
Authenticator apps. Thoughts?

Posts: 0
Free Member
Topic starter
 
[#12249458]

I've had to register on a finance-related website and they are pushing me to install and use an authenticator app.

Previously, when 2FA has been needed, I've just received a text message with a code. Job done...

So what are the benefits of installing an authenticator app? And which ones are kosher?

I had a quick look at the reviews of the Google Authenticator app and there's some scathing reviews.

Also, this website requires a QR code to be scanned to start the authentication process. So how are you supposed to scan a QR code on the same device you installed the authenticator app?? Seems like you need access to two devices for this to function or am I missing something?


 
Posted : 23/02/2022 5:31 am
Posts: 1294
Free Member
 

SMS authentication is not very secure at all. App is very simple to use and doesn't need mobile signal.

If you can't scan the QR code there's a code you can enter manually.


 
Posted : 23/02/2022 5:39 am
Posts: 1266
Full Member
 

I started using it yesterday at work via the Microsoft authenticator app when logging onto Teams and Office 365. It seemed to work okay, only requiring me to open my phone with my existing pin to authenticate my login. Just another pain in the bum reason to have to carry my phone around with me everywhere though. Bus ticket to Glasgow, Nextbike to University, Authenticate login so I can check emails etc, and check I'm not dying from diabetes with my Libre 2. If I forget my phone, my day is doomed!


 
Posted : 23/02/2022 6:35 am
Posts: 10337
Full Member
 

I use the Microsoft one. The QR reader is built into the apps. They only feel slightly more secure as if your phone is lost you need a backup method and that is usually SMS or email. But it is much faster.


 
Posted : 23/02/2022 7:21 am
Posts: 0
Full Member
 

As per the above, app based 2FA is generally more secure than SMS. If given the choice between the two I would always go the app route.

I use the Microsoft one. Haven't had any issues with it at all...


 
Posted : 23/02/2022 7:45 am
Posts: 23596
Full Member
 

So what are the benefits of installing an authenticator app?

2FA confirms the person accessing your account has possession of your phone (or at least your phone number - it seems it's not too difficult to call your mobile provider and transfer someone's number away from them).

An authenticator app confirms the person in possession of your phone is you.


 
Posted : 23/02/2022 7:49 am
Posts: 9143
Full Member
 

Whenever I do training for people at work, I recommend that people use some sort of 2FA app. It doesn’t really matter which one (I use the Google one), but choose a good one and put it on everything that supports it.

It’s probably the easiest way to make unauthorised access to your accounts more difficult for other people.


 
Posted : 23/02/2022 7:50 am
Posts: 10337
Full Member
 

Just checked and I have 20 accounts on my authenticator app at the moment as well as a couple of physical keys. It's just part of modern digital life.


 
Posted : 23/02/2022 8:02 am
Posts: 4954
Free Member
 

Duosec and Microsoft authenticator here. Bit of a pain on the MS one as it only allows some items to be unlocked using the finger reader, but mine is not set up very well and is very hard to get right.


 
Posted : 23/02/2022 8:07 am
Posts: 1141
Full Member
 

Bus ticket to Glasgow, Nextbike to University, Authenticate login so I can check emails etc, and check I’m not dying from diabetes with my Libre 2. If I forget my phone, my day is doomed!

At least you won't be far from home though as you'll still be at the bus stop.


 
Posted : 23/02/2022 8:19 am
Posts: 3497
Free Member
 

😂😂😂 @peekay

Oh and Authenticator apps are brill. The QR code is generally only used once to add the account, quick and easy. Make sure it gets backed up so if you need to set it up again because you lose your phone or whatever you can just restore it all from the backup rather than having to re-setup all the accounts which I imagine would be a complete PITA.


 
Posted : 23/02/2022 8:39 am
Posts: 8758
Full Member
 

I generally like authenticator apps - although currently have an issue where I'm working in a secure room that I can't take my phone into so I have to leave, get the code on my phone and run back before it expires, hoping no one talks to me on the way so that I don't forget it... Hopefully they see sense and get some physical tokens sorted for use on the project


 
Posted : 23/02/2022 8:49 am
Posts: 0
Free Member
 

 
Posted : 23/02/2022 9:13 am
 StuF
Posts: 2099
Free Member
 

As people have said before - SMS is not secure, it's now been deprecated by the US Gov standards (NIST) as a method of authentication. The authenticator should require you to unlock your phone, so it is 2FA (something you have - phone, and something you know / are - unlock code for your phone or fingerprint/FaceID).

The QR code is just used to pair your app to your account (a bit like a Bluetooth pairing) - otherwise there is no way to securely tie a phone to the account you're logging onto on the computer.


 
Posted : 23/02/2022 9:25 am
Posts: 7097
Free Member
 

In principle, they're perfectly ok.

In practice my workplace appears to have picked a broken one, which requires my device to be set up from scratch inside the authenticator, every day, every time I log in. Yes, I save the config. Yes, it forgets it. Every time. So, that's a PITA.

Bear in mind this thing is on apps I access using a work laptop over a VPN authenticated with password and hard token access key which has its own password.


