Monday, December 03, 2012

Mysterious Google two-step authentication - in debug


I hope you have enabled two-step authentication on your Google account? If not, I strongly recommend doing so. Do you know the nature of the code generated by Google Authenticator? There is no myth here: it is just an implementation of RFC 6238. Even better, you can add a new level of security to your own application very easily, without having to use some monstrous security library.

I will use PHP in this article, which means the server side can use this code to validate the code sent by the client. But nothing stops you from implementing the OTP generation algorithm in JavaScript.


2-step verification drastically reduces the chances of having the personal information in your Google account stolen by someone else. Why? Because hackers would have to get not only your username and password, but also the personal key used to generate the 6-digit combination.

How is this combination generated? Let's walk through the process:

Assume that the secret in base32 is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ (this is actually the base32 encoding of the secret key 12345678901234567890).

Why is base32 used and not base64? My guess takes the following points into consideration:

- The resulting character set is all one case (usually represented as uppercase), which can often be beneficial when using a case-insensitive filesystem, spoken speech, or human memory.
- The alphabet was selected to avoid similar-looking pairs of different symbols, so the strings can be accurately transcribed by hand. (For example, the symbol set omits the symbols for 1, 8 and zero, since they could be confused with the letters 'I', 'B', and 'O'.)
- The result can be included in a URL without encoding any characters.

In other words, the encoded message is much easier to remember than base64.

The variable part of the code is time (to be more precise, 30-second intervals). Bearing in mind that not all devices use NTP to synchronize their clocks, we might want to check 3-5 sequential codes to be sure that the right code was entered. The more secure your solution has to be, the fewer 30-second intervals you might want to check.


Let us take the current Unix timestamp:

UnixTimeStamp (time()/30): 44376117.366667 

and calculate the HOTP, a one-time password based on HMAC (

What we need to calculate the 6-digit code:

Take the integer part of the value above, 44376117, and convert it to hex: 2a52035

Pack it into a byte string:
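The whole calculation the article walks through, as an added example written in Python rather than the article's PHP (it is not the author's code). It uses only the article's secret and counter; base32 decoding, counter packing, HMAC-SHA1 truncation and the check of a few adjacent 30-second steps follow RFC 4226 and RFC 6238.

```python
import base64
import hashlib
import hmac
import struct

# The article's secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_secret(b32: str) -> bytes:
    """Base32 (RFC 4648 alphabet A-Z, 2-7) to raw key bytes; tolerate lowercase and missing '='."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def pack_counter(counter: int) -> bytes:
    """The 'pack to byte string' step: the counter as an 8-byte big-endian integer."""
    return struct.pack(">Q", counter)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the packed counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, pack_counter(counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is trunc(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- window adjacent steps (clock drift).
    Every candidate is compared in constant time so timing does not reveal which step matched."""
    counter = unix_time // STEP_SECONDS
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        ok |= hmac.compare_digest(hotp(key, c).encode(), submitted.encode())
    return ok


KEY = decode_secret(BASE32_SECRET)  # b'12345678901234567890'

if __name__ == "__main__":
    # The article's counter: trunc(44376117.366667) = 44376117 = 0x2a52035
    print(pack_counter(44376117).hex())  # 0000000002a52035
    print(hotp(KEY, 44376117))           # the 6-digit code for that 30-second interval
```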


Read more: Codeproject

Posted via email from Jasper-Net