If you read our 2FA article that means you’re already using two-factor authentication to secure access to at least some of your digital accounts, right?
While this is an essential step to protect social media, financial, bank and other accounts that may contain sensitive information, there are other two factor (2FA) options for a better level of protection. In this article, we’re going to go over authenticator apps.
What’s an authenticator app?
Most users start with 2FA via SMS. They receive a one-time code sent to their phone via a text message to get access to their account. But SMS has its limitations and vulnerabilities (check out our SMS 2FA pros and cons list here). To overcome these and add more security, you can use an authenticator app.
There are several authenticator apps you can get for iPhone or Android: Google Authenticator, Authy, DuoMobile, and Microsoft Authenticator are examples. In addition to being more secure, some authenticator apps save time by enabling you to tap a button to verify your identity, instead of having you manually enter the six-digit code.
An important note: most sites that support two-factor authentication do not support authenticator apps, but many of the most security sensitive sites do. Whenever you’re given an option between the two, an authenticator app is your best bet for security.
Why authenticator apps are more secure
The security risk in SMS for 2FA is that a skilled hacker can compromise your texts (and your phone) from afar. If a hacker decides they want to spoof (impersonate) your phone, then that means they’ll get all your SMS messages, including any 2FA codes required for a log-in.
SMS authentication codes are valid for about 30 minutes (longer than authentication app codes) and any backup codes you generate can work for several days. If these codes are stolen, your accounts can be easily compromised.
An authenticator app is not tied to your phone number, or even a single device – so someone who spoofs your phone or hijacks your SIM still can’t see your authenticator app codes. The app requires physical access to the device where it was installed – so only by physically stealing your phone and then bypassing your passcode or security could someone get the authenticator codes – and that is far less likely than intercepting text messages.
Each time you open the authenticator app, it generates a six-digit code that refreshes every 30 to 60 seconds and is synced with whichever site or service you’re trying to access. Because each code expires after such a short window of time, it’s impossible for someone who isn’t in possession of your device to log in.
As we mentioned earlier, a new generation of authenticator apps is eschewing six-digit inputs altogether and allows push-based authentication. This is a much easier way to authenticate and requires only the push of a button.
The secret sauce of authenticator apps
Many of these apps, such as Google Authenticator, work without internet or network connectivity. You don’t have to worry about being locked out of a site if you’re on a plane, for example, because authenticator app 2FA is tied to a physical device. The apps are built on an algorithm called the Time-based One-Time Password (TOTP) algorithm. With TOTP, the same code is generated independently by the app on your phone and by the site you are logging into, so neither side needs connectivity to the other.
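To make the "same code on both sides, no connectivity" point concrete, here is an added example (not code from the original article or from any of the apps named) of the TOTP computation from RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits. The phone and the site share only the secret and the clock; the `verify` helper shows the server-side acceptance check with a small clock-drift window and rejection of an already-used code. The shared secret is the RFC 6238 test key, so the expected codes are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime, as in most authenticator apps
DIGITS = 6          # six-digit codes, as the article describes

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an app reads from a QR code / otpauth URI."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int, last_counter: int, window: int = 1):
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate clock drift, and refuses any counter at or below the last one
    accepted so a captured code cannot be replayed. Returns (ok, new_last_counter)."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    phone_code = totp(TEST_SECRET, 59)           # computed offline on the phone
    ok, last = verify(TEST_SECRET, phone_code, 59, last_counter=-1)
    print(phone_code, ok)                         # 287082 True
```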
Where should I look for an app?
Most of the apps available have the same functionality and features. Google Authenticator and Authy are the most popular authenticator apps out there. There is a Microsoft-specific app called Microsoft Authenticator if you use a lot of Microsoft products. Some password management services, like LastPass, also offer an authenticator app.
Want even more? Consider ramping up your protection level with hardware
While using an authenticator app for 2FA is much better than SMS, it’s still not the most secure way to protect your accounts. For an even higher level of protection, consider a hardware key.
Hardware keys come in various shapes and sizes: USB tokens, smart cards, or offline tokens with a digital display. They generate one-time codes on demand, which are then entered manually or automatically, for instance through a USB interface.
While less convenient (and easy to lose), hardware keys are the most secure option for 2FA, and the right choice for those who require the highest level of privacy and security, such as a politician, activist, or corporate executive.
Everyone should be using two-factor authentication to secure their protected accounts. Using an authenticator app to generate your codes is a much more secure way to use 2FA.