The leaks and hacks we’ve read about in recent years make it clear that passwords alone do not provide enough security to protect your online bank account or social media accounts. Two-factor authentication (2FA, or MFA for multi-factor authentication) adds another layer of protection, and our authors often urge readers to use it. Authenticator apps, such as Authy, Google Authenticator, or Microsoft Authenticator, enable one of the more secure forms of 2FA. Using one of these apps can also help protect you from stealthy attacks such as stalkerware.
What Is Two-Factor Authentication?
As the name implies, it means using more than just a password to access your online account or app by adding an element other than that password. Authentication experts classify factors into three groups: something you know (for example, a password), something you have (a physical object), and something you are (a fingerprint or other biometric feature). When you use one of the authenticator apps included here, you reinforce the password you know with a token, smartphone, or smartwatch you have.
What’s the Best Kind of Two-Factor Authentication?
Yes, you can use MFA on your banking site by simply having it send you a text message with a code, which you then enter on the site to gain access. However, this has turned out not to be the best way to do 2FA. A weakness in SMS messaging has recently emerged that allows attackers to redirect text messages. An authenticator app on your smartphone generates codes that never travel through your mobile network, where they could be exposed and compromised.
You set up authentication on the site’s security settings page, in the two-factor or multi-factor authentication section; almost every financial site offers this option. You can find out which sites offer multi-factor authentication options in our story, Two-Factor Authentication: Who Owns It and How to Configure It. There you can read about the process of setting up 2FA for major services from Amazon to Yahoo.
Most sites offer a simple SMS code option, but go beyond that and look for authenticator app support. Configuring 2FA usually involves scanning a QR code shown on the site with your phone’s authenticator app. Note that you can scan the code on multiple phones if you want a backup. You should also save the account recovery codes the sites provide and store them in a safe place, such as a password manager.
How Authenticator Apps Work
After that, whenever you log in to the site from an unknown device, you’ll need to open the authenticator app, unlock it, and find the site’s entry. Authenticator apps generate time-based one-time passcodes (TOTP or OTP): six digits that are refreshed every 30 seconds. You type or paste the code into the secured app or site, and voilà, you’re inside. The time limit means that if an attacker manages to get your one-time passcode, it won’t work for them after 30 seconds.
Using the standard HMAC-based One-time Password (HOTP) algorithm approved by the Internet Engineering Task Force (IETF), the codes are generated by doing some math on the long code transmitted by that QR scan and the current time. These apps have no access to your accounts, and after the initial code transfer, they do not communicate with the site. They simply and silently generate codes. You don’t even need phone service for them to work.
Since the protocol used by these products is generally based on this standard, you can use Microsoft Authenticator to access your Google Account, for example, or vice versa. Microsoft Authenticator does, however, add simpler login options for Microsoft’s own services, such as Office, Outlook, and OneDrive.
What to Look for in an Authenticator App
One of the things to look for when choosing one of these apps is whether it backs up the account information (encrypted, of course) in case you no longer have the phone on which you set everything up. Authy, Duo Mobile, LastPass Authenticator, and Microsoft Authenticator offer this, whereas Google Authenticator does not.
In a security win for Google’s mobile OS, Android prevents anyone from taking screenshots while you have an authenticator app open, while iOS allows it.
For even more complete security, you can implement MFA with a dedicated device, such as a YubiKey. These devices generate codes that are transmitted via NFC, Bluetooth, or when you insert them directly into a USB port. Unlike smartphones, they have the advantage of being single-purpose, security-hardened devices. Although unlikely, it is possible that a malware-infected app running on your phone could intercept the verification codes generated by the phone’s authenticator app. Security keys have no batteries, no moving parts, are extremely durable, and do not require an internet connection, but they are not as easy to use as your phone.
For even more convenience, Authy and Microsoft Authenticator also offer Apple Watch apps, something that is missing for Google Authenticator and LastPass. With nearly 36 million of these watchOS devices sold in 2020 alone (14 million more than Apple sold Mac computers), this is a feature that quite a few people can take advantage of.
So, to summarize: (1) You should use multi-factor authentication for all your online accounts. (2) Authenticator apps provide better security than SMS codes. (3) Check out our summary of the most popular authenticator apps below and start setting up your accounts with whichever you like. Lastly, let us know your thoughts on these apps and related security issues in the comments below.

Duo Mobile
Duo Mobile is geared towards corporate use, especially now that it’s part of Cisco’s portfolio. In addition to the one-time passcodes described above, the app offers enterprise features such as multi-user deployment and provisioning options and one-tap push authentication. A nice security touch is that you can’t take a screenshot of the Duo interface on Android (but you can on iOS). You can back up Duo Mobile using Google Drive on Android and iCloud Keychain on iPhone.

Google Authenticator
The search advertising giant’s authenticator app is basic and does not offer any extras. Unlike Microsoft Authenticator, the Google Authenticator app does not add any special options for its own services, nor does it offer backup or password generation and management. Google is more interested in getting you to do two-factor authentication using built-in Android features than with the Authenticator app. Using an Android phone for 2FA with a Google Account (instead of the Google Authenticator app) is easier because it involves simply tapping on the phone instead of entering a six-digit code.
Unlike Authy, Google Authenticator lacks online backups for your account codes, but you can import them from the old to the new phone if you have the former. A minor concern is that Google Authenticator does not provide the Apple Watch app.
LastPass Authenticator
This is a separate app from the LastPass password manager, although it offers some integration with the popular app’s password functions. Installing LastPass Authenticator is a snap, and if you already have a LastPass account with multi-factor authentication enabled, you can easily approve LastPass logins by tapping a push notification. Also, once the app is set up with your LastPass account, it’s easy to back up your authenticator accounts in your LastPass vault. That eases the pain of moving to a new phone.

Microsoft Authenticator
Microsoft Authenticator now includes secure password generation, and it allows you to log in to Microsoft accounts at the push of a button. The Authenticator app also allows schools and workplaces that use it to register users’ devices. Account recovery is an important feature that you should turn on if you use the app. That way, when you get a new phone, after installing Microsoft Authenticator you’ll see the option to recover by signing in to your Microsoft account and providing further verification.
One problem here (and this is Apple’s lock-in issue) is that if you have a backup in iCloud, you can’t transfer your saved 2FA accounts to an Android device, because the iPhone version requires using iCloud. Microsoft Authenticator offers another layer of security: you may need to unlock your phone with a PIN or biometric verification to view the codes.
You will find the password management capabilities in a separate tab at the bottom. You can easily sync with the Microsoft account you have associated with the authenticator, and after that, you’ll see the logins you’ve saved and synced with the Edge browser. Additionally, you can use Authenticator as a password filler/saver utility on your phone.

Twilio Authy
Unlike other apps in this mini-roundup, Authy needs your phone number when you first set it up. We’re not fans of this requirement, because we want the app to treat our phones as anonymous pieces of hardware, rather than connecting them to our personally identifiable data. In addition, some people have levied the charge that this opens the app up to SIM card swap fraud. Authy’s Help Center offers a solution for this, but we would prefer it to work like any other app without the need for a phone number. Apple Watch users will appreciate the fact that there is an Authy app version for their timepiece of choice.
One of the major benefits of Authy is the encrypted cloud backup, although, according to Authy’s support pages, you can add the account to a phone using the “PIN code sent via call or SMS.” There is also an option to enter a private password or passphrase, which Authy uses to encrypt your account login information in the cloud. Only you know the password, so if you forget it, Authy will not be able to recover the account. It also means that no authority can force Authy to unlock your accounts.