Two-factor authentication makes it less likely that an intruder can masquerade as an authorized user. Authentication factors are categories of credentials used to verify that someone or something is who or what they are declared to be. There are three categories: Knowledge factors are credentials that the user knows, typically a user name and password; possession factors are things that the user has, typically a mobile phone; and inherence factors are things that the user is, typically a biometric characteristic such as a fingerprint or an iris pattern.
How does Google Authenticator work?
Authenticator works for any site or service that has enabled two-factor authentication. Like most web-based 2FA applications, the system combines knowledge and possession features. To access websites or web-based services, the user types in his normal username and password and then enters a one-time passcode (OTP) that was delivered to his device, triggered by the login. That combination verifies that the same person entering login data on the site is in possession of the device to which the Google Authenticator app was downloaded.
Passwords may be easy to crack or otherwise steal but because the vast majority of exploits are conducted via the Internet, it is unlikely that the hacker also has access to the user's physical device.
The Authenticator app is based on the time-based one-time password (TOTP) system specified in the IETF's RFC 6238 document. The TOTP algorithm generates a six-digit passcode that factors in the current time of day to ensure that each passcode is unique. Passcodes are changed every 30-60 seconds for further security.
See a video demonstration of setting up Google Authenticator: