LLDintermediatePremium

Google Authenticator LLD: Two Devices, No Connection, One Six-Digit Truth (TOTP)

A low-level design walkthrough of TOTP and Google Authenticator: a shared secret and the clock through HMAC to six digits, with an acceptance window that tolerates skew and blocks replay.

By fiveyearsdevJune 13, 202610 min read

"Design Google Authenticator." Your phone shows six digits that change every thirty seconds. The login server, on the other side of the planet, knows whether they're right — and here's the thing that should stop you cold: your phone was in airplane mode the whole time. No network. No message left the device. Yet two machines that have never spoken since setup agree, to the digit, on a number that didn't exist a minute ago and won't exist a minute from now. That's not magic and it's not luck — it's the cleanest "shared nothing, agree on everything" trick in applied crypto, and it fits in a scre…

What’s inside

Let's start nowhere near a computer

Where the codebook-and-clock trick runs

Step 1 — Functional requirements (sentences first)

Step 2 — Non-functional requirements

Step 3 — Nouns: a secret, a clock, a deterministic function

Step 4 — The generator: secret + counter, one way out

Step 5 — The verifier: forgive the clock, but only by a little

Step 6 — Trade-offs (each one keeping an NFR)

The complete implementation

The interview corner

Where to go from here

Read this one free

Sign in and your first premium article is on us — read Google Authenticator LLD: Two Devices, No Connection, One Six-Digit Truth (TOTP) free.

LLD