Google authenticator here. Works just fine. Duo on the other hand is a steaming pile of bloated poo.
I think you can scan the QR code from a screen shot if using the same device for both actions.
So, are these easy apps to un-install and do away with if I decide they are shite/too much hassle?
The apps are just like any phone app and easy enough to uninstall - but if your company requires MFA for accessing their systems (which any company that takes IT security remotely seriously should be doing) then you need to get used to using them.
I have the MS authentication app on my work phone. Seems fine. It works quite nicely as rather than having to enter a code from the phone into the computer my phone just pings a message asking if it's me trying to access work apps. I click yes and I'm in.
It's really not a big deal.
Only if you display messages on the lock screen (which would be very daft).
But seems to be the default setting on new Androids? Anyone who doesn't understand the vulnerability or isn't happy burrowing through settings will leave it like that.
Go on, ask me how I know this!
I found that out the hard way too. You're not the only one.
With my security hat on,
Only if you display messages on the lock screen (which would be very daft).
But seems to be the default setting on new Androids? Anyone who doesn’t understand the vulnerability or isn’t happy burrowing through settings will leave it like that.
The thing here though is, 2FA / MFA is Multi Factor Authentication. For MFA we can have:
Something you know (eg password, PIN)
Something you have (eg credit card, phone)
Something you are (eg fingerprint)
MFA requires authentication from more than one of these different categories. Granted some are far more secure than others but one single method is not intended to replace all the rest.
In the above scenario a hacker would need your password AND your phone. Either is pretty likely, both not so much.
As for "too much hassle" I'd say, get used to it. Using MFA on important accounts is probably the single most impactful step you can take to improve your security today. I don't know what "forcing" in inverted commas is supposed to mean but if your employer isn't enforcing it across the board then they really should be, and depending on your industry there may be compliance rules or legislation in place which means they have no choice.
I've just changed iPhones, and the Google Authenticator stuff wasn't magically transferred as part of the process. Doing it via the app was dead straightforward though, it can generate one big QR on your old phone which you scan on your new phone and it magically adds everything in one go. On iOS anyway so don't see why Android couldn't do that.
Where that sort of thing gets complicated is if your old device is lost or broken. If part of your MFA is "something you have" and you don't have it, you need some means of recovering from that situation.
There are varying ways of achieving this. An account, for instance, might allow you to add verification email address, a phone number, a couple of security questions, a second device, backup recovery codes... all of these things make it easier for you to recover your account, but also potentially make it easier for someone else to do so.
Security vs usability is a difficult balancing act. Some people have a second lock on their front door for added security. Great, so why not be even more secure with three? Seven? Twenty? Because by the time you've locked up you'll have forgotten why you'd gone out so you'll likely get into the habit of not bothering with 18 of them, and in any case none of them will be worth shit if I can just come along and hammer the pins out of the hinges.
Recovery codes for my main email address in my password manager, and accept the fact that as basically everything else is accessed via or can be reset from that email address, if someone guesses the password AND gets the MFA code AND doesn't get stopped by Google catching a log in attempt from an unusual IP (which was what prompted me to setup MFA in the first place many years ago), well they're in.
Nail / head.
One of the opening questions I ask when talking about this stuff is, "what's your most important account?" People will think of the obvious things like their bank but no, it's your primary email account. Most every other account will have a little link under the login box going I forgot my password which will email you a reset link. If your primary email account is compromised, it's game over.
Unless, of course, you have MFA on those accounts...
So, which is the "best" authenticator app?
As I'm not a serial phone upgrader, I'm more concerned about losing or breaking my existing phone so not having a "backup" on a device I can access when I get a replacement phone.
@cougar: "forcing" means they require an app to be installed on my personal phone - they don't provide work phones to non-operational staff (which has been fine by me as I don't want to be dragged into out-of-hours support crap...)
(Note: my personal Google and Microsoft accounts have alternate email addresses associated with them for validation purposes if needed, so I don’t think I’m vulnerable to being locked out).
Zero help if someone gets your password; this is why MFA is important.
For work stuff, we’ve got sys admins for dealing with this crap so I don’t particularly care about MFA on work stuff…
but they do (if they are any good) so you are going to have to get used to it.
I have to say that the modern passwordless authentication options (Windows Hello, Windows Hello for Business, FIDO2 keys etc) are almost that magical moment where greater security and improved user experience come together. If you can go passwordless with your user account, then you effectively stop something like 90% of attacks. You only really then have to focus on avoiding those nasty phishing emails and dodgy web sites. Add in MFA with an authenticator app and you are adding a serious amount of security to your life for very little effort and inconvenience.
“forcing” means they require an app to be installed on my personal phone – they don’t provide work phones to non-operational staff
That's easy then. "I don't have one."
I don't know why people put up with this sort of shit from employers. They should be providing you with the tools required to do your job. If the only requirement is 2FA, there are plenty of alternatives to an Android / iPhone app.
Solved by installing Authy on my work laptop...
Where that sort of thing gets complicated is if your old device is lost or broken
You can use MS Authenticator on more than one device though. I use it on an iPad (through work) and an iPhone (my own) for the same account. They had to be set up separately, but that wasn’t much of a hassle. I prefer an authenticator app to SMS as I don’t need to share my phone number with whichever service I want to use.
SMS is inherently problematic anyway.
But that's a longer conversation and I think one that is increasingly needing to be fielded with a blog post.
For anyone who’s dubious about enabling 2FA as widely as possible, at the very least have it on your primary email. You know, the address all the requests for confirmation of password changes go to…
Just noticed that Outlook can be used “passwordless”, but does this have any advantage over using a password as part of MFA?