3

My understanding is that TOTPs are like HMAC, where the code is derived from time.

However, I am struggling to understand the concept of Backup Codes in Google Authenticator and how they are calculated, as they are not time-sensitive and can be used in any sequence. So how has Google implemented that?

Marcel
  • 3,494
  • 1
  • 18
  • 35
  • Could you clarify - are you talking about backup codes for a service using TOTP (e.g. Google Account), or backup codes for Google Authenticator App (e.g. if your phone breaks, you can restore access to all TOTP tokens without interacting with individual services). – domen Feb 17 '20 at 16:39

2 Answers

3

Google Auth and any other service using TOTP provide you with the time-based tokens, but they understand the possibility of losing the device or not being able to access the codes.

E.g. your phone got stolen or was heavily damaged.

So when you add a service like this, they provide you another login mechanism apart from TOTP: those are the backup codes. They are not part of TOTP but a remediation method if you lose access to it.

  • I'm not sure @blackbox007 is talking about backup for individual services. Looks to me it's about backup for the Authenticator itself (I don't use that, but I do use Authy, which provides similar functionality and does have backup for the authenticator itself). – domen Feb 17 '20 at 16:37
  • On Google 2FA, when you set up the TOTP method, just when you confirm the code from the web view and the app, it automatically enables the backup codes. As UX visualization it seems to be part of TOTP, but as you can see in their [documentation](https://support.google.com/accounts/answer/185839?hl=en&ref_topic=2954345) on **Step 2**, you can choose the 2FA method; after you finish setting up the app codes, it auto-enables the [backup codes](https://support.google.com/accounts/answer/1187538). – Fabian Diaz Feb 18 '20 at 00:12
  • It appears you're right, Google Authenticator does not support the feature I had in mind (https://authy.com/blog/how-the-authy-two-factor-backups-work/), so there's only one way to interpret OP's question. – domen Feb 18 '20 at 09:11
1

Google Authenticator, and the underlying TOTP concept, do not have backup codes. These are a different concept, provided by Google, alongside their TOTP implementation.

Marcel