Google Authenticator

Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of mobile applications by Google.[2]

When logging into a site supporting Authenticator (including Google services) or using Authenticator-supporting third-party applications such as password managers or file hosting services, Authenticator generates a six- to eight-digit one-time password which users must enter in addition to their usual login details.

Previous versions of the software were open-source but subsequent releases are proprietary.[3]

Google Authenticator
Google Authenticator for Android icon
Initial releaseSeptember 20, 2010[1]
Operating systemAndroid, iOS, BlackBerry OS
LicenseProprietary (earlier versions were under Apache License 2.0)

Typical use case

To use Authenticator, the app is first installed on a smartphone. It must be set up for each site with which it is to be used: the site provides a shared secret key to the user over a secure channel, to be stored in the Authenticator app. This secret key will be used for all future logins to the site.

To log into a site or service that uses two-factor authentication and supports Authenticator, the user provides username and password to the site, which computes (but does not display) the required six-digit one-time password and asks the user to enter it. The user runs the Authenticator app, which independently computes and displays the same password, which the user types in, authenticating their identity.

With this kind of two-factor authentication, mere knowledge of username and password is not sufficient to break into a user's account; the attacker also needs knowledge of the shared secret key, or physical access to the device running the Authenticator app. An alternative route of attack is a man-in-the-middle attack: if the computer used for the login process is compromised by a trojan, then username, password and one-time password can be captured by the trojan, which can then initiate its own login session to the site or monitor and modify the communication between user and site.

Technical description

The service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits).[4] This is provided as a 16, 26 or 32 character base32 string or as a QR code. The client creates an HMAC-SHA1 using this secret key. The message that is HMAC-ed can be:

  • the number of 30-second periods having elapsed since the Unix epoch (TOTP); or
  • the counter that is incremented with each new code (HOTP).

A portion of the HMAC is extracted and converted to a six-digit code.

Pseudocode for one-time password (OTP)

  function GoogleAuthenticatorCode(string secret)
      key := 5B5E7MMX344QRHYO
      message := floor(current Unix time / 30)
      hash := HMAC-SHA1(key, message)
      offset := last nibble of hash
      truncatedHash := hash[offset..offset+3]  //4 bytes starting at the offset
      Set the first bit of truncatedHash to zero  //remove the most significant bit
      code := truncatedHash mod 1000000
      pad code with 0 from the left until length of code is 6
      return code

Other authentication software

The Google Authenticator app for Android was originally open source, but later became proprietary.[3] Google made earlier source for their Authenticator app available on its GitHub repository; the associated development page states:

"This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[5]

Following Google Authenticator ceasing to be open source, a free-software clone named FreeOTP[6][3] was created, predominantly a fresh rewrite but including some code from the original.Google provides Android,[7] BlackBerry, and iOS[8] versions of Authenticator.

Several other versions of authentication software are available. Those that use TOTP and HMAC in addition to other two-factor authentication can authenticate with the same sites and processes as Google Authenticator. Some of the listed software is available in versions for several platforms.

  • Windows Phone 7.5/8/8.1/10: Microsoft Authenticator,[9] Virtual TokenFactor[10]
  • Windows Mobile: Google Authenticator for Windows Mobile[11]
  • Java CLI: Authenticator.jar[12]
  • Java GUI: JAuth,[13] FXAuth[14]
  • J2ME: gauthj2me,[15] lwuitgauthj2me,[16] Mobile-OTP (Chinese only),[17] totp-me[18]
  • Palm OS: gauthj2me[19]
  • Python: onetimepass[20] pyotp[21]
  • PHP: GoogleAuthenticator.php[22]
  • Ruby: rotp,[23] twofu[24]
  • Rails: active_model_otp[25]
  • webOS: GAuth[26]
  • Windows: gauth4win,[27] MOS Authenticator,[28] WinAuth[29]
  • .NET: TwoStepsAuthenticator[30]
  • HTML5: html5-google-authenticator[31]
  • MeeGo/Harmattan (Nokia N9): GAuth[32]
  • Sailfish OS: SGAuth,[33] SailOTP[34]
  • Apache: Google Authenticator Apache Module[35]
  • PAM: Google Pluggable Authentication Module,[5] oauth-pam[36]
  • Backend: LinOTP (Management Backend implemented in python)
  • Chrome/Chrome OS: Authenticator[37]
  • Multi-platform: Twilio Authy[38]
  • Multi-platform: Duo Mobile[39]
  • OTP Auth[40]

