google Authenticator
Developer(s) Google
Initial release September 20, 2010; 7 years ago (2010-09-20)[1]
Repository github.com/google/google-authenticator
Operating system Android, iOS, BlackBerry OS
Platform Mobile
License Proprietary (earlier versions were under Apache License 2.0)

Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226.[2]

Authenticator provides a six- to eight-digit one-time password which users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Previous versions of the software were open-sourced but subsequent releases are proprietary.[3]

Typical use case[edit]

Typically, a user installs the Authenticator app on a smartphone. To log into a site or service that uses two-factor authentication, the user provides user name and password to the site and runs the Authenticator app. The app displays an additional six-digit one-time password. The same password is independently generated by the site, which asks the user for it. The user enters it, thus authenticating the user's identity.[citation needed]

For this to work, a set-up operation has to be performed ahead of time: the site provides a shared secret key to the user over a secure channel, to be stored in the Authenticator app. This secret key will be used for all future logins to the site.[citation needed]

With this kind of two-factor authentication, mere knowledge of username and password is not sufficient to break into a user's account. The attacker also needs knowledge of the shared secret key or physical access to the device running the Authenticator app. An alternative route of attack is a man-in-the-middle attack: if the computer used for the login process is compromised by a trojan, then username, password and one-time password can be captured by the trojan, which can then initiate its own login session to the site or monitor and modify the communication between user and site.[citation needed]

Implementations[edit]

Google provides Android,[4] BlackBerry, and iOS[5] versions of Authenticator. Several third party implementations are available.

  • Windows Phone 7.5/8/8.1/10: Microsoft Authenticator[6] Virtual TokenFactor[7]
  • Windows Mobile: Google Authenticator for Windows Mobile[8]
  • Java CLI: Authenticator.jar[9]
  • Java GUI: JAuth[10] FXAuth[11]
  • J2ME: gauthj2me[12] lwuitgauthj2me[13] Mobile-OTP (Chinese only)[14] totp-me[15]
  • Palm OS: gauthj2me[16]
  • Python: onetimepass[17], pyotp[18]
  • PHP: GoogleAuthenticator.php[19]
  • Ruby: rotp,[20] twofu[21]
  • Rails: active_model_otp[22] (third party implementation)
  • webOS: GAuth[23]
  • Windows: gauth4win[24] MOS Authenticator[25] WinAuth[26]
  • .NET: TwoStepsAuthenticator[27]
  • HTML5: html5-google-authenticator[28]
  • MeeGo/Harmattan (Nokia N9): GAuth[29]
  • Sailfish OS: SGAuth,[30] SailOTP[31]
  • Apache: Google Authenticator Apache Module[32]
  • PAM: Google Pluggable Authentication Module[33] oauth-pam[34]
  • Backend: LinOTP (Management Backend implemented in python)
  • Chrome/Chrome OS: Authenticator[35]
  • iOS: OTP Auth[36]

Technical description[edit]

The service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits).[37] This is provided as a 16, 26 or 32 character base32 string or as a QR code. The client creates an HMAC-SHA1 using this secret key. The message that is HMAC-ed can be:

  • the number of 30-second periods having elapsed since the Unix epoch (TOTP); or
  • the counter that is incremented with each new code (HOTP).

A portion of the HMAC is extracted and converted to a six-digit code.

Pseudocode for one-time password (OTP)[edit]

  function GoogleAuthenticatorCode(string secret)
      key := base32decode(secret)
      message := floor(current Unix time / 30)
      hash := HMAC-SHA1(key, message)
      offset := last nibble of hash
      truncatedHash := hash[offset..offset+3]  //4 bytes starting at the offset
      Set the first bit of truncatedHash to zero  //remove the most significant bit
      code := truncatedHash mod 1000000
      pad code with 0 until length of code is 6
      return code

