Multi-Factor Authentication With Google Authenticator
Google Authenticator is a popular app to enable a mobile phone as a second factor for authentication. It's based on the TOTP standard, which the Curity Identity Server supports. In this tutorial, we'll describe how to set it up.
Prerequisites
You will need an installation of Curity Identity Server with the basic setup completed. You can achieve this by following our Getting Started Guides. Alternatively, if you have a system up and running with your own configuration, you can use that as well. Just be aware that you probably have different names set for certain components.
Setting up the Authenticator
First, create a new Authenticator by giving it a name and selecting the TOTP type.
Since we'll use Google Authenticator as a second factor, we still need a first factor. For this demo, we'll use the HTML form Authenticator called username-password. Add it both as a Login and as a Registration prerequisite. This will also let the Authenticator know which account the device is bound to.
Then, choose which Account Manager to use. Select the default-account-manager. Then configure which Bucket to use. Select default-bucket. Keep in mind that Google Authenticator only supports the SHA-1 algorithm. If you are using other TOTP apps, they might support stronger algorithms.
Lastly, we must set the source of the key. The key can either be pre-generated or generated on the fly. If it is pre-generated, use the pre-shared-key-configuration. If not, you can let Curity Identity Server generate it on the fly when a new device is registered. To configure this, select generated-key-config and choose which Bucket to store the key in. We will choose the default-datasource again. We will also set the Issuer to make it easy for the end-user to identify this account in the Google Authenticator App. Set it to Curity test server.
Register a Device
Once you have set up the Authenticator, you must register your device to your user account. Do this by clicking the Register new device link in the Authenticator. This will bring up a QR code. Scan the code with the Google Authenticator App and press Next to confirm your setup is correct.
Conclusion
Now, you can authenticate with Google Authenticator on your mobile phone as a second factor. You can also manage your devices via SCIM and set devices to expire after a certain amount of time. In this example, we used a one-factor authentication to register the device, but a two-factor process would be more secure in production.