See also


  1. ^ "Google Is Making Your Account Vastly More Secure With Two-Step Authentication - TechCrunch". TechCrunch. 2010-09-20. Retrieved 2016-03-12.
  2. ^ "GitHub - google/google-authenticator: Open source version of Google Authenticator (except the Android app)". GitHub. Google. These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
  3. ^ a b c Willis, Nathan (22 January 2014)."FreeOTP multi-factor authentication". Retrieved 10 August 2015.
  4. ^
  5. ^ a b "google-authenticator - Two-step verification - Google Project Hosting".
  6. ^ "FreeOTP".
  7. ^ A
  8. ^ "Google Authenticator". App Store.
  9. ^ "Authenticator". 4 April 2013.
  10. ^ "Virtual TokenFactor". 26 February 2012.
  11. ^ "[APP]Google Authenticator for Windows Mobile". XDA Developers.
  12. ^ "http://blog dot jamesdotcuff dot net".
  13. ^ "mclamp/JAuth". GitHub.
  14. ^ "kamenitxan/FXAuth". GitHub.
  15. ^ "gauthj2me - Google Authentification in Java Mobile, j2me - Google Project Hosting".
  16. ^ "lwuitgauthj2me - Google Authenticator for J2ME phones - Google Project Hosting".
  17. ^ "chunlinyao / mobile-otp — Bitbucket".
  18. ^ "totp-me - TOTP for Java ME - Google authenticator".
  19. ^ "gauth.prc - gauthj2me - Google Authenticator for Palm OS (converted from java) - Google Authentification in Java Mobile, j2me - Google Project Hosting".
  20. ^ "tadeck/onetimepass". GitHub.
  21. ^ "pyotp/pyotp". GitHub.
  22. ^ "chregu/GoogleAuthenticator.php". GitHub.
  23. ^ "rotp - - your community gem host".
  24. ^ "ukazap/twofu". GitHub.
  25. ^ "heapsource/active_model_otp". GitHub.
  26. ^ "GAuth".
  27. ^ "gauth4win - Google Authenticator for windows - Google Project Hosting".
  28. ^ "MOS Authenticator Home".
  29. ^ "winauth - Windows Authenticator for / World of Warcraft / Guild Wars 2 / Glyph / WildStar / Google / Bitcoin - Google Project Hosting".
  30. ^ "glacasa/TwoStepsAuthenticator". GitHub.
  31. ^ "gbraad/html5-google-authenticator". GitHub.
  32. ^ Techtransit. "Nokia Store: Download GAuth and many other games, wallpaper, ringtones and mobile apps on your Nokia phone".
  33. ^ "SGAuth".
  34. ^ "SailOTP".
  35. ^ "google-authenticator-apache-module - Apache Module for Two-Factor Authentication via Google Authenticator - Google Project Hosting".
  36. ^ "oauth-pam - PAM for use with OAuth Websites - Google Project Hosting".
  37. ^ "Authenticator".
  38. ^ "Authy". App Store.
  39. ^ "Duo Mobile". App Store.
  40. ^ "OTP Auth". App Store.

External links

CEX.IO is a cryptocurrency exchange and former Bitcoin cloud mining provider. As an online digital currency exchanger, CEX.IO offers trading cryptocurrency for fiat money, such as USD, EUR, GBP and RUB. The exchange charges 0% to 0.25% commission on trade operations, according to the Maker-Taker fee schedule.The list of cryptocurrencies introduced on the platform includes Bitcoin, Ether, Ripple, XLM, Bitcoin Cash, Dash, Zcash, and Bitcoin Gold.

Central Authentication Service

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

Comparison of authentication solutions

Authentication is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. Out of different types of authentication two-factor authentication is a method that provides identification of users by means of the combination of two different components. There are number of two-factor authentication and multi-factor authentication methods. Multi-factor authentication products can provide significant benefits to an enterprise, but the methods are complex and the tools themselves can vary greatly from provider to provider.


FreeOTP is a soft token authenticator that can be used for two-factor authentication. It provides implementations of HOTP and TOTP. Tokens can be added by scanning a QR code or by manually entering in the token configuration. FreeOTP can be used as a replacement for Google Authenticator even when logging into Google services. It is maintained by Red Hat under the Apache 2.0 license. It is available for Android and iOS.


