Suggestion: Windows Phone Authenticator App

**cotti** · 03-15-2014 03:12 AM

"Hello?

Are you from the RPG group playing tonight?

Oh, just wanted to warn you that Sanders, the necromancer, is going to be late tonight."

**Strifex** · 03-29-2014 02:10 PM

I'm a Windows Phone developer...would gladly work with SE to make this app for Windows Phone if they were interested...I sure hope they hire someone to do it soon...hell I'd do it for free just so all us Windows Phone users could have it

**Sparky** · 03-29-2014 04:16 PM

They would never work with the community to make this happen, and there's a very good reason why not too. These authenticators work on the basis of a seeded random number string, so to build an app, you would need to know the algorithm they use. By knowing the algorithm and taking a lucky guess at the seed, you would as a result have the tool required to crack the two factor authentication completely... for anyone's account.

**Zaft** · 04-13-2014 12:01 PM

Originally Posted by Sparky

They would never work with the community to make this happen, and there's a very good reason why not too. These authenticators work on the basis of a seeded random number string, so to build an app, you would need to know the algorithm they use. By knowing the algorithm and taking a lucky guess at the seed, you would as a result have the tool required to crack the two factor authentication completely... for anyone's account.

Correct. If this were outsourced, and somebody were to leak the algorithm, they would have to change everything.

The chance of an authenticator being added to WP is slim seeing how minuscule the userbase is, but if enough people request it, it may happen.

**mk12_delta** · 04-13-2014 12:46 PM

New PS4 player here with a windows phone! I've learned not to hold my breath about apps not coming to WP8, but this would be awesome.

**WizardShotTheFood** · 04-13-2014 02:36 PM

Originally Posted by Sparky

They would never work with the community to make this happen, and there's a very good reason why not too. These authenticators work on the basis of a seeded random number string, so to build an app, you would need to know the algorithm they use. By knowing the algorithm and taking a lucky guess at the seed, you would as a result have the tool required to crack the two factor authentication completely... for anyone's account.

Let's set aside the fact that the app wouldn't even have to know that algorithm (all you need to do is have it tell the server "I am a new authenticator, please generate a seed value for me"). "Taking a lucky guess at the seed"? If you've got that kind of luck, then you'd better hurry up and get to Las Vegas before they find out and ban you for life.

There's plenty of one-time password algorithms that are already publicly known. RFC 6238 is used in everything from Amazon to Wordpress, OPIE is included in FreeBSD by default...hell, even Blizzard's two-factor authentication has had its algorithm figured out. As long as the algorithm doesn't call for an incredibly stupid seed (say, an unsalted MD5 of a randomly chosen dictionary word), knowing it won't necessarily give you any sort of advantage.

So you found out that the secret seed value is generated by firing photons into a beam splitter. How exactly is that going to make it any easier for you to guess what the seed value for a given authenticator is?

Thread: Suggestion: Windows Phone Authenticator App

Thread Tools

Search Thread

Display

Hybrid View