A Brief Overview of the Google Authenticator
By Deepak Choudhary.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

Many application providers are considering implementing a more robust login mechanism to their applications as single layer authentication is no longer considered a secure approach. The trend is to add an additional authentication layer after main login surface. It could be anything like OTP based (text message), secondary authentication questions, voice calls etc…

It’s common for the application provider to setup a second layer on their end but there are also a few third party providers in the market. Google’s “Two factor authentication” is arguably the most popular and the subject of this blog post.


Google’s Two Factor Authenticator is the smartphone-based application that generates a one-time password used in secondary authentication. End users have option to enable this option within the setup on their smart phone.

In order to leverage the Google Authenticator, the user needs to install the mobile application and then synch with application server. Once the user logs into the first page of the application, they will be presented with the Google Authentication verification prompt. The user can scan the on-screen QR code or manually enter a secret as shown below. Once the process is completed, the user can work without any connectivity.

OTP Generation

Google Authenticator uses two type of algorithm for generating OTPs. Both algorithms are supplied as follows:

The main difference in what the algorithms are fed is that the HMAC OTP uses a counter for input feed where the Time based OTP (TOTP) is seeding with the current time. For TOTP, the client and the server’s time must be in sync or the process will not complete. Network time protocol (NTP) is a key component to facilitate TOTP. In contract to TOTP, HMAC OTP uses a counter used instead of time. The counter increases on both sides once OTP is generated.


From a security prospective, OTP should take into consideration the same key elements as most other multifactor authentication mechanisms. For example:

  • Cross account OTP usage
  • OTP expiration
  • OTP reuse
  • OTP length , etc


By admin