I've had to register on a finance-related website and they are pushing me to install and use an authenticator app.
Previously, when 2FA has been needed, I've just received a text message with a code. Job done...
So what are the benefits of installing an authenticator app? And which ones are kosher?
I had a quick look at the reviews of the Google Authenticator app and there's some scathing reviews.
Also, this website requires a QR code to be scanned to start the authentication process. So how are you supposed to scan a QR code on the same device you installed the authenticator app?? Seems like you need access to two devices for this to function, or am I missing something?
SMS authentication is not very secure at all. App is very simple to use and doesn't need mobile signal.
If you can't scan the QR code there's a code you can enter manually.
I started using it yesterday at work via the Microsoft authenticator app when logging onto Teams and Office 365. It seemed to work okay, only requiring me to open my phone with my existing pin to authenticate my login. Just another pain in the bum reason to have to carry my phone around with me everywhere though. Bus ticket to Glasgow, Nextbike to University, Authenticate login so I can check emails etc, and check I'm not dying from diabetes with my Libre 2. If I forget my phone, my day is doomed!
I use the Microsoft one. The QR reader is built into the apps. They only feel slightly more secure as if your phone is lost you need a backup method and that is usually sms or email. But it is much faster
As per the above, app-based 2FA is generally more secure than SMS. If given the choice between the two I would always go the app route.
I use the Microsoft one. Haven't had any issues with it at all...
So what are the benefits of installing an authenticator app?
2FA confirms the person accessing your account has possession of your phone (or at least your phone number - it seems it's not too difficult to call your mobile provider and transfer someone's number away from them)
An authenticator app confirms the person in possession of your phone is you
Whenever I do training for people at work, I recommend that people use some sort of 2FA app. It doesn’t really matter which one (I use the Google one), but choose a good one and put it on everything that supports it.
It’s probably the easiest way to make unauthorised access to your accounts more difficult for other people.
Just checked and I have 20accounts on my authenticator app at the moment as well as a couple of physical keys. It's just part of modern digital life
Duosec and Microsoft authenticator here. Bit of a pain on the MS one as it only allows some items to be unlocked using the fingerprint reader, but mine is not set up very well and is very hard to get right
Bus ticket to Glasgow, Nextbike to University, Authenticate login so I can check emails etc, and check I’m not dying from diabetes with my Libre 2. If I forget my phone, my day is doomed!
At least you won't be far from home though as you'll still be at the bus stop.
😂😂😂 @peekay
Oh and Authenticator apps are brill. The QR code is generally only used once to add the account, quick and easy. Make sure it gets backed up so if you need to set it up again because you lose your phone or whatever you can just restore it all from the backup rather than having to re-setup all the accounts which I imagine would be a complete PITA.
I generally like authenticator apps - although currently have an issue where I'm working in a secure room that I can't take my phone into so I have to leave, get the code on my phone and run back before it expires, hoping no one talks to me on the way so that I don't forget it... Hopefully they see sense and get some physical tokens sorted for use on the project
as people have said before - SMS is not secure, it's now been deprecated by the US Gov standards (NIST) as a method of authentication. The authenticator should require you to unlock your phone so a 2FA (something you have - phone and something you know / are - unlock code for your phone or fingerprint/faceID).
The qr code is just used to pair your app to your account (a bit like a bluetooth pairing) - otherwise there is no way to securely tie a phone to the account you're logging onto on the computer
In principle, they're perfectly ok.
In practice my workplace appears to have picked a broken one, which requires my device to be set up from scratch inside the authenticator, every day, every time I log in. Yes, I save the config. Yes, it forgets it. Every time. So, that's a PITA.
Bear in mind this thing is on apps I access using a work laptop over a VPN authenticated with password and hard token access key which has its own password.
I’ve been using authy, which you can install on multiple devices including Apple Watch, which is very convenient!!
I use MS authenticator and Google authenticator and they work fine. As others have said, once you start down this path, you need to keep them backed up securely.
Not much I can add to the above, really. There's some good comments here.
You really should be using some form of multi-factor authentication on anything you care about, it's one of the single best things you can do to improve your security today. Passwords are increasingly unfit for purpose.
SMS authentication is probably the least secure method of 2FA, but is still exponentially better than not doing it at all.
We use Duo at work. At first I was reluctant, but the (iPhone) app is very good. I can even authenticate by tapping my watch which still feels very futuristic even after I've done it daily for months! 2FA still makes it slightly slower to login, obviously, but it feels about as slick as it could be.
Google and Microsoft authenticator apps here, about 15 accounts across them. Working in IT, it's sort of a requirement, not only for work accounts.
As above, if you haven't got MFA/2FA set up, do it!!
Friend had a "sim swap" attack, where someone manages to convince your mobile network that you've lost your phone and need the number swapping to a new SIM. When the new one enables you lose your calls/texts and they can reset passwords and authenticate on all sorts of services that trust the mobile number they have stored as belonging to you.
Don't 2FA with SMS, and I'd avoid even having it as a backup option if you can.
An authenticator app confirms the person in possession of your phone is you
How is that any different to an SMS?
How is that any different to an SMS?
They have to have a phone unlocked in front of them. Not just a stolen (but locked) phone which can show text messages on the lock screen, or a stolen phone number via Sim replacement.
oh and from experience, make sure you know how to get back up access before you need it. Some will allow you to export a one time code to save somewhere safe for example. When you get a new phone you will need these...
They have to have a phone unlocked in front of them. Not just a stolen (but locked) phone which can show text messages on the lock screen, or a stolen phone number via Sim replacement.
Ah! I see. I only have notifications enabled; you can’t see the content without an unlock or facial recognition. Changing the sim won’t override that.
Anyway as mentioned 2FA is way better than just having a password.
Changing the sim won’t override that.
No, but calling your mobile provider with a few of your personal details and asking for a new sim to be issued on your number will. All they then need is to put the sim in their phone...
All they then need is to put the sim in their phone…
Yep. Although they are normally meant to check identity I've walked into a shop before and asked for a new sim for my daughter and been given it with zero fuss. Being confident, white, male and old goes a long way to getting by this stuff 🙁
When you get a new phone you will need these…
Not with Apple these days (I have no idea about other OS) - a new device can simply clone the contents of the old device. IIRC the only thing it doesn't do is copy across cards in the Wallet.
Google one works well enough for me for Playstation. We also have a work one which was previously a bit broken as it never worked first time and you had to repeat it a second time. However it looks like that's fixed now. It also has the option to require biometric auth to do the approval so even if someone ran off with your phone whilst it was unlocked they still wouldn't get in.
Have to use the MS one for work/school. It's a bit flaky as to when it asks for 2FA but when it does I have it set up biometric so all I need to do is open the notification to approve and then scan a fingerprint. Dead quick and I guess proves it's me holding the phone - if anyone wants my school resources badly enough to force me at gunpoint to approve authentication for them then I think they're probably welcome to my teaching PowerPoints!
Just think how many security codes are readable on your phone via text/email etc. - '123456 is the code you need for <insert bank name>' etc. - I know it's a very niche attack vector but having your phone in their hands even without a pin potentially unlocks quite a lot.
Lots of banking apps also have built-in authenticator functions for validating transactions. All good in my book as they’re both more secure and more usable than passwords and can be linked to the phone biometrics (face and touch).
I’ve walked into a shop before and asked for a new sim for my daughter and been given it with zero fuss.
To be fair, that's a damn good trade.
😀
The other thing with SMS / codes versus "is this you?" style app verification is, I don't even need access to your device.
Say I have your details but not your One Time Passcode. I log in to your bank, it prompts for your code. So I text you, "Hi, this is YourBank Plc. We've detected fraudulent activity on your account. To verify your identity and prevent your account being closed, please reply to this message with your six digit Authentication Code."
When you get a new phone you will need these…
Not with Apple these days (I have no idea about other OS) – a new device can simply clone the contents of the old device. IIRC the only thing it doesn’t do is copy across cards in the Wallet
Yeah, Android will migrate all your apps and their settings without a problem. Well, IME at least.
For anyone who's dubious about enabling 2FA as widely as possible, at the very least have it on your primary email. You know, the address all the requests for confirmation of password changes go to...
No, but calling your mobile provider with a few of your personal details and asking for a new sim to be issued on your number will. All they then need is to put the sim in their phone…
So now they’ll need your personal details, they also need to migrate your sim over without you receiving notification someone has done this. It’s not impossible but it involves a lot of work and hoping no one notices.
This is wholly true. But it hinges on the assumption that anyone else gives the slightest of shits about your security.
Your office can have all the mag locks, ID cards and security guards in the world. Now turn up with a stack of pizzas and see how close you can get to the boardroom. I'll wager they'll hold the doors open for you.
Now, about porting a mobile number to that new SIM card...
Android will migrate all your apps and their settings without a problem. Well, IME at least.
From memory this was true of 2 of the three apps I have (I think google did, but can't remember which of the other two was a pain - Duo or Microsoft). Frustratingly some services insist on a specific app which is a pain.
Just think how many security codes are readable on your phone via text/email etc. – ‘123456 is the code you need for <insert bank name>’ etc. – I know it’s a very niche attack vector but having your phone in their hands even without a pin potentially unlocks quite a lot.
Only if you display messages on the lock screen (which would be very daft).
Apple devices [b]will not[/b] migrate the contents of authentication apps. You must make sure you have backup codes, or turn off MFA for those services before you migrate your phone, and then turn it back on again afterwards.
Go on, ask me how I know this!
Apple devices will not migrate the contents of authentication apps.
Surely that's just the app's design - it would be easy to write an app to use a device-specific encryption key, so once ported it won't decrypt.
Bumping this again as work are "forcing" MFA via Authy or MS Authenticator apps but both have pretty scathing reviews on Google Play Store.
So, are these easy apps to un-install and do away with if I decide they are shite/too much hassle?
As my current phone's battery seems knackered, I'm probably going to need a new phone within the next couple of weeks, so which one is less shite when it comes time to migrate phones?
(If I do have to change,I will be staying on Android).
(Note: my personal Google and Microsoft accounts have alternate email addresses associated with them for validation purposes if needed, so I don't think I'm vulnerable to being locked out).
For work stuff, we've got sys admins for dealing with this crap so I don't particularly care about MFA on work stuff...
work are “forcing” MFA via Authy or MS Authenticator apps but both have pretty scathing reviews on Google Play Store.
...
As my current phone’s battery seems knackered
Work will presumably be providing you with a mobile device fit for purpose to enable this, then. If you're expected to use your personal mobile, stick a Nokia 3210 in your pocket.
Just got a new iPhone and MS authenticator was the only app that didn’t just work on the new phone. In theory I could backup from the old phone and restore to the new one, which showed all of my accounts in the app. But none of them worked. I’ve managed to get one of them (office 365 for work) setup again, but only by deleting it at both ends and starting again.
Google authenticator here. Works just fine. Duo on the other hand is a steaming pile of bloated poo.
I think you can scan the QR code from a screen shot if using the same device for both actions.
So, are these easy apps to un-install and do away with if I decide they are shite/too much hassle?
The apps are just like any phone app and easy enough to uninstall - but if your company requires MFA for accessing their systems (which any company that takes IT security remotely seriously should be doing) then you need to get used to using them.
I have the MS authentication app on my work phone. Seems fine. It works quite nicely as rather than having to enter a code from the phone into the computer my phone just pings a message asking if it's me trying to access work apps. I click yes and I'm in.
It's really not a big deal.
Only if you display messages on the lock screen (which would be very daft).
But seems to be the default setting on new Androids? Anyone who doesn't understand the vulnerability or isn't happy burrowing through settings will leave it like that.
Go on, ask me how I know this!
I found that out the hard way too. You're not the only one.
With my security hat on,
Only if you display messages on the lock screen (which would be very daft).
But seems to be the default setting on new Androids? Anyone who doesn’t understand the vulnerability or isn’t happy burrowing through settings will leave it like that.
The thing here though is, 2FA / MFA is Multi Factor Authentication. For MFA we can have:
Something you know (eg password, PIN)
Something you have (eg credit card, phone)
Something you are (eg fingerprint)
MFA requires authentication from more than one of these different categories. Granted some are far more secure than others but one single method is not intended to replace all the rest.
In the above scenario a hacker would need your password AND your phone. Either is pretty likely, both not so much.
As for "too much hassle" I'd say, get used to it. Using MFA on important accounts is probably the single most impactful step you can take to improve your security today. I don't know what "forcing" in inverted commas is supposed to mean but if your employer isn't enforcing it across the board then they really should be, and depending on your industry there may be compliance rules or legislation in place which means they have no choice.
I've just changed iPhones, and the Google Authenticator stuff wasn't magically transferred as part of the process. Doing it via the app was dead straightforward though, it can generate one big QR on your old phone which you scan on your new phone and it magically adds everything in one go. On iOS anyway so don't see why Android couldn't do that.
Where that sort of thing gets complicated is if your old device is lost or broken. If part of your MFA is "something you have" and you don't have it, you need some means of recovering from that situation.
There are varying ways of achieving this. An account, for instance, might allow you to add verification email address, a phone number, a couple of security questions, a second device, backup recovery codes... all of these things make it easier for you to recover your account, but also potentially make it easier for someone else to do so.
Security vs usability is a difficult balancing act. Some people have a second lock on their front door for added security. Great, so why not be even more secure with three? Seven? Twenty? Because by the time you've locked up you'll have forgotten why you'd gone out so you'll likely get into the habit of not bothering with 18 of them, and in any case none of them will be worth shit if I can just come along and hammer the pins out of the hinges.
Recovery codes for my main email address in my password manager, and accept the fact that as basically everything else is accessed via or can be reset from that email address, if someone guesses the password AND gets the MFA code AND doesn't get stopped by Google catching a log in attempt from an unusual IP (which was what prompted me to setup MFA in the first place many years ago), well they're in.
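The recovery-code approach described in the two posts above (a set of one-time codes kept somewhere safe, each usable once if the phone is lost) is simple enough to show end to end. This is an added example, my own illustration rather than code from any service or app mentioned in the thread: it shows the service side, which hands the user plain codes once, stores only salted hashes, and burns each code on use. Names and the code format are assumptions.

```python
# Added example: issuing and redeeming one-time MFA recovery codes (service side).
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so codes are easy to type back.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count=8, groups=2, group_len=5):
    """Return `count` random codes like 'k7xqp-3mwnr'. Shown to the user exactly once."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len))
                 for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def _normalise(code):
    # Tolerate case and dashes so a code copied from a printout still redeems.
    return code.replace("-", "").replace(" ", "").lower().encode()


def _hash(code, salt):
    # Codes carry ~49 bits of entropy (31^10), so a salted SHA-256 is adequate here;
    # the salt is per account so identical codes on two accounts hash differently.
    return hashlib.sha256(salt + _normalise(code)).hexdigest()


def new_store(codes):
    """Persist only the hashes; the plain codes live with the user, not the service."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hashes": [_hash(c, salt) for c in codes]}


def redeem(store, submitted):
    """Consume one code. Returns True once per code, False for unknown or reused codes."""
    candidate = _hash(submitted, store["salt"])
    for i, stored in enumerate(store["hashes"]):
        if hmac.compare_digest(stored, candidate):   # constant-time comparison
            del store["hashes"][i]                   # single use: burn it
            return True
    return False


def remaining(store):
    """How many unused codes are left; a good trigger for 'regenerate your codes'."""
    return len(store["hashes"])


if __name__ == "__main__":
    issued = generate_recovery_codes()
    print("give these to the user once:", issued)      # e.g. in a password manager
    db = new_store(issued)
    print(redeem(db, issued[0]), redeem(db, issued[0]))   # True, then False
    print(remaining(db), "codes left")
```

The trade-off the thread describes is visible in the design: every extra recovery route is another way in, so the service stores hashes rather than codes, makes each code single-use, and can count down remaining codes to prompt regeneration.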
Nail / head.
One of the opening questions I ask when talking about this stuff is, "what's your most important account?" People will think of the obvious things like their bank but no, it's your primary email account. Most every other account will have a little link under the login box going "I forgot my password" which will email you a reset link. If your primary email account is compromised, it's game over.
Unless, of course, you have MFA on those accounts...
So, which is the "best" authenticator app?
As I'm not a serial phone upgrader, I'm more concerned about losing or breaking my existing phone so not having a "backup" on a device I can access when I get a replacement phone.
@cougar: "forcing" means they require an app to be installed on my personal phone - they don't provide work phones to non-operational staff (which has been fine by me as I don't want to be dragged into out-of-hours support crap...)
(Note: my personal Google and Microsoft accounts have alternate email addresses associated with them for validation purposes if needed, so I don’t think I’m vulnerable to being locked out).
Zero help if someone gets your password; this is why MFA is important.
For work stuff, we’ve got sys admins for dealing with this crap so I don’t particularly care about MFA on work stuff…
but they do (if they are any good) so you are going to have to get used to it.
I have to say that the modern passwordless authentication options (Windows Hello, Windows Hello for Business, FIDO2 keys etc) are almost that magical moment where greater security and improved user experience come together. If you can go passwordless with your user account, then you effectively stop something like 90% of attacks. You only really then have to focus on avoiding those nasty phishing emails and dodgy web sites. Add in MFA with an authenticator app and you are adding a serious amount of security to your life for very little effort and inconvenience.
“forcing” means they require an app to be installed on my personal phone – they don’t provide work phones to non-operational staff
That's easy then. "I don't have one."
I don't know why people put up with this sort of shit from employers. They should be providing you with the tools required to do your job. If the only requirement is 2FA, there are plenty of alternatives to an Android / iPhone app.
I don’t know why people put up with this sort of shit from employers. They should be providing you with the tools required to do your job. If the only requirement is 2FA, there are plenty of alternatives to an Android / iPhone app.
Solved by installing Authy on my work laptop...
Where that sort of thing gets complicated is if your old device is lost or broken
You can use MS Authenticator on more than one device though. I use it on an iPad (through work) and an iPhone (my own) for the same account. They had to be set up separately, but that wasn’t much of a hassle. I prefer an authenticator app to SMS as I don’t need to share my phone number with whichever service I want to use.
SMS is inherently problematic anyway.
But that's a longer conversation and I think one that is increasingly needing to be fielded with a blog post.
For anyone who’s dubious about enabling 2FA as widely as possible, at the very least have it on your primary email. You know, the address all the requests for confirmation of password changes go to…
Just noticed that Outlook can be used “passwordless”, but does this have any advantage over using a password as part of MFA ??
