Ok, so, I know I'm awesome and totally omnipotent when it comes to tech stuff... but I'm buggered if I can work out what makes Authenticator Apps so secure.
I figure they have a randomisation/hashing function built in, but, who controls the keys? How do these little gizmos work and why aren't they being hacked?
There must be something special about them. Microsoft has one and, as far as I know, it's the only piece of software they've ever written that hasn't been compromised.
So, please enlighten me...
Cheers.
Authentication apps, such as Google Authenticator, Microsoft Authenticator, and Authy, use a technology called Time-Based One-Time Password (TOTP) to generate a temporary six-digit code that you enter when logging in to a website or service. TOTP is a type of two-factor authentication (2FA) that combines something you know (e.g., your password) with something you have (e.g., your phone) to add an extra layer of security to your login.
Here's how it works: When you set up 2FA for a website or service, you'll usually be asked to scan a QR code with your authentication app. This QR code contains a secret key that's unique to your account and is used to generate TOTP codes. The app uses this key and the current time to generate a six-digit code that changes every 30 seconds. When you log in to the website or service, you'll be prompted to enter this code in addition to your password.
The security of TOTP-based 2FA depends on two things: the secrecy of the shared secret key, and the fact that TOTP codes are valid only for a short period of time. The shared secret key is generated by the website or service when you set up 2FA, and it's stored securely on both the server and your phone. The key is never transmitted over the internet, so it can't be intercepted by an attacker. Additionally, the TOTP codes are valid only for a short period of time (usually 30 seconds), so even if an attacker manages to intercept a code, it will be useless by the time they try to use it.
Regarding your question about who controls the keys, the answer is that the keys are controlled by the website or service that you're logging in to. The authentication app simply uses the key to generate TOTP codes, and the key is never transmitted to the app or any other third party.
As for why these apps aren't being hacked, the short answer is that they are secure when implemented correctly. The TOTP algorithm has been around for many years and has been extensively tested and scrutinized by security experts. That being said, no system is completely foolproof, and there have been some cases of TOTP-based 2FA being bypassed through social engineering or other methods. However, these are relatively rare compared to other forms of attack such as phishing or password guessing.
Finally, it's worth noting that there are other forms of 2FA, such as Universal 2nd Factor (U2F) and WebAuthn, which are even more secure than TOTP-based 2FA. These methods use hardware security keys that provide an even stronger form of authentication.