How does the Google Authenticator Work? HOTP TOTP Difference | 2FA Authentication
- Added 28. 06. 2024
- How does Authy work? What are HOTP and TOTP? What is multi-factor authentication, and what is two-factor authentication (2FA)? We look at Base32, QR codes, and the respective RFCs for both approaches.
Authy vs Google Authenticator.
Chapters:
00:00 Intro
00:20 What are we solving?
00:39 HOTP
02:35 Solving: Password length
04:44 Solving: Syncing counter
04:41 TOTP
08:29 TOTP Secret Encoding
09:20 QR code contents
10:30 Real World QR code
11:08 Reading the spec, an example of the flow
15:54 How do you validate?
17:33 Outro
TOTP vs HOTP. RFC 4226. How Google Authenticator works. - Science & Technology
You must know some amazing 5-year-olds!
😂😂😂😂😂
I really loved the way you explained that! Just the right amount of details and easily understandable with even just a little bit of background knowledge. I appreciated that you even explained how exactly the division of the counter works, even if you apologized for it hahah
hey great video! The length of it was perfect and you clearly know your subject well. Thanks for posting
Appreciate the kind words! Hope I can keep making good content
Thank you for the great explanation!
Love it! That's an amazing explanation! Keep up the good work!
Wow man, that was really an interesting and exhaustive video!! Thank you a lot! Very very good job
Very nicely explained!
Very good explanation, with just right amount of details.
Public key cryptography and then U2F might be good topics for next videos
Loved it. Very nicely explained for everyone
Hey man, thanks for the great vid. It was very clear and easy to understand.
Hey man, really appreciate the compliment! Look out for new videos coming up.
Great explanation!
Very nice video exactly what I wanted 👍
Nice explanation! Thanks so much, I'm looking forward to learning how to implement it in Golang
Really nice video, thank you.
Bro, you blew my mind. Thanks for the explanation.
Nice explanation. Thanks.
Great video, thank you!
Thanks for the video, it is awesome.
Thank you for this Video.
Niceee. Thanks dude! you saved my day
Keep up the good work!
Thanks man, will do!
Excellent video dude 🔥
Thanks 🔥! I really appreciate your comment!
Amazingly explained thanks!
I have a question apart from the topic: What are you using to draw?
GoodNotes on iPad . Thanks for the kind words!
You have gained a subscriber. +1
Hell yeah
I feel like it was a bit too complex for me but it is a great video
Sorry about that, I’m still getting the hang of making tutorials, hopefully next time it will be more clear
Thank you
Great explanation! Thanks so much. With so many of these security techniques and tools, there are NO good explanations how they work. I looked high and low for an explanation of how *any* authenticator worked and yours was the only one that really explained it. Your diagrams are excellent and the key to really explaining it well.
Good shit gaby
How does Google keep our secret key safe? What do you think about their new feature which allows people to store them on their Google account?
legend !!
How does the Google Authenticator app (or the RSA app) store the secret securely on the phone? How is it also stored on the server side? Should there be some encryption as well, or is it just stored as plain text in a DB or cache?
That’s application specific and not dictated by the spec.
Having said that, iOS and Android offer secured & encrypted storage APIs that can be used for this purpose. Remember that your app doesn't need to store anything client side, only Google Authenticator / Authy does. You only need to send the code you copy from there.
On the server side, you could encrypt it, or maybe the database where you store it is encrypted. Unlike a password, which is hashed and salted because it represents something the user provided, this is just a token of some kind that you can rotate and that functions as additional security. If somebody gains access to this token you have much bigger problems than them just being able to skip two-factor auth.
Those 16 digit codes that we are given when we set up 2FA on an app such as Binance, or similar. Can we re-view them/check if they are correct somehow?
I don't believe you can re-view them unless the service actively tries to make them available, and I think they must be a form of encoding of the secret shown in the video
good explanation
Thank you! Glad you enjoyed it
@Gabzim for sure 🎉
How is the secret handled on the web server? For passwords, best practices dictate never storing the password, and instead storing a salted hash of the password. If there is a breach, passwords are not revealed. In the case of the TOTP secret, is there a similar mechanism being used, or is the secret held on the server side in plaintext? If the latter, couldn't you theoretically retrieve the secret from the website if you should lose your copy? Also, wouldn't that compromise the security of the TOTP secret in the event of a breach?
The problem is that both the server and client need to use the same text to generate the code. So you can't salt etc.
If somebody has compromised your system to the level you describe, you are in trouble either way; the difference with passwords is that you're leaking a user's private information. The secret here is your app's token but it does not represent a user's password. Think of a reset password token. If an app leaked my password I'd be pissed, especially because most users share their password for multiple things. That wouldn't happen with this secret.
@Gabzim No, you can't salt or hash. I get that. As designed, both the user's 2FA app and the server need to know the shared secret in order to generate and compare the six-digit code.
One possibility, though, is to encrypt the secret server-side, using the user's password. The server doesn't know the secret until it is unencrypted by the user when they log in. When authentication is done, the unencrypted secret can be securely erased until it is needed again. If the user changes their password, the secret can be unencrypted using the outgoing password during the password change, then re-encrypted with the new one.
This method seems fairly secure, and is vastly preferable to leaving it in plaintext.
Is there a reason not to use Diffie-Hellman when exchanging the secret?
The biggest one I can think of is that this is a method to further secure your account. So that generally means you’re already authenticated and speaking through a secure channel (most likely TLS) so there’s no need for DH since your conversation is most likely taking place over an encrypted connection instead of an insecure channel. I guess you could say that since this is probably happening over a TLS channel, you are using Ephemeral DH
@Gabzim I now need another video to understand the question from Laurence and your answer.
I am planning to implement TOTP in my college project as a verification system instead of SMS authentication. Any advice is appreciated.
What language/platform will you be using? Use a ready made library, there are a lot of pretty straightforward implementations.
Gabriel Zimmermann ok thanks 👍🏻
Does that mean TOTP will break down when Unix time maxes out?
If you are using a 32-bit integer that could be a problem, however I can't recall if the RFC enforces that. With a 64-bit unsigned int you should be fine.
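The counter question above, and the video's "How do you validate?" chapter, are easiest to see in code. The following is an added example, not code from the video or from any of the apps it mentions: HOTP as specified in RFC 4226 (HMAC over an 8-byte big-endian counter, so the full unsigned 64-bit range, followed by dynamic truncation), TOTP as specified in RFC 6238 (the counter is Unix time divided by a 30-second step), base32 decoding of the secret in the form an otpauth QR code carries, and a server-side check that accepts the current step plus one step on either side. The secret is the published RFC 4226/6238 test seed, so the outputs can be compared against the RFCs; the ±1 step window and the `verify_totp` helper name are assumptions, not anything the RFCs mandate.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed input: the ASCII seed "12345678901234567890" from the RFC 4226 /
# RFC 6238 test vectors, written in the base32 form an otpauth:// QR code carries.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as found in an otpauth:// URI.

    QR codes usually omit the '=' padding and some apps show the secret in
    lowercase or with spaces, so normalise before decoding.
    """
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    if not 0 <= counter < 2**64:
        raise ValueError("counter must fit in an unsigned 64-bit integer")
    msg = struct.pack(">Q", counter)          # 64-bit counter, network byte order
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                   # low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24            # mask the sign bit of the 31-bit value
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check (assumed helper, not from the RFC).

    Accepts the code for the current step or any step within +/- window to
    absorb clock drift. Returns the matching step index so the caller can
    record it and refuse a second use of the same code, or None on failure.
    """
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        step_index = current + delta
        if step_index < 0:
            continue
        expected = hotp(secret, step_index, digits)
        # constant-time comparison so a mismatch position is not observable
        if hmac.compare_digest(expected, candidate.strip()):
            return step_index
    return None


if __name__ == "__main__":
    secret = decode_secret(EXAMPLE_SECRET_B32)
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(secret, c)}")
    print("TOTP at T=59 (8 digits):", totp(secret, 59, digits=8))
    now = int(time.time())
    code = totp(secret, now)
    print("TOTP now:", code, "-> accepted at step", verify_totp(secret, code, now))
    print("Counter 2**64-1 still works:", hotp(secret, 2**64 - 1))
```

With the RFC test seed, counters 0, 1 and 2 produce 755224, 287082 and 359152, and the 8-digit TOTP at T=59 is 94287082, matching the published vectors. Because the counter is packed with `>Q`, a 32-bit Unix time rollover is not an issue at this layer; the risk the comment raises only arises if the platform's clock or an intermediate integer type is 32-bit. The `verify_totp` return value matters in practice: a server that does not remember the last accepted step allows a captured code to be replayed within the window.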
I am just using simple OTP without authentication for sending a password.
Does OTP have a key exposure problem on the internet, meaning if hackers find private keys from email?
You can communicate a key in any way you want, though the most common way is often a QR code (since the generator will be running on a phone for practical reasons). It then depends on the client how to keep it safe. They can rely on OS APIs to save to encrypted storage or use any form of encryption to store it on disk
Clear as mud.
Hope next time it is clearer 😅
Maybe use physics - physics uses math(s) - heavily, tbf
A 5 year old? Well... I have to compliment you on your brilliant explanation; however I don't think a five-year-old could understand it, lol. 😄
haha, I'm learning this the hard way. Maybe the next one I'll make for 10-year-olds 😂
I don't think a 5 year old would understand this lol. But good explanation.
Are you saying that 5 year olds don’t know what a cryptographic hash is? 😂
"I'm going to explain this to you from the point of view that you're five years old."
Immediately starts talking about algorithms, hashes, and encryption with no explanation of what those things are
Yep, this is among my first videos and I reckon that I didn’t take that into account. Hopefully my future videos will be more true to the title
@Gabzim it's okay. It would seem from the comments that many people still understood what you were talking about. Some of it went over my head, but for the most part it made sense. Next time, assume we're all newborns :)
Nobody:
5 year old: now I am an expert in cryptology
I love this comment
@Gabzim It was not quite simple for a 5-year-old to understand but nice explanation lol :D
@Gabzim How's your baby? :)
Doing well thanks! They grow so fast.
yeah I learned a lot from making these videos, I am hoping that my next explain like I’m 5 videos are easier to understand
@Gabzim Quality CZcams content over anything! Wish the best for you :)
Could you explain it like I'm a two-year-old 😮
You must know some very precocious five-year-olds ;-)
One minute and 20 seconds in and you lost me already.......
Buddy, 4-year-olds are gonna have a tough time understanding that 😂
I went to public school man.
You lost the 5 year old at the first “SHA1”
So you're saying that a kindergartner can understand this.......really?
Can I authorize unlimited users in my app by using OAuth 2.0?