
All the products supporting TOTP-based 2FA use one of the common authenticator apps such as Google Authenticator, Authy, etc.

I want to understand whether there are any security reasons behind why the implementations prefer to use the generic authenticator apps and not build the TOTP code-gen application themselves or even have it in the main app (the one that relies on TOTP for 2FA)?

I see a few concerns:

  1. Most of the TOTP use-cases are for login, so I understand the need for a different app to share the code, instead of having the code-generator within the parent app, which cannot be accessed - well - until one logs in. However, 2FA can have use-cases other than login.
  2. Time-sync on the local device can be hard, so one can rely on apps like Google Authenticator to implement it rather than implement it themselves.

What are the other reasons? Are there any security concerns? I could not find any reference in the RFC specs.

supertramp

2 Answers


In my opinion you are essentially asking why developers rely on existing and established apps instead of inventing their own? There are many reasons for this, like

  • crypto is hard so better use something proven
  • shorter time to market
  • less development costs
  • maybe these apps are already familiar to the end user, i.e. less friction for the user and less support costs for the developer
Steffen Ullrich

There's a common misconception that the TOTP used by Google is proprietary, or uses a Google library, or something like that. It is not. The TOTP used by Authy, Google Auth, 1Password, KeePass and others is just one math equation that uses the current time and the token, and outputs 6 or 8 digits. Nothing else. You can do the same in a few lines of PHP, Python, Java...

Usually developers recommend Google Auth because it was one of the first user-friendly TOTP generators around, and most people use Google Auth as a synonym for TOTP. And the onboarding of it is very simple: install the app, scan the QR code, done. Other solutions involve creating an account, entering passwords, being rebuked for choosing 123456 as the password, and so on.

If the user has no prior exposure to TOTP tokens, he will most likely install Google Auth. Users that know about TOTP will either have it installed already, or another solution.

ThoriumBR
  • on my phones I replaced Google Auth with the open source variant FreeOTP, also user friendly with easy onboarding and all you need, available for Android and iOS. – lab9 Jun 09 '20 at 22:43