TOTP Random Secret

Technical description

Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of software applications.

During setup, the service provider generates an 80-bit secret key for each user (whereas RFC 4226 §4 requires 128 bits and recommends 160 bits).[5] This key is transferred to the Authenticator app as a 16-, 26- or 32-character base32 string or as a QR code.

Subsequently, when the user opens the Authenticator app, it calculates an HMAC-SHA1 hash value using this secret key. The message that is HMAC-ed can be:

- the number of 30-second periods since the Unix epoch (TOTP), or
- a counter that is incremented with each new code (HOTP).

A portion of the HMAC is extracted and displayed to the user as a six-digit code.
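The procedure above, carried through in code as an added example (not code from Google Authenticator or from this page): the base32 secret is decoded, its length is checked against the RFC 4226 §4 minimum and recommendation quoted earlier, and the HMAC-SHA1 result is truncated to a six-digit code for either a counter (HOTP) or the current 30-second period (TOTP). The secret string in the demo is a constructed 16-character example, not a real user's key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Section 4 secret-length requirements, in bits.
MIN_SECRET_BITS = 128
RECOMMENDED_SECRET_BITS = 160


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 string shown to the user (or carried in the QR code).
    Apps accept lowercase, spaces and missing '=' padding, so normalise first."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def secret_strength(key: bytes) -> str:
    """Compare the decoded key length against RFC 4226 Section 4."""
    bits = len(key) * 8
    if bits < MIN_SECRET_BITS:
        return f"{bits} bits: below the RFC 4226 minimum of {MIN_SECRET_BITS}"
    if bits < RECOMMENDED_SECRET_BITS:
        return f"{bits} bits: meets the minimum, below the recommended {RECOMMENDED_SECRET_BITS}"
    return f"{bits} bits: meets the recommended length"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = number of `step`-second periods since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits)


if __name__ == "__main__":
    # Constructed 16-character secret: decodes to 10 bytes, the 80-bit length the text describes.
    key = decode_base32_secret("JBSWY3DPEHPK3PXP")
    print(secret_strength(key))
    print("current code:", totp(key))
```

The `hotp` and `totp` functions reproduce the published RFC 4226 / RFC 6238 test vectors for the ASCII key `12345678901234567890`, which is a quick way to validate any TOTP implementation before trusting it.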

The Google Authenticator app for Android was originally open source, but later became proprietary. The open source project still allows you to download the code that powered the latest open source version of the application.
