Copyright belongs to the author.
For commercial reprints, please contact the author for authorization; for non-commercial reprints, please credit the source.
Xu Xiaohua
Link: http://www.zhihu.com/question/20462696/answer/18731073
Source: Zhihu
When two-step verification is turned on for a Google account (i.e. the Google Authenticator service), the user must additionally enter a one-time password generated by the mobile client when logging in.
Implementing Google Authenticator requires support on both the server side and the client. The server side is responsible for generating the key and for verifying that the one-time password is correct; the client generates the one-time password after it has recorded the key.
Current clients:
Android version: Google Authenticator
iOS version: https://itunes.apple.com/cn/app/google-authenticator/id388497605
Implementation principle:
First, when the user enables the Google Authenticator service:
1. The server randomly generates a key such as "DPI45HKISEXU6HG7" and saves it in the database.
2. The page displays a QR code that encodes a URI of the form otpauth://totp/account?secret=key, for example "otpauth://totp/[email protected]?secret=DPI45HCEBCJK6HG7":
[Image: the QR code that encodes this otpauth URI]
3. The client scans the QR code and saves the key "DPI45HKISEXU6HG7" on the client.
Second, when the user logs in:
1. Every 30 seconds, the client uses the key "DPI45HKISEXU6HG7" and the current timestamp to generate a 6-digit one-time password, such as "684060", through an "algorithm". For example, the Android client looks like this:
[Image: Android Google Authenticator screen showing one-time passwords for several accounts]
2. The user enters the one-time password "684060" when logging in.
3. The server side uses the key "DPI45HKISEXU6HG7" saved in the database and the timestamp to generate a 6-digit one-time password through the same "algorithm". By the controlled-variable principle, if the algorithm is the same, the key is the same and the time (the timestamp) is the same, then the one-time passwords computed by the client and the server are the same. If the server finds that they match, the login succeeds.
Tips:
1. This "algorithm" is public, so there are also many open-source server-side implementations, such as the PHP version: https://github.com/phpgangsta/googleauthenticator . Search GitHub for Google Authenticator to find versions in more languages.
2. So you can easily add Google Authenticator support to your own project; for how multiple accounts are displayed in one client, see the Android screenshot above. Dropbox, LastPass, WordPress, and even VPS providers and other third-party applications currently support Google Authenticator login; please search for yourself.
3. In real life, the physical dynamic password tokens used by online banking and online games actually work on a similar principle; you can fill in the rest yourself. Thank you.
[Image: a physical dynamic password token]
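The setup and login steps described in the answer, carried through in working code as an added example (this is not code from the answer, from Google, or from the PHP project linked above). The public "algorithm" is HOTP (RFC 4226), HMAC-SHA1 over a counter with dynamic truncation, driven by the Unix time divided into 30-second steps (TOTP, RFC 6238), which is what Google Authenticator uses. The block covers both sides: key generation and the otpauth URI for the QR code on the server, code generation on the client, and verification on the server. The account name alice@example.com, the issuer "Example" and the one-step tolerance window are assumptions; the RFC 6238 test key is included so the result can be checked against the published vectors.

```python
"""TOTP as used by Google Authenticator: key generation, otpauth URI, code generation, verification.

Added example, not the answer's own code. RFC 4226 (HOTP) + RFC 6238 (TOTP):
HMAC-SHA1, 30-second time step, 6 digits.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

TIME_STEP = 30   # seconds per counter value (the "every 30 seconds" in the answer)
DIGITS = 6       # length of the one-time password


def generate_secret(nbytes: int = 10) -> str:
    """Server side, setup step 1: random key, Base32-encoded for the otpauth URI.

    10 random bytes encode to exactly 16 Base32 characters, the shape of
    "DPI45HKISEXU6HG7" in the answer. RFC 4226 recommends at least 16 bytes
    (128 bits) of secret; pass nbytes=20 for a 160-bit key.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(account: str, secret: str, issuer: Optional[str] = None) -> str:
    """Server side, setup step 2: the URI that is rendered as the QR code."""
    label = urllib.parse.quote(account)
    params = {"secret": secret}
    if issuer:                       # optional; the app shows it next to the account
        label = urllib.parse.quote(issuer) + ":" + label
        params["issuer"] = issuer
    return "otpauth://totp/" + label + "?" + urllib.parse.urlencode(params)


def decode_secret(secret: str) -> bytes:
    """Base32 key -> raw bytes, tolerating spaces, lower case and missing '=' padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)            # keep leading zeros


def totp(secret: str, for_time: Optional[float] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Client side, login step 1: the one-time password for a given Unix time."""
    if for_time is None:
        for_time = time.time()
    return hotp(decode_secret(secret), int(for_time) // step, digits)


def verify_totp(secret: str, code: str, now: Optional[float] = None, window: int = 1,
                step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Server side, login step 3: recompute with the stored key and compare.

    `window` accepts +/- that many 30-second steps of clock drift between the
    phone and the server (assumed value: 1). The comparison is constant-time so
    the result does not leak how many digits matched. A real deployment must
    also refuse to accept the same code twice (remember the last accepted
    counter per user) and rate-limit attempts: a 6-digit code has only a
    million possibilities.
    """
    if now is None:
        now = time.time()
    key = decode_secret(secret)
    counter = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


# Key from RFC 6238 Appendix B (ASCII "12345678901234567890"), Base32-encoded so it
# can be used exactly like a key scanned from a QR code.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


if __name__ == "__main__":
    # Setup: the server generates the key and the QR-code URI (account/issuer are assumptions).
    secret = generate_secret()
    print(provisioning_uri("alice@example.com", secret, issuer="Example"))
    # Login: the client computes the code for "now"; the server verifies it with the same key.
    code = totp(secret)
    print(code, verify_totp(secret, code))
```

Running the file prints a fresh otpauth URI and a code that verifies against it; scanning the URI into the Google Authenticator app and comparing the app's digits with `totp(secret)` is the quickest way to confirm the two sides agree. With the RFC 6238 test key, `totp(RFC6238_TEST_SECRET, 59)` returns "287082" (the published 8-digit value 94287082 truncated to 6 digits), and a code is still accepted one step late but rejected two steps late.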
What is the implementation principle of Google Authenticator?