 
Posted : 23/02/2022 10:16 am
 DrJ
Posts: 14010
Full Member
 

I’ve been using Authy, which you can install on multiple devices including Apple Watch, which is very convenient!!


 
Posted : 23/02/2022 10:20 am
Posts: 268
Full Member
 

I use MS authenticator and Google authenticator and they work fine. As others have said, once you start down this path, you need to keep them backed up securely.


 
Posted : 23/02/2022 10:42 am
Posts: 78492
Full Member
 

Not much I can add to the above, really. There's some good comments here.

You really should be using some form of multi-factor authentication on anything you care about, it's one of the single best things you can do to improve your security today. Passwords are increasingly unfit for purpose.

SMS authentication is probably the least secure method of 2FA, but is still exponentially better than not doing it at all.


 
Posted : 23/02/2022 10:44 am
Posts: 6859
Free Member
 

We use Duo at work. At first I was reluctant, but the (iPhone) app is very good. I can even authenticate by tapping my watch which still feels very futuristic even after I've done it daily for months! 2FA still makes it slightly slower to login, obviously, but it feels about as slick as it could be.


 
Posted : 23/02/2022 11:59 am
Posts: 5661
Full Member
 

Google and Microsoft authenticator apps here, about 15 accounts across them. Working in IT, it's sort of a requirement, not only for work accounts.

As above, if you haven't got MFA/2FA set up, do it!!


 
Posted : 23/02/2022 12:07 pm
Posts: 5185
Full Member
 

Friend had a "sim swap" attack, where someone manages to convince your mobile network that you've lost your phone and need the number swapping to a new SIM. When the new one enables you lose your calls/texts and they can reset passwords and authenticate on all sorts of services that trust the mobile number they have stored as belonging to you.

Don't 2FA with SMS, and I'd avoid even having it as a backup option if you can.


 
Posted : 23/02/2022 12:55 pm
 Drac
Posts: 50613
 

An authenticator app confirms the person in possession of your phone is you

How is that any different to an SMS?


 
Posted : 23/02/2022 1:40 pm
 ji
Posts: 1419
Free Member
 

How is that any different to an SMS?

They have to have a phone unlocked in front of them. Not just a stolen (but locked) phone which can show text messages on the lock screen, or a stolen phone number via Sim replacement.


 
Posted : 23/02/2022 1:50 pm
 ji
Posts: 1419
Free Member
 

Oh, and from experience, make sure you know how to get backup access before you need it. Some will allow you to export a one time code to save somewhere safe for example. When you get a new phone you will need these...


 
Posted : 23/02/2022 1:52 pm
 Drac
Posts: 50613
 

They have to have a phone unlocked in front of them. Not just a stolen (but locked) phone which can show text messages on the lock screen, or a stolen phone number via Sim replacement.

Ah! I see. I only have notifications enabled, you can’t see the content with an unlock or facial recognition. Changing the sim won’t override that.

Anyway as mentioned 2FA is way better than just having a password.


 
Posted : 23/02/2022 5:21 pm
 ji
Posts: 1419
Free Member
 

Changing the sim won’t override that.

No, but calling your mobile provider with a few of your personal details and asking for a new sim to be issued on your number will. All they then need is to put the sim in their phone...


 
Posted : 23/02/2022 5:28 pm
Posts: 10337
Full Member
 

All they then need is to put the sim in their phone…

Yep.  Although they are normally meant to check identity I've walked into a shop before and asked for a new sim for my daughter and been given it with zero fuss.  Being confident, white, male and old goes a long way to getting by this stuff 🙁


 
Posted : 23/02/2022 5:42 pm
Posts: 20889
Free Member
 

When you get a new phone you will need these…

Not with Apple these days (I have no idea about other OS) - a new device can simply clone the contents of the old device. IIRC the only thing it doesn't do is copy across cards in the Wallet.


 
Posted : 23/02/2022 5:46 pm
Posts: 91169
Free Member
 

Google one works well enough for me for Playstation. We also have a work one which was previously a bit broken as it never worked first time and you had to repeat it a second time. However it looks like that's fixed now. It also has the option to require biometric auth to do the approval so even if someone ran off with your phone whilst it was unlocked they still wouldn't get in.


 
Posted : 23/02/2022 6:01 pm
Posts: 8006
Full Member
 

Have to use the MS one for work/school. It's a bit flaky as to when it asks for 2FA but when it does I have it set up biometric so all I need to do is open the notification to approve and then scan a fingerprint. Dead quick and I guess proves it's me holding the phone - if anyone wants my school resources badly enough to force me at gunpoint to approve authentication for them then I think they're probably welcome to my teaching PowerPoints!


 
Posted : 23/02/2022 6:10 pm
Posts: 3546
Free Member
 

Just think how many security codes are readable on your phone via text/email etc. - '123456 is the code you need for <insert bank name>' etc. - I know it's a very niche attack vector but having your phone in their hands even without a pin potentially unlocks quite a lot.


