The Google Authenticator app is very helpful for securing your email and other Google online accounts. Two-step authentication technically means you have two layers of security protecting your account – typically a password, and then usually a one-time password (OTP) as the second layer. So when most people talk about two-step authentication, they are usually talking about OTPs.
Once you’ve enabled this additional layer of security on your account, you’ll get an OTP via text message on your registered mobile number, or from an authenticator app, whenever you log in to your Gmail or Twitter account, for instance. This means that even if someone finds out what your password is, they won’t be able to log in to your account, because they won’t have access to the one-time password.
It’s always good to have an extra layer of security when it comes to online accounts. Every other day we hear about people’s accounts being hacked, and enabling two-step authentication is one way to make things difficult for miscreants.
Where to use two-step or two-factor authentication
Not all sites support two-factor authentication, but we think you should use this security feature on every single site that does. It adds an extra step when you log in to your online accounts, but it also gives very good protection.
If you don’t want to use this everywhere, we suggest that you definitely enable it on all of your email accounts. As long as your email isn’t compromised, most of your online accounts are also going to be safe. It goes without saying that you might want to avoid email providers such as Yahoo, which aren’t exactly known for providing a good level of security.
How to use Google Authenticator app to add two-factor authentication
There are two primary ways to use two-factor authentication – via text message or via an authenticator app. Most sites will send you an OTP via text message, and that’s a perfectly good method of authentication. However, if you go abroad, or travel to a place within your country with patchy or no network coverage, you could be locked out of your account because the SMS will never arrive.
That is why we recommend using authenticator apps such as Google Authenticator, Microsoft Authenticator or Authy, or even some password managers such as 1Password. These apps show you OTPs even when the smartphone is in airplane mode. Google Authenticator is quite easy to use, and the following steps will show you how to use it for Gmail. The steps are similar for other authenticator apps too.
1. Open Google’s two-step authentication page.
2. Enter your password as and when prompted. Click Get Started.
3. Enter the phone number you want to use for OTP. This is just in case the Authenticator app isn’t accessible. Click Next.
4. Enter the one-time password sent to your phone. Click Next.
5. Click Turn on.
6. This enables two-step authentication via SMS on your Google account. Now scroll down and click Setup under Authenticator app.
7. In the pop-up, select the type of phone you have – Android or iPhone.
8. Now you’ll see a QR code on screen. You can either scan this or click Can’t scan it to get a code for two-factor authentication. This is where you’ll have to switch to your smartphone.
9. Download Google Authenticator on Android or iOS.
10. Tap Begin Setup.
11. Tap Scan Barcode. This will fire up the camera on your smartphone and you can point that at the QR code on the computer screen. Alternatively you can tap Manual entry and enter the code on screen.
12. On the Google two-step authentication page, click Next.
13. Enter the code shown in your Authenticator app and click Verify.
So how does the Google Authenticator app work offline?
Now that we know the basics of the Time-based One-time Password (TOTP) algorithm behind Google Authenticator, it’s time to see how your account and the authenticator app work together as one system. The steps discussed below should clarify things:
Step 1: We start by setting up the online account (which can be anything from an email account to a cloud storage service) with the (Google) authenticator app after 2FA has been turned on for it. To add your account to Google Authenticator, you are either required to enter the account username together with a special code, or to scan the QR code generated by the service for which 2FA is being configured. This QR code contains the unique shared secret key mentioned in the previous section, which is tied to your account. Needless to say, no two accounts have the same shared secret key.
Step 2: Once the account has been successfully added to the Authenticator app, the one-time setup is finished, and the app now has the unique shared secret key stored alongside its corresponding account info. From here on, every time you need a one-time access code, Google Authenticator generates one by combining this shared secret key and the current system timestamp with a cryptographic hash function, effectively implementing the Time-based One-time Password algorithm. The generated code is entered at the website’s code prompt.
Step 3: Now the question is, how does the website know that the code was generated for the same account? It’s simple, and this is where the current system timestamp comes into play. The timestamp is divided into fixed intervals (e.g. 30 seconds), and the clocks of both the code-generating app and the servers are roughly synchronized from the time of setup onward.
This means that a code generated during the fixed interval in which it is valid is computed from more or less the same timestamp and definitely the same shared secret key on both sides. Consequently, the website where the code from the Authenticator app is entered can recompute it and knows that the code was generated by the Authenticator app for the particular account tied to that shared secret key.
The fact that these codes are invalidated after 30 seconds provides some extra security as well. Since the timestamps are synchronized on both ends, an invalidated code whose 30-second window has expired won’t work on the 2FA-secured account.
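As an added example (not code from the original article, and not Google Authenticator’s own code), here is the computation described in Steps 2 and 3 written out in Python. The app side derives a 6-digit code from the shared secret and the current 30-second time step using HMAC-SHA1, exactly as RFC 4226/6238 specify; the server side recomputes the code for the current step and, as an assumed tolerance of one step either way, accepts it or rejects it as expired. The secret is the published RFC 6238 test-vector key, not a real account secret, and the helper names and the drift window are my own choices.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226/6238 test-vector key ("12345678901234567890" in base32),
# the same form a QR code carries. Constructed for this example, not a real secret.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per counter value, as in the article
DIGITS = 6       # Google Authenticator displays 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = TIME_STEP) -> int:
    """Counter value for a timestamp; app and server each derive it from their own clock."""
    return unix_time // step


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """What the authenticator app shows: HOTP keyed by the shared secret, counter = time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, time_step(unix_time, step))


def verify(secret_b32: str, submitted: str, unix_time: int,
           step: int = TIME_STEP, drift: int = 1) -> bool:
    """Server side: recompute the code for the current step and `drift` steps on either side.

    A code from a step outside that window has expired and is rejected. compare_digest keeps
    the comparison constant-time. drift=1 is an assumed tolerance, not a documented Google value.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = time_step(unix_time, step)
    for counter in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; with a 30 s step this is counter 1
    code = totp(SECRET_B32, now)
    print("code shown at t=59:", code)                          # 287082
    print("accepted at t=70 :", verify(SECRET_B32, code, 70))   # next step, still in window
    print("accepted at t=150:", verify(SECRET_B32, code, 150))  # three steps later: expired
```

The values the script prints match the RFC 6238 reference vectors (the 8-digit vector 94287082 truncated to six digits), which is a quick way to check any TOTP implementation against a known-good answer. In a real deployment the server should also remember the last step it accepted for an account, so that a code cannot be replayed within its own window.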