29

I have a web app that is Angular2 on the front-end and NodeJS on the back-end. I want to allow clients to use Google Authenticator to make their accounts more secure.

How can I implement/use Google Authenticator in my website? I cannot find an API to use, any tutorials to follow, or any libraries to use. Where can I find some resources to do this?

georgej
  • 2,401
  • 4
  • 17
  • 43
  • Just implement the ability to authenticate as a user via a Google account. That's all you can do. Whether the user will have to use the Authenticator depends on *their* account settings and will be different on a per-user basis. – Chris G Jun 27 '17 at 19:48
  • @ChrisG Oh, so a client would only be able to use the Google Authenticator option if they have a google/gmail account? – georgej Jun 27 '17 at 19:49
  • No, but you tagged this with `google-authentication`, which is "all authentication using google accounts", so I assumed your question was about adding a gmail login to your web app. – Chris G Jun 27 '17 at 19:54
  • 1
    I have reservations on Chris G's comment. Enabling sign-in with Google accounts is not all you can do. You can certainly develop MFA to your app's "built-in" accounts that works with an authenticating app like Google's or Microsoft's. Several sites are doing this and one I can think of at the moment is 500px. – pmdci Mar 14 '19 at 09:24

1 Answer

37

The key phrase that you're looking for is "TOTP" (Time-Based One-time Password) - and it is a specification, rather than an API maintained by Google.

At a very high level, your backend will generate a secret that it will share with your users' Google Authenticator app. At login, both the Authenticator app and your backend will use the stored secret and the current time to generate a single-use key. If the keys match, it means that the secrets match, and the user may be logged in.

The SpeakEasy node implementation seems to be pretty popular on github.

Andrew Rueckert
  • 3,877
  • 1
  • 25
  • 38
  • Speakeasy provides [sample codes](https://github.com/speakeasyjs/speakeasy/blob/master/README.md) for a JavaScript implementation. There is no communication with Google Authenticator - there is no need to, cf the TOTP specs linked by Andrew Rueckert above. – Nino Filiu Jul 20 '18 at 12:01
  • SpeakEasy seems to be an abandoned project, with their last update 6 years ago. – DeftToneR Feb 26 '21 at 14:50
  • "NOT MAINTAINED" – jasonleonhard Apr 21 '21 at 21:37
  • 1
    Just google `TOTP`, and you'll have your pick of implementations. The [otplib](https://www.npmjs.com/package/otplib) NPM library looks like it can probably do what you want. It hasn't been updated in about a year, but the spec doesn't change, and the old code will still produce the correct 6-digit sequence. – Andrew Rueckert Apr 29 '21 at 01:13