Gmail is a free email service developed by Google. Users can access Gmail on the web and using third-party programs that synchronize email content through POP or IMAP protocols. Gmail started as a limited beta release on April 1, 2004 and ended its testing phase on July 7, 2009.

At launch, Gmail had an initial storage capacity offer of one gigabyte per user, a significantly higher amount than competitors offered at the time. Today, the service comes with 15 gigabytes of storage. Users can receive emails up to 50 megabytes in size, including attachments, while they can send emails up to 25 megabytes. In order to send larger files, users can insert files from Google Drive into the message. Gmail has a search-oriented interface and a "conversation view" similar to an Internet forum. The service is notable among website developers for its early adoption of Ajax.

Google's mail servers automatically scan emails for multiple purposes, including to filter spam and malware, and to add context-sensitive advertisements next to emails. This advertising practice has been significantly criticized by privacy advocates due to concerns over unlimited data retention, ease of monitoring by third parties, users of other email providers not having agreed to the policy upon sending emails to Gmail addresses, and the potential for Google to change its policies to further decrease privacy by combining information with other Google data usage. The company has been the subject of lawsuits concerning the issues. Google has stated that email users must "necessarily expect" their emails to be subject to automated processing and claims that the service refrains from displaying ads next to potentially sensitive messages, such as those mentioning race, religion, sexual orientation, health, or financial statements. In June 2017, Google announced the upcoming end to the use of contextual Gmail content for advertising purposes, relying instead on data gathered from the use of its other services.By February 2016, Gmail had one billion active users worldwide.

Google Account

A Google Account is a user account that is required for access, authentication and authorization to certain online Google services.

Intuitive Password

Intuitive Password is a proprietary freemium password manager and secure digital wallet that stores users' passwords and confidential data. It was launched in 2013 by the Australian company Intuitive Security Systems. Intuitive Password received mixed reviews. Neil J. Rubeking wrote in PC Magazine in 2013 that Intuitive Password's not having automated password capture like some of its competitors was a significant downside.


LinOTP is a Linux-based solution to manage authentication devices for two-factor authentication with one time passwords.

It is implemented as a web service based on the python framework Pylons. Thus it requires a web server to

run in.

LinOTP is mainly developed by the German company KeyIdentity GmbH. Its core components are licensed under the Affero General Public License.

It is an open source authentication server certified

by the OATH initiative for open authentication for its 2.4 version.

List of Google apps for Android

e Google Play Store, although some may not show up in search results if they are listed as incompatible with your device (even though they may still function from an *.apk). Some of Google's apps may be pre-installed on some devices, depending upon the device manufacturer and the version of Android. A few of these apps, such as Gboard, are not supported on older versions of Android.

List of Google products

The following is a list of products and services provided by Google. is a web portal and web-based email service provider owned by the German internet company United Internet. It offers news articles and videos and a free webmail application with unlimited storage.


multiOTP is an open source PHP class, a command line tool and a web interface that can be used to provide an operating system independent strong authentication system. multiOTP is OATH certified since version 4.1.0 and is developed under the LGPL license. Starting with version, multiOTP open source is also available as a virtual appliance - as a standard OVA file, a customized OVA file with open-vm-tools, and also as an Hyper-V downloadable file.

QRcode is generated automatically when printing the user configuration page.


Nitrokey is an open source USB key to enable secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft.The hardware and software of Nitrokey are available as open source, free software and open hardware which enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, Linux, and macOS.

One-time password

A one-time password (OTP), also known as one-time pin, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).

The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. A second major advantage is that a user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the password for one of these is gained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, thus reducing the attack surface further.

OTPs have been discussed as a possible replacement for, as well as enhancer to, traditional passwords. On the downside, OTPs are difficult for human beings to manipulate. Therefore, they require additional technology to work.


privacyIDEA is a Two Factor Authentication System which is multi-tenency- and multi-instance-capable.

It is opensource, written in Python and hosted at GitHub.

Security token

A security token is a physical device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.

Some tokens may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint details. Some may also store passwords. Some designs incorporate tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Connected tokens utilize a variety of interfaces including USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth. Some tokens have an audio capability designed for vision-impaired people.

Self-service password reset

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition . Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password.

Software token

A software token (a.k.a. soft token) is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated (absent physical invasion of the device).)

Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material - for example, computer viruses and software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.


This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.