Implementing Google Authenticator for 2FA with LDAP/AD

What Is Google Authenticator? #

Google Authenticator is a mobile app that generates a second authentication factor in the form of time-based one-time passwords (TOTP).
It is widely used to implement Two-Factor Authentication (2FA) and, because each code is derived only from the shared secret and the current time, it works without an internet connection once it has been configured.

How Google Authenticator Works: TOTP vs HOTP #

Google Authenticator supports two algorithms for generating one-time passwords:

  • TOTP (Time-based One-Time Password): The most common implementation (RFC 6238). The code changes every 30 seconds: it is an HMAC of the shared secret over the current 30-second time step, so client and server only need the same secret and a correct clock.
  • HOTP (HMAC-based One-Time Password): Less commonly used (RFC 4226). The code is an HMAC of the shared secret over a counter that increments each time a code is generated; client and server keep separate copies of that counter, so the server must track it and resynchronize when the client runs ahead.

At RELIANOID, we use TOTP for our 2FA portal: validation is purely time-based, which avoids HOTP's counter synchronization issues; in exchange, both sides must keep an accurate clock (see Security Considerations).

RELIANOID 2FA with Google Authenticator and AD/LDAP Integration #

High-Level Flow #

  1. The user logs in with their username and password (validated against LDAP/AD).
  2. If the user does not have a TOTP secret registered:
    • A new random TOTP secret is generated on the backend.
    • A QR code encoding an otpauth:// URI that carries the secret is shown for the user to scan with Google Authenticator.
    • The user then enters the first 6-digit OTP from the app to complete registration, proving that the scan succeeded.
    • The secret is then stored in a custom LDAP/AD attribute (e.g., otpSecret).
  3. If the user already has a registered secret:
    • The backend verifies the provided OTP against the stored secret using the TOTP algorithm defined in RFC 6238.
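The following is an added worked example, not RELIANOID's portal code, covering both the TOTP/HOTP section above and the enrollment/verification flow just described. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on the standard library, builds the otpauth:// URI that the QR code would encode, and runs the two branches of the flow against a FakeDirectory that stands in for the LDAP/AD entry. The attribute name otpSecret is the page's example; otpLastStep, the ±1-step tolerance window and the replay check are assumptions of this example, not something the page specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote

DIGITS = 6  # code length Google Authenticator uses by default
STEP = 30   # seconds per TOTP time step (Google Authenticator default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def generate_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret, base32 without padding: the form the otpauth URI carries."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(b32: str) -> bytes:
    """Base32 is a reversible encoding, not protection: whoever reads the attribute has the key."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def otpauth_uri(b32_secret: str, account: str, issuer: str) -> str:
    """Key URI that the enrollment QR code encodes (Google Authenticator's format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def verify_totp(b32_secret: str, code: str, at: int, window: int = 1,
                last_step: Optional[int] = None) -> Optional[int]:
    """Return the time step that matched, or None. `window` tolerates small clock
    drift (+-1 step = 30 s). Steps at or before `last_step` are refused, so a code
    that was already accepted cannot be replayed while it is still valid."""
    secret = decode_secret(b32_secret)
    current = at // STEP
    for delta in range(-window, window + 1):
        step = current + delta
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


class FakeDirectory:
    """Stand-in for the LDAP/AD entry (attributes otpSecret and the hypothetical
    otpLastStep). A real backend reads/writes these over LDAPS with the attribute
    ACL-restricted to the 2FA service account."""
    def __init__(self) -> None:
        self.entries: dict = {}

    def get(self, user: str, attr: str):
        return self.entries.get(user, {}).get(attr)

    def set(self, user: str, attr: str, value) -> None:
        self.entries.setdefault(user, {})[attr] = value


def start_enrollment(user: str, issuer: str = "RELIANOID"):
    """Step 2 of the flow: mint a secret and the URI to render as a QR code.
    Nothing is written to the directory until the user proves they scanned it."""
    b32 = generate_secret()
    return b32, otpauth_uri(b32, user, issuer)


def complete_enrollment(directory: FakeDirectory, user: str, b32: str,
                        first_code: str, at: int) -> bool:
    """Store the secret only after the first code from the app verifies."""
    step = verify_totp(b32, first_code, at)
    if step is None:
        return False
    directory.set(user, "otpSecret", b32)
    directory.set(user, "otpLastStep", step)
    return True


def second_factor(directory: FakeDirectory, user: str, code: str, at: int) -> str:
    """Called after the LDAP bind succeeded; returns 'enroll', 'ok' or 'denied'."""
    b32 = directory.get(user, "otpSecret")
    if b32 is None:
        return "enroll"
    step = verify_totp(b32, code, at, last_step=directory.get(user, "otpLastStep"))
    if step is None:
        return "denied"
    directory.set(user, "otpLastStep", step)
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through using the RFC 4226/6238 reference secret
    # "12345678901234567890", shown here in the base32 form the app expects.
    rfc_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    d = FakeDirectory()
    print(second_factor(d, "alice", "000000", 59))                 # enroll
    print(complete_enrollment(d, "alice", rfc_b32, "287082", 59))  # True
    print(second_factor(d, "alice", "359152", 89))                 # ok
    print(second_factor(d, "alice", "359152", 89))                 # denied (replay)
```

The `hotp`/`totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors, which is the quickest way to confirm a home-grown implementation before wiring it to a directory. Note that `verify_totp` accepts the previous and next step to absorb a little clock drift, which is exactly why the NTP point below matters: a backend clock that is minutes off rejects every code.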

Security Considerations #

  • Use LDAPS or StartTLS for all communication with the directory, so the secret never crosses the network in clear text.
  • Restrict read access to the otpSecret attribute (directory ACLs) to the 2FA backend's service account; anyone who can read it can generate valid codes for that user.
  • Base32 is the encoding Google Authenticator expects for the secret, not a protection: it is trivially reversible, so keep the value out of logs and debug output.
  • Keep the 2FA backend's clock synchronized (e.g., NTP); TOTP validation depends on both sides agreeing on the current time step, so only a small tolerance window should be allowed.

Conclusion #

Integrating Google Authenticator into the RELIANOID 2FA portal enhances user security without compromising usability. With support for AD and LDAP, the deployment is seamless in most enterprise environments.

Need help configuring your 2FA integration? Contact the RELIANOID support team—available 24/7.
