4

I'd like to turn on Google's two-factor authentication, but first I'd like to understand how it works.

Specifically I'd like to use the Google app for smartphones (btw I checked the FAQ and this is not a question about smartphones but a question where smartphones are on-topic because they interface with a computer).

So I do not want to use the "receive a SMS for authentication".

My question is about the Google app: how does it work? Is everybody downloading a different app or is the app somehow "seeded" for your specific Google account?

Also what happens if you somehow lose your smartphone? How can you then re-install that Google app and how do you re-seed it (if it needs to be seeded)?

Basically I'd like to understand how Google manages to do the equivalent of an RSA device (?) using a Google app.

fixer1234
Cedric Martin
  • The Google Authenticator app is [open source](http://code.google.com/p/google-authenticator/) if you want to check it out :) – slhck Aug 09 '12 at 13:56

3 Answers

4

Everyone is downloading the exact same Authenticator app at the same time. When launched for the first time, the app will ask for your Google login information and at the same time generate a unique ID for your phone (kind of like the serial number on RSA devices.) That unique ID will then be linked to your Google account which will be used for two-factored authentication.

If you were to lose your smartphone, the unique ID associating your smartphone with your Google account will be blacklisted on Google's server to prevent anyone who knows your password AND has your smartphone in their possession from logging into your Google account.

superuser
  • Minor additions: You don't have to lose your phone. Just installing on a secondary device and providing the same Google account login will reset your Google secret. Note this is *specific* to Google's authentication service + app; most 3rd party services generate a secret that doesn't reset automatically. Also a 3rd party app like "authy" won't trigger a reset. – jiggunjer Oct 24 '17 at 09:43
3

Yes, it's "seeded" to your specific account. If you lose your phone you redownload the software. This destroys the capability of the old software to provide the needed key to get in (it uses the old salt, your newly d/l'd and logged in software uses the new one it just created). You redownload it using the process you used to get it in the first place.

An excellent article is available here.

Sathyajith Bhat
Everett
  • It's not seeded to the account, more like device-specific. If you have a backup of the device keys (using something like Titanium Backup on Android), restoring the backup on _any_ device, new or old, will result in Google auth working with the new device. – Sathyajith Bhat Aug 09 '12 at 14:20
  • I was using the term "seeded" in the way the original question was asked. That's why I put quotes around it. I felt if more explanation was needed (that it's keyed, not seeded), it would be provided by the linked article. "restoring the backup on any device, new or old will result in Google auth working with the new device," Only if there isn't a new pairing for the two factor authentication system, and you have a backup code: "You can also create a batch of ten backup codes, which you can use to authorize a computer." That was taken from the article, and there is a link to it. – Everett Aug 09 '12 at 14:44
-1

You can use Google Authenticator with a lot of services which support two-factor authentication. When you enable 2FA in the service's settings you get a QR code. This QR code contains the secret key. You scan it with the Google Authenticator app on your phone so the service and the application know the same secret key. Based on this secret key Google Authenticator generates OTPs and the server checks if they are correct. Google Authenticator doesn't require any internet or network connection. If you don't want to lose access to your account when you lose your phone, you should save the QR code at the moment of token enrollment. Then you will be able to restore your tokens on your new phone. Otherwise, you should contact the support team of the services which you protect with Google Authenticator. They will help you to restore access to your account and you will be able to issue new tokens on your new device.

George
  • This is a description of how you use the application not how the application actually functions. I would expect a reference to the standard at the very least. – Ramhound Feb 23 '18 at 11:43