I use the Google Authenticator app as an additional security measure for my Google account. When Dropbox added support I realised it wasn’t just a Google thing. I finally thought I’d look at what it takes to implement a Google Authenticator “compliant” service. Turns out it’s not too hard, and it’s all standards-based.
For the impatient, here’s the CF Google Authenticator Github repo.
So, for the details: these two standards are involved in the Google Authenticator implementation:
- RFC-6238 TOTP: Time-Based One-Time Password Algorithm
- RFC-4226 HOTP: An HMAC-Based One-Time Password Algorithm
The first is actually a specific implementation of the second, and is what Google Authenticator tokens are based on.
HOTP is conceptually simple – you take the HMAC-SHA-1 of a shared secret key and a counter (the secret is the HMAC key; the counter is the message, encoded as an 8-byte big-endian integer). You then do some bit twiddling with the resulting 160-bit (20-byte) hash to get it down to a 4-byte number: the low four bits of the last byte pick an offset into the hash, the 4 bytes starting at that offset are read as a big-endian integer with the top bit cleared (so it is a 31-bit value), and that value modulo 10^6 gives the 6-digit number which is your token.
TOTP is a particular implementation of HOTP where the counter is derived from the number of seconds since the UNIX Epoch. Specifically it’s how many X-second periods there have been since the epoch, i.e. floor(unix_time / X), where X is 30 seconds in Google’s case. This is why the number changes every 30 seconds, and it is also why the client’s and server’s clocks have to agree: a verifier normally accepts the codes for the adjacent time steps as well, to tolerate a little clock drift.
So anyway, the actual derivation of the current token value from the secret is only a few lines of code, but there was some additional complexity to implementing this in ColdFusion.