Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How does 2-step-authentication when using Authenticator App?

H

HarryPot

macrumors 65816
Original poster
Sep 5, 2009
1,085
548
Hi,

Today I've been setting up 2-step-authentication in my important accounts.

The last I configured was Amazon, which requieres not only your mobile phone, but a second method to authenticate. I choose the "use an authenticator app" option.

So, I downloaded the app from Google, and by scanning the picture given by Amazon the app gave me a code to enter. After this all was set up correctly.

My doubt is, I didn't even had to Sign In in the Authenticator App from Google. How can Amazon verify that the code given by the app is from me? If I didn't had to make any kind of link between the app and Amazon.

Thanks:)
 
Those authenticator apps work similar to an RSA SecureID token if you've ever used one. Basically, the app generates a number based off the current time and a unique ID tied to your account. Amazon's server is doing the same, generating a code based off the time and the same unique ID. Since your phone and Amazon's servers should both be synced to an Internet time server, have the same unique ID, and are using the same algorithm, your phone app and Amazon's servers will generate the same code. When you log in, you type the code that shows in the app, Amazon generates the code on their end, if they match, it lets you in.

What you scanned was a QR code containing that unique ID, so now everything's in sync. The code you entered was just a test to make sure it worked. I don't use 2FA on Amazon, but I'm assuming they have an option to deactivate the authenticator app if you lose your phone, this basically just changes that unique ID on your account so the code generated by the app and the server no longer match.
 
  • Like
Reactions: HarryPot
yg17 said:
Those authenticator apps work similar to an RSA SecureID token if you've ever used one. Basically, the app generates a number based off the current time and a unique ID tied to your account. Amazon's server is doing the same, generating a code based off the time and the same unique ID. Since your phone and Amazon's servers should both be synced to an Internet time server, have the same unique ID, and are using the same algorithm, your phone app and Amazon's servers will generate the same code. When you log in, you type the code that shows in the app, Amazon generates the code on their end, if they match, it lets you in.

What you scanned was a QR code containing that unique ID, so now everything's in sync. The code you entered was just a test to make sure it worked. I don't use 2FA on Amazon, but I'm assuming they have an option to deactivate the authenticator app if you lose your phone, this basically just changes that unique ID on your account so the code generated by the app and the server no longer match.
Click to expand...

I haven't set it up on my Amazon account either but I believe this is the way it works.

Also, if you were to lose your phone, when you activate the Authenticator app on a new device it will automatically deactivate the codes from the old device, I would think the Amazon setup would be similar.
 
How does the MacRumors 2 step verification work?

Honestly I have it set up with my google email accounts, and it's kind of a pain, although I acknowledge that it does amount to extra security. As I switch between computers it frequently makes me put in a code, although I've all ready said "trust the computers" I use on a regular basis...
 
Thanks for the explanation!

I agree that Two Step Verification seems like a pain sometimes. I'm just intending to use it in accounts where I have my credit card stored or my email accounts.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back