How does Google Authenticator work?

-




How does 𝐆𝐨𝐨𝐠𝐥𝐞 𝐀𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐚𝐭𝐨𝐫 work?

We use this authenticator a lot for logging into our accounts and transferring money online. 


But how does it guarantee security?


Google Authenticator is a software-based authenticator that implements two-step verification service. The diagram below provides detail. 

 

There are two stages involved:


🔹 Stage 1 - The user enables Google two-step verification.


🔹 Stage 2 - The user uses the authenticator for logging in, etc.

 

Let’s look at these stages.

 

𝐒𝐭𝐚𝐠𝐞 1


Steps 1 and 2: 


Bob opens the web page to enable two-step verification. The frontend requests a secret key. The authentication service generates the secret key for Bob and stores it in the database.

 

Step 3: 


The authentication service returns a URI to the frontend. The URI is composed of key issuer, username and secret key. The URI is displayed in the form of a QR code on the web page.

 

Step 4: 


Bob then uses Google Authenticator to scan the generated QR code. The secret key is stored in the authenticator.


𝐒𝐭𝐚𝐠𝐞 2


Steps 1 and 2:


Bob wants to log into a website with Google two-step verification. For this he needs the password. Every 30 seconds, Google Authenticator generates a 6-digit password using TOTP (Time-based One Time Password) algorithm. Bob uses the password to enter the website.

 

Steps 3 and 4: 


The frontend sends the password Bob enters to the backend for authentication. The authentication service reads the secret key from the database and generates a 6-digit password using the same TOTP algorithm as the client.

 

Step 5: 


The authentication service compares the two passwords generated by the client and the server, and returns the comparison result to the frontend. Bob can proceed with the login process only if the two passwords match.

 

Is this authentication mechanism 𝐬𝐚𝐟𝐞? 


🔹 Can the secret key be obtained by others? 

We need to make sure the secret key is transmitted using HTTPS. The authenticator client and the database store the secret key, and we need to make sure the secret keys are encrypted.


🔹 Can the 6-digit password be guessed by hackers?

No. The password has 6 digits, so the generated password has 1 million potential combinations. Plus, the password changes every 30 seconds. If hackers want to guess the password in 30 seconds, they need to enter 30,000 combinations per second.

Comments

Post a Comment

Popular posts from this blog

What is deepfake and how to secure yourself from deepfake?

-
Image
Deepfake refers to the use of artificial intelligence (AI) and deep learning techniques to create or manipulate media content, often involving the substitution of a person's likeness in videos or images. The term "deepfake" is derived from the combination of "deep learning" and "fake." Deepfake technology uses deep neural networks, particularly generative adversarial networks (GANs), to generate realistic-looking content. GANs consist of two neural networks – a generator and a discriminator – that work together to create and evaluate synthetic data. In the context of deepfakes, the generator creates fake content, such as a video of a person saying or doing something they never did, while the discriminator tries to distinguish between real and fake content. Deepfakes can be created for various purposes, including entertainment, satire, or malicious activities. While they have potential positive applications, such as in the film industry for special e
Read more

What is Rubber ducky USB????

-
Image
USB Rubber ducky   is an HID device that looks similar to a USB Pen drive. It may be used to inject keystroke into a system, used to hack a system, steal victims essential and credential data can inject payload to the victim’s computers. The main important thing about USB Rubber ducky is that it cannot be detected by any Anti-Virus or Firewall as it acts as an HID device. Features:  USB Rubber ducky is a kind of key injection tool, can be used as malicious or non-malicious keystroke. It is one of the favorite devices of hackers penetration testers as it is very fast and did not detect by ant PC. USB Rubber Ducky can also be used for targeting vulnerable systems or programming processes and save times. Working: USB rubber ducky acts as a keyboard and has keystrokes installed in it When we connect it to PC the keystrokes run automatically. It has a high speed of approx. 1000 words per minute. So those works which can be done by keyboard can also be done by USB rubber ducky When ever it i
Read more

🔰How to Protect Yourself from Keylogger Attacks🔰

-
Image
When a hacker has an unnoticed backdoor on your computer, anything is possible, but there are a few things you can do to minimize the risk of having your keys captured: 🔸 Use antivirus software. While there's not a catch-all solution, and antivirus software won't protect against sophisticated and cutting-edge keyloggers, there's still no excuse for not using antivirus software which protects against most known keylogger software. 🔸 Use on-screen keyboards when entering passwords.One of the limitations of most keyloggers is that they only capture actual keystrokes being pressed on the keyboard. The Windows on-screen keyboard will provide a virtual keyboard that may help circumvent keyloggers. 🔸 Use a firewall. It's possible lazy attackers won't go through the effort of disguising their payloads to appear as being normal DNS (port 53) or HTTP (port 80) transmissions. A firewall might catch suspicious packets leaving your computer on port 35357. 🔸 Protect your comp
Read more