
Understanding How Google Authenticator app works

Published 2019-09-02 18:45

Question:

I have seen many two factor authentication apps like the google authentication app.

The app works offline and resets the key on the phone every 30 seconds.

So how does the server know which keys are valid?

I am having trouble understanding this.

And if I were to create such an app myself, how can I do so?

Answer 1:

Google Authenticator uses the Time-based One-time Password algorithm. It uses the current time and a shared secret key to compute the code. The generated codes validate as long as the device and server have the correct time set.

Answer 2:

Google Authenticator uses 2 different methods:

1...

The "time-based" version (TOTP) is pretty simple to keep in sync. (Both your device... and the remote server... must have the same/correct time.)

2...

The "counter-based" version (HOTP) stays in sync (even if your mobile device is in airplane mode) and somehow updates its internal counter every 30 secs... and the remote server does the same.

I've only worked with #1... since Google isn't very clear about how the #2 counter can stay "in sync" (changing every 30 secs) without any communication between the mobile device and remote server.