Such a cool-sounding term, I had to find out its meaning and purpose. So here is the story. Let’s take the story step-wise. You should have heard by now of 2-FA, two-factor authentication. The base idea is pretty simple. Apart from just the password, many of the websites might be sending you an OTP on the phone to grant access. That summarises the two factors. Your password is factor one, and possession of your phone number is factor 2. But just for curious people, I will share some knowledge. Multi-Factor Authentication In information security, we have three main pillars to verify someone’s identity. Something only the user knows Knowledge: Something only the user has Possession: Something only the user is Inherence: Withdrawing money from ATM checks of ATM card and of the PIN. Encashing a cheque checks of the cheque book and to user’s signature. Attendance in my college lectures needs to fingerprint and of the ID card. Writing proxy attendance in attendance sheet requires of friend’s roll number and of the fake signature of your friend. You get the idea where it’s going. possession knowledge possession inherence the inherence possession knowledge inherence as most of the examples above, is about combining the methods from 2 separate domains. It is different from which can be just a password and a pin, both from the domain. Two-Factor authentication, Two-Step authentication, knowledge Where does Google Authenticator come in? Many secure websites recommend, even enforce you, to use such two factors. More than often, the part is your phone number. possession But waiting for OTP can be troublesome, especially in a place with poor networking. Many people may be stuck in places that do have good WiFi, internet connectivity but horrible cellular coverage. Like any place in the new CSE building of my college or even Chhatrapati Shivaji Maharaj International Airport in rush hours. Why so many worries, right? If we just wanted to prove the possession of something, can’t we show the possession of our phone? Something that we always have. And more than often is the device we are using to log in to the website. This is the idea behind . Google Authenticator How does it work? At the time of first account creation, if you choose the authenticator app option in the available list, they will provide you with a QR code, which is the main secret that will remain shared between your phone and the website. You should print this QR code and keep it hidden in your cupboard or somewhere you can be safe about. Why? We will come to that later. Ease of use This secret that is shared through QR is more than often 16+ length of a random string. So are you supposed to type in every time? That will not only make it tough but also make the string knowledge than possession. Instead, what the app does for you is taking this secret key and the current time as inputs, it generates a new OTP for you which is a 6–8 digit number that you can type in. This OTP is regenerated in 30 seconds and older OTP expires. A Cyber hacker has to guess the OTP in a small time window. Anything later than that and the OTP will expire. This will not only prevent the entry but also warn the user through email about his password being compromised. How to get started? Here’s how you can get started. Though I am writing this for usage on Facebook, you can adopt similar procedures for any website providing such an option. * Link to the app: Google Authenticator, Play Store * In Facebook, head to . security option in setting * You will find a separate section for two-factor authentication. * Select the Set-up/add option in “Authentication app” section * Such a page with codes will popup. In the Google Authenticator app, you will have a “+” sign which will give you option to either add the code or scan the QR. *You will be prompted to add the current OTP from the phone screen on the website to complete the authentication procedure. * In any later login attempts, you will be asked to provide the code from the code generator app. * You can copy the code from the app which will be refreshing every 30 seconds. The app doesn’t allow screenshot and hence I am sharing the image available through play store screenshots Screenshot from play store Pros & Cons Google Authenticator gives the following benefits: 1. Does not need a cellular connection 2. Easy to use. Not waiting for OTP from the server. 3. Better than SMS-based OTP, because SMS is not encrypted. Bummer right, but at least that’s what my limited google search results told me. 4. The OTP is time-based with a short expiration window But there are some cons. 1. As this method is device centered, losing the device will mean now even you won’t be able to get authenticated. So the printed QR code you kept on the shelf will be handy to re-authenticate. 2. A buggy phone with an inaccurate time will again cause issues as this method of verification works around the clock and its precision. TL;DR Google Authenticator is awesome and easy to use. Worth a try. Thanks for reading ❤

Facebook

Google

Check my website

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Google's Authenticator App Explained and Reviewed

Too Long; Didn't Read

Companies Mentioned

Rupesh

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Google's Authenticator App Explained and Reviewed

Too Long; Didn't Read

Companies Mentioned

Rupesh

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES