Authenticate With Google Authenticator

Google Authenticator is a popular app to enable a mobile phone as a second factor for authentication. It's based on the TOTP standard, which the Curity Identity Server supports. In this tutorial, we'll describe how to set it up.

Prerequisites

You will need an installation of Curity Identity Server with the basic setup completed. You can achieve this by following our Getting Started Guides. Alternatively, if you have a system up and running with your own configuration, you can use that as well. Just be aware that you probably have different names set for certain components.

Setting up the Authenticator

First, create a new Authenticator by giving it a name and selecting the TOTP type.

Since we'll use Google Authenticator as a second factor, we still need a first factor. For this demo, we'll use the HTML form Authenticator called username-password. Add it both as a Login and as a Registration prerequisite. This will also let the Authenticator know which account the device is bound to.

Then, choose which Account Manager to use. Select the default-account-manager. Then configure which Bucket to use. Select default-bucket. Keep in mind; Google Authenticator only supports the SHA-1 Algorithm. If you are using other TOTP apps, they might support stronger algorithms.

Lastly, we must set the source of the key. The key could either be pre-generated or generated on the fly. If it is pre-generated, use the pre-shared-key-configuration. If not, you can let Curity Identity Server generate it on the fly when a new device is registered. To configure this, select generated-key-config and choose which Bucket to store the key in. We will choose the default-datasource again. We will also set the Issuer to make it easy for the end-user to identify this account in the Google Authenticator App. Set it to Curity test server.

Register a Device

Once you set up the Authenticator, you must register your device to your user account. Accomplish this by clicking on the Register new device link in the Authenticator. This will bring up a QR code. Scan this code with the Google Authenticator App and press Next to confirm your setup is correct.

Conclusion

Now, you can authenticate with Google Authenticator on your mobile phone as a second factor. You can also manage your devices via SCIM and set devices to expire after a certain amount of time. In this example, we used a one-factor authentication to register the device, but a two-factor process would be more secure in production.