Understanding How Google Authenticator app works

时光怂恿深爱的人放手 submitted on 2019-12-13 07:41:37

Question


I have seen many two-factor authentication apps like the Google authentication app.

The app works offline and resets the key on the phone every 30 seconds.

So how does the server know which keys are valid?

I am having trouble understanding this.

And if I were to create such an app myself, how can I do so?


Answer 1:


Google Authenticator uses the Time-based One-time Password Algorithm. It uses the current time and a shared secret key to compute the code. The generated codes validate as long as the device and server have the correct time set.




Answer 2:


Google Authenticator uses 2 different methods:

1...

The "time-based" version (TOTP) is pretty simple to keep in sync. (Both your device... and the remote server... must have the same/correct time.)

2...

The "counter-based" version (HOTP) stays in sync (even if your mobile device is in airplane-mode) and somehow updates its counter internally every 30 secs... and the remote server does the same.

I've only worked with #1... since Google isn't very clear about how the #2 counter can stay "in sync" (changing every 30 secs) without any communication between the mobile device and remote server.



Source: https://stackoverflow.com/questions/33772994/understanding-how-google-authenticator-app-works
