Google Authenticator
Google Authenticator is an open-source two-step verification token app developed by Google. It generates a 6-digit number that is entered in addition to the user name and password to authorize the user to Google services and to other services.
Operation
The app is based on the Time-based One-time Password (TOTP) algorithm of the Internet Engineering Task Force. The server of a service protected with Google Authenticator generates an 80-bit secret that the user must transfer to a personal device, usually a smartphone. To this end, the secret is usually presented as a QR code or as a Base64 string. The transfer is a potential weak point: since this is the shared secret of the whole scheme, the code should only be read from a trusted computer. A photograph of the QR code would likewise compromise the secret.
After this first step the secret is known only to the server and to the user's personal device, and ideally it never leaves them. To authorize, a one-time password is generated that is calculated from the current time and the secret. For this reason the clocks of client and server must be roughly synchronized. The pseudocode below yields a new password every 30 seconds. In practice the server can be programmed to also accept the predecessor and successor code, so that differences of about a minute are tolerated. According to the specification, a counter that is incremented on both sides with each login can serve as the basis instead of the time. This variant is currently not used.
When logging in, the user must now enter the generated one-time password in addition to the normal password. The secret needed to generate the one-time password is not transmitted and therefore cannot be intercepted.
By its design, Google Authenticator protects reliably against keyloggers and against eavesdropping on passwords as they are typed. However, if an attacker presents a fake login page, he can act as a man in the middle, intercept the one-time password and use it in the user's place to log in. In addition, most providers allow specific computers to be defined as trusted clients, from which login is possible without a one-time password. If an attacker gains access to such a computer, the protection no longer applies.
Implementation
Google supports Apple iOS, BlackBerry and Android. There are many third-party implementations for other platforms:
- Windows Phone 7.5 / 8: Virtual Token Authenticator Factor
- Windows Mobile: Google Authenticator for Windows Mobile
- Java CLI: Authenticator.jar
- Java GUI: JAuth
- J2ME: gauthj2me, lwuitgauthj2me, TOTP me, MOTP Mobile OTP (Chinese only)
- PalmOS: gauthj2me
- Python: OneTimePass
- PHP: GoogleAuthenticator.php
- Ruby: gem google_authenticator_auth (third-party implementation)
- WebOS: Gauth
- Windows: gauth4win
- HTML5: html5-google-authenticator
- MeeGo / Harmattan (Nokia N9): Gauth
- Apache: Google Authenticator Apache modules
Dissemination
Google Authenticator can be used in the following websites:
- Bitcoin-central.net
- Dropbox
- Gaia Online
- Gmail
- Google Apps
- Joomla
- LastPass
- Mt.Gox
- Synology
- TYPO3 (extension required)
- WordPress (plugin required)
- Drupal (plug-in required)
- App.net
- Dreamhost control panel
- . br
- Outlook.com
- Evernote
- Guild Wars 2
- Zarafa (plug-in required)
- Amazon Web Services
- Github
Pseudocode
    Function GoogleAuthenticatorCode(string secret)
        key := base32decode(secret)
        message := floor(current Unix time / 30)
        hash := HMAC-SHA1(key, message)
        offset := last nibble of hash
        truncatedHash := hash[offset .. offset + 3]   // 4 bytes starting at the offset
        Set the first bit of truncatedHash to zero     // remove the most significant bit
        code := truncatedHash mod 1000000
        pad code with 0 until length of code is 6
        return code
Web Links
- Project site (English)