Does Google Authenticator Work Offline?

Google Authenticator is a great way to keep your email accounts secure. Can you use it when you're not connected to the internet? Yes!

So what is Google Authenticator?

When a black-hat steals your password, you might be locked out, and your sensitive information might be viewed or even deleted. The doxxers could also pretend to be you and send unwanted or harmful emails to all of your contacts. They could even use your account to reset the passwords of your other accounts, such as banking, shopping, etc.

If you lose access to your account and everything in it, what would you do?

With Google Authenticator, you can protect your accounts against password theft for free. Among the services that use it are Gmail, Facebook, Twitter, Instagram, and more. It is easy to set up and can be used as part of a process known as two-factor authentication (2FA). Two-factor authentication simply means authentication made up of two parts: not only a login and password, but also an additional code.

Google Authenticator works slightly differently from SMS codes, which are sent directly to your mobile and which you then enter to log in (making it difficult for doxxers, who could also potentially clone your phone). That is because it is also time-based. Essentially, Google Authenticator relies on the idea that a code only works if your device and the service are in sync and the code is used around the time it was generated.

Instead, a random code is generated by the app (iOS/Android) for use when you log into various services. This is set up by scanning a QR code, and the algorithm is based on synchronised time: the 6-digit passcode is formed from the current time and the secret key. It is technically possible to receive a code via text message every time, but the Google Authenticator app provides an added layer of security by asking you for this algorithmic code, which rotates every time you try to log in.

If you use SMS-based 2FA, a devoted hacker can socially engineer an attack against your phone company. By generating codes on your phone using algorithms, Google Authenticator eliminates the possibility of SMS-based attacks.

You must enter a password and a unique verification code from your phone. This will keep the bad guys out because even if these black-hats have your password, it won’t be enough for them to hack into your account: the additional verification system now requires your phone and the time of verification.

So does Google Authenticator work offline?

The short answer is yes.

Mobile or internet connections are not required to use Authenticator. The secret key is an alphanumeric code of 16 or 32 characters generated by the system. The software generates the same code as Google with the help of TOTP technology, which does not require an internet connection.

The only thing it depends on is the current time and a shared secret (which is shared at the time of setup).

It can then simply combine the secret and the current time to generate the one-time password (OTP) (usually 6 or so digits). Because the remote server holds the same secret, it generates the same password and can compare the two.

It is impossible to predict the next OTP from previous codes. This means that as long as only the two parties know the secret, each OTP will be secure.
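To make the offline point concrete, here is an added example (not code from Google or from this article) of how an authenticator app and a server can each derive the code from nothing but the shared secret and their own clocks. It assumes the TOTP defaults from RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the function names, the `drift_steps` tolerance and the sample secret (the RFC's published test key) are choices made for this illustration.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds per code (RFC 6238 default, assumed here)
DIGITS = 6   # code length the article mentions

# Constructed sample secret: the RFC 6238 test key, base32-encoded (32 characters).
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, now=None, step=STEP, digits=DIGITS):
    """Derive the code from the shared secret and the clock only; no network I/O."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now=None, drift_steps=1):
    """Server side: recompute from the same secret and compare in constant time.
    drift_steps (hypothetical parameter) accepts codes from adjacent time steps."""
    now = time.time() if now is None else now
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + d * STEP)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

if __name__ == "__main__":
    server_now = time.time()
    code = totp(SECRET, server_now - 20)    # phone clock 20 s behind the server
    print(code, verify(SECRET, code, server_now))
    stale = totp(SECRET, server_now - 300)  # phone clock 5 minutes behind
    print(stale, verify(SECRET, stale, server_now))
```

The phone needs no connection to produce a valid code, but its clock matters: a code from a device that has drifted by minutes falls outside the accepted window and is rejected.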

We hope this guide has helped you. You may also be interested in our article Do Password Managers Work Offline? or our other ways of keeping the black hats out of your personal details on our blog Pragmatic Paranoia; paranoia at its best!