I were planning to make one. But then I found this. Afaik, many apps should be made using html. Btw. I would like to see TOTP mentioned instead of Google/Gauth. But I assume Google something is much cooler than anything else. See: https://en.wikipedia.org/wiki/Time-based_One-time_Password_A... - So it's generic TOTP implementation, not Google(only) Authentication app trusting Google infrastructure. Also, there might be local storage security issues with HTML5 apps, but I'm not expert in that field.
Recently also Dropbox started to use the same TOTP implementation for securing with a two-factor auth. I have used the name G since they wrote the specification and at the time of this implementation, they were the only user.
I wrote the application so I would be able to use 2FA on my 'aging' MeeGo phone, the N9. No tools were available and implementing it with web technologies would allow me to port it easily to a desktop environment, an extension, etc.
I was wondering what I'd use this for (either as an end-user or as a developer), when I found that people actually use their google-account for two-factor authentication for their SSH accounts.
You know what? I don't trust Google enough to allow them to lock me out of my own systems, and I'm surprised other obviously technologically inclined people do.
> You know what? I don't trust Google enough to allow them to lock me out of my own systems, and I'm surprised other obviously technologically inclined people do.
This is a common misconception of Authenticator. It is an open source implementation of OATH which works entirely offline once the initial secrets have been shared.
Using Google Authenticator for SSH accounts (via PAM) does not give Google the ability to lock you out of your systems.
Excluding severe bugs and overly paranoid scenarios, e.g. the entire Authenticator system being a convoluted plan for Google to take over your servers.
Google Authenticator is just a client for the open OATH protocol. It doesn't rely on Google at all - there's no network connection, it's just a number being calculated from a seed + the current time.
Nitpicking: '... or a counter on the token/device'.
As far as I know Google Authenticator allows both time and counter based accounts. Not that it changes anything regarding the GP's misconception about accessing external services.
The application I wrote works for all the mentioned websites, e.g. Drupal, Amazon, Dreamhost, Dropbox, etc since it implements the standard HOTP specification. It is merely named G since this is the most well-known implementation and was my first use-case.
You can implement the whole protocol in a few lines of python, or whatever is your weapon of choice. Secure key management aside it could do the same functionality. Google authenticator is just a confort option.
I don't have the context here but it's entirely possible to use it without Google's knowledge. For example Amazon also implements Gauth for their two-factor scheme.
