Authenticator app

What is an authenticator app?

An authenticator app is a security application that usually runs on your mobile device, generating temporary codes for multi-factor authentication. The temporary code is used along with user ID and password as part of an enhanced login protocol meant to provide increased security. These enhanced login protocols may apply when logging into websites, software, or other apps.

Some authenticator apps have additional capabilities, but the primary task is to replace delivery of a temporary 6-8 digit code via text, voice, or email. An authenticator app is more secure than many MFA options (particularly SMS text) and can be easier to use.

What does multi-factor authentication mean?

Multi-factor authentication (MFA) is a login process that requires multiple forms of proof of identity, often including a password, biometric data, or a security token. Each item submitted with the user ID is called a factor. MFA requires more than one factor to authenticate the individual’s stated identity. A good MFA process requires different types of factors, including factors that are very difficult for a hacker to acquire. MFA is becoming more common because phishing attacks and data breaches have weakened the security of the traditional single-password login.

The prevalent MFA login setup, sometimes called two-factor authentication or 2FA, is a user ID followed by a password (the first factor) and then a 6- to 8-digit temporary code (the second factor), usually transmitted to the user via SMS text message. This temporary code is called a one-time passcode, or OTP. While OTPs in general add additional security to the login process, using SMS texts to deliver the OTP can introduce security risks.

Authenticator apps provide a more secure method of delivering OTPs by replacing the vulnerable SMS text method with a tool that’s in the possession of the user. Since the OTP comes directly from the app on the user’s phone, there are no transmissions that can potentially be intercepted. It also reduces the possibility of a user becoming a victim of a phishing attempt to steal a texted OTP.

How do authenticator apps work?

An authenticator app—which relies on cryptography—creates a time-based, one-time passcode (TOTP). This TOTP algorithm calculates an OTP based on the time of day, and a secret known only by your authenticator app and the service you’re logging into. The private algorithm is passed from the service to the authenticator app during the setup process. The TOTP changes frequently, using the same algorithm and the new current time.

When you need a TOTP to log in to a site or service, the authenticator app has one ready to go. This all happens on your phone—there’s no network interaction. You enter the code as part of the login; the service then uses the same algorithm and the current time to verify the code you entered. When the entered code matches the code calculated by the service, you have successfully logged in.

Some authenticator apps, in coordination with the service providers, can do more than just provide TOTPs. They can also replace password entry with biometric factors like fingerprint or face scans. Some can set up push notification protocols—a process that pauses the regular login procedure to request approval of the login by the account owner.

Why are authenticator apps a good choice?

Authenticator apps offer several improvements over other MFA procedures:

• SMS messaging isn’t encrypted, and is easy to intercept. TOTPs provided by authenticator apps are never transmitted, and so can’t be intercepted.
• SMS codes are valid for longer time periods (15 minutes is common), giving a hacker time to use the stolen code. In contrast, authenticator app codes are only valid for a minute or less.
• Some phones display text messages while the phone is at rest, including displaying an OTP. This means anyone can potentially view the texted OTP. Authenticator apps require you to unlock the phone, and possibly even the app, before you can view the OTP.
• Authenticator apps are easier to use—they don’t require checking email or text messages, or listening to a voice message. An individual is more likely to use an authenticator app on more accounts, increasing overall security.
• It’s less likely that a hacker can hijack or copy your authenticator app functionality. They would have to either intercept the initial code-generating algorithm, gain access to the app once it’s installed on your phone, or take control of your phone number through a SIM swapping attack (which is possible but less common).

Are authenticator apps different from password managers?

The main goal of a password manager is to keep track of static (permanent) passwords, and sometimes user IDs and other personal information. However, there are some password managers that can also act like an authenticator app and provide OTPs. Other password managers will sync with certain authenticator apps to streamline the MFA process. Using a password manager to act as an authenticator app, or integrate with one, has the advantage of syncing everything over all your devices.

Selecting and setting up an authenticator app

In a work or school setting, you may be required to use a specific authenticator app by an IT admin. For personal use, you should select one from your phone’s official app store. Base your selection on what features matter to you and what platform you need it to run on (iOS or Android, for instance). Some authenticator apps focus on privacy or security, while others may prioritize functioning within work networks, or offer access through peripherals like a smartwatch. Authenticator apps are generally free. Be wary of ones that cost up front or require in-app purchases—fees may indicate a shady developer.

While all authenticator apps perform the basic task of generating TOTPs, there are some good features to look for. An app that allows you to back up your data in case you lose or change phones can be a big time saver down the road. Other things to look for are encrypting stored data, functionality on multiple platforms (mobile and desktop), and integration with a password manager. Choosing an app from a reputable publisher is always a good idea.

Once the app is installed, and you’ve set up any required account with the authenticator (not all authenticator apps require an account), go to each service provider’s website and start the process there. In the security settings section, turn on MFA or 2FