Google Authenticator would make a fantastic third-party authentication tool
Tuesday, Feb 22, 2011
Google's implementation of 2-factor authentication would be a fantastic platform for third parties needing the same functionality. Imagine that you run a website that could benefit from 2-factor authentication. If Google chose to support it, a Google Authenticator API would be dead simple. Say you run Reddit and want to support 2-factor auth. You could send a request to the GAuth API with the name of your service/account (in this example, "Reddit: kfury") and Google would pass back a secret token and a url to a QR code image. You (Reddit) store the secret token in your user database and associate it with your user. You give the QR code to the user so they can suck it in to their phone with their Google Authenticator app.
Example screenshot of Google Authenticator with Reddit
Now when the user wants to sign in you ask them for a current code from Google Authenticator and, having received it, you pass it and the user's secret token to the GAuth API, which returns a simple 'pass' or 'fail'. Reddit would log me in or tell me the code was bad, accordingly. Rate-limiting and other protections could be built in to the API so the individual sites wouldn't have to worry about that either. Judging by the generic nature of the Google Authenticator app this is probably part of the plan, and if so I can't wait. Update: Thanks to @elstudio and Nelson Minar for pointing me to the google-authenticator project which allows site admins to use Google Authenticator with PAM to auth on their sites. It could still be made easier for the casual developer if they could stay away from the auth side altogether, but with this code anyone could implement the kind of GAuth API I described. Exciting!
If you like it, please share it.

Hi, I'm Kevin Fox.
I've been blogging at since 1998.
I can be reached at .

I also have a resume.


I'm co-founder in
a fantastic startup fulfilling the promise of the Internet of Things.

The Imp is a computer and wi-fi connection smaller and cheaper than a memory card.

Find out more.

We're also hiring.


I post most frequently on Twitter as @kfury and on Google Plus.


I've led design at Mozilla Labs, designed Gmail 1.0, Google Reader 2.0, FriendFeed, and a few special projects at Facebook.

©2012 Kevin Fox