Pseudocode for event or counter OTP[edit]

  function GoogleAuthenticatorCode(string secret)
      key := base32decode(secret)
      message := counter encoded on 8 bytes
      hash := HMAC-SHA1(key, message)
      offset := last nibble of hash
      truncatedHash := hash[offset..offset+3]  //4 bytes starting at the offset
      Set the first bit of truncatedHash to zero  //remove the most significant bit
      code := truncatedHash mod 1000000
      pad code with 0 until length of code is 6
      return code

Open Source status on Android[edit]

The Google Authenticator app as currently (16/09/2017) available on Google's Android app market is proprietary.[3] Google has made the source for their Authenticator app available on its GitHub repository. The project's development page states:

"This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[33]

An independent fork of the Android version of the software named FreeOTP[38][3] has been created, which was based on the last version of the open source code that had been provided by Google, prior to their move to GitHub. A less popular fork named OTP Authenticator[39] is also available on Google Play.

References[edit]

  1. ^ "Google Is Making Your Account Vastly More Secure With Two-Step Authentication - TechCrunch". TechCrunch. 2010-09-20. Retrieved 2016-03-12. 
  2. ^ "GitHub - google/google-authenticator: Open source version of Google Authenticator (except the Android app)". GitHub. Google. These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238. 
  3. ^ a b c Willis, Nathan (22 January 2014)."FreeOTP multi-factor authentication". LWN.net. Retrieved 10 August 2015.
  4. ^ https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 A
  5. ^ "Google Authenticator". App Store. 
  6. ^ "Authenticator". 4 April 2013. 
  7. ^ "Virtual TokenFactor". 26 February 2012. 
  8. ^ "[APP]Google Authenticator for Windows Mobile". XDA Developers. 
  9. ^ "http://blog dot jamesdotcuff dot net". 
  10. ^ "mclamp/JAuth". GitHub. 
  11. ^ "kamenitxan/FXAuth". GitHub. 
  12. ^ "gauthj2me - Google Authentification in Java Mobile, j2me - Google Project Hosting". 
  13. ^ "lwuitgauthj2me - Google Authenticator for J2ME phones - Google Project Hosting". 
  14. ^ "chunlinyao / mobile-otp — Bitbucket". 
  15. ^ "totp-me - TOTP for Java ME - Google authenticator". 
  16. ^ "gauth.prc - gauthj2me - Google Authenticator for Palm OS (converted from java) - Google Authentification in Java Mobile, j2me - Google Project Hosting". 
  17. ^ "tadeck/onetimepass". GitHub. 
  18. ^ "pyotp/pyotp". GitHub. 
  19. ^ "chregu/GoogleAuthenticator.php". GitHub. 
  20. ^ "rotp - RubyGems.org - your community gem host". 
  21. ^ "ukazap/twofu". GitHub. 
  22. ^ "heapsource/active_model_otp". GitHub. 
  23. ^ "GAuth". 
  24. ^ "gauth4win - Google Authenticator for windows - Google Project Hosting". 
  25. ^ "MOS Authenticator Home". 
  26. ^ "winauth - Windows Authenticator for Battle.net / World of Warcraft / Guild Wars 2 / Glyph / WildStar / Google / Bitcoin - Google Project Hosting". 
  27. ^ "glacasa/TwoStepsAuthenticator". GitHub. 
  28. ^ "gbraad/html5-google-authenticator". GitHub. 
  29. ^ Techtransit. "Nokia Store: Download GAuth and many other games, wallpaper, ringtones and mobile apps on your Nokia phone". 
  30. ^ "SGAuth". 
  31. ^ "SailOTP". 
  32. ^ "google-authenticator-apache-module - Apache Module for Two-Factor Authentication via Google Authenticator - Google Project Hosting". 
  33. ^ a b "google-authenticator - Two-step verification - Google Project Hosting". 
  34. ^ "oauth-pam - PAM for use with OAuth Websites - Google Project Hosting". 
  35. ^ "Authenticator". 
  36. ^ "OTP Auth". App Store. 
  37. ^ https://tools.ietf.org/html/c#section-4
  38. ^ "FreeOTP". 
  39. ^ "kaie/otp-authenticator-android". GitHub. 

External links[edit]