 
Posted : 23/02/2022 6:18 pm
Posts: 6940
Full Member
 

Lots of banking apps also have built-in authenticator functions for validating transactions. All good in my book as they’re both more secure and more usable than passwords and can be linked to the phone biometrics (face and touch).


 
Posted : 23/02/2022 6:28 pm
Posts: 78492
Full Member
 

I’ve walked into a shop before and asked for a new sim for my daughter and been given it with zero fuss.

To be fair, that's a damn good trade.


 
Posted : 23/02/2022 6:59 pm
Posts: 10337
Full Member
 

😀


 
Posted : 23/02/2022 7:01 pm
Posts: 78492
Full Member
 

The other thing with SMS / codes versus "is this you?" style app verification is, I don't even need access to your device.

Say I have your details but not your One Time Passcode. I log in to your bank, it prompts for your code. So I text you, "Hi, this is YourBank Plc. We've detected fraudulent activity on your account. To verify your identity and prevent your account being closed, please reply to this message with your six digit Authentication Code."


 
Posted : 23/02/2022 7:05 pm
Posts: 5807
Free Member
 

When you get a new phone you will need these…

Not with Apple these days (I have no idea about other OS) – a new device can simply clone the contents of the old device. IIRC the only thing it doesn’t do is copy across cards in the Wallet

Yeah, Android will migrate all your apps and their settings without a problem. Well, IME at least.

For anyone who's dubious about enabling 2FA as widely as possible, at the very least have it on your primary email. You know, the address all the requests for confirmation of password changes go to...


 
Posted : 23/02/2022 8:24 pm
 Drac
Posts: 50613
 

No, but calling your mobile provider with a few of your personal details and asking for a new sim to be issued on your number will. All they then need is to put the sim in their phone…

So now they’ll need your personal details, they also need to migrate your sim over without you receiving notification someone has done this. It’s not impossible but it involves a lot of work and hoping no one notices.


 
Posted : 23/02/2022 10:00 pm
Posts: 78492
Full Member
 

This is wholly true. But it hinges on the assumption that anyone else gives the slightest of shits about your security.

Your office can have all the mag locks, ID cards and security guards in the world. Now turn up with a stack of pizzas and see how close you can get to the boardroom. I'll wager they'll hold the doors open for you.

Now, about porting a mobile number to that new SIM card...


 
Posted : 23/02/2022 11:06 pm
 ji
Posts: 1419
Free Member
 

Android will migrate all your apps and their settings without a problem. Well, IME at least.

From memory this was true of 2 of the three apps I have (I think google did, but can't remember which of the other two was a pain - Duo or Microsoft). Frustratingly some services insist on a specific app which is a pain.


 
Posted : 24/02/2022 2:08 pm
Posts: 13594
Free Member
 

Just think how many security codes are readable on your phone via text/email etc. – ‘123456 is the code you need for <insert bank name>’ etc. – I know it's a very niche attack vector but having your phone in their hands even without a pin potentially unlocks quite a lot.

Only if you display messages on the lock screen (which would be very daft).


 
Posted : 24/02/2022 2:56 pm
Posts: 1130
Free Member
 

Apple devices will not migrate the contents of authentication apps. You must make sure you have backup codes, or turn off MFA for those services before you migrate your phone, and then turn it back on again afterwards.

Go on, ask me how I know this!


 
Posted : 24/02/2022 6:29 pm
Posts: 13594
Free Member
 

Apple devices will not migrate the contents of authentication apps.

Surely that's just the app's design - be easy to write an app to use device specific encryption code for the device, so once ported it won't unencrypt.


 
Posted : 24/02/2022 7:23 pm
Posts: 0
Free Member
Topic starter
 

Bumping this again as work are "forcing" MFA via Authy or MS Authenticator apps but both have pretty scathing reviews on Google Play Store.
So, are these easy apps to un-install and do away with if I decide they are shite/too much hassle?

As my current phone's battery seems knackered, I'm probably going to need a new phone within the next couple of weeks so which one is less shite when it comes time to migrate phones?
(If I do have to change, I will be staying on Android).

(Note: my personal Google and Microsoft accounts have alternate email addresses associated with them for validation purposes if needed, so I don't think I'm vulnerable to being locked out).
For work stuff, we've got sys admins for dealing with this crap so I don't particularly care about MFA on work stuff...


 
Posted : 09/06/2022 1:16 am
Posts: 78492
Full Member
 

work are “forcing” MFA via Authy or MS Authenticator apps but both have pretty scathing reviews on Google Play Store.
...
As my current phone’s battery seems knackered

Work will presumably be providing you with a mobile device fit for purpose to enable this, then. If you're expected to use your personal mobile, stick a Nokia 3210 in your pocket.


 
Posted : 09/06/2022 1:42 am
Posts: 6290
Full Member
 

Just got a new iPhone and MS authenticator was the only app that didn’t just work on the new phone. In theory I could backup from the old phone and restore to the new one, which showed all of my accounts in the app. But none of them worked. I’ve managed to get one of them (office 365 for work) setup again, but only by deleting it at both ends and starting again.


 
Posted : 09/06/2022 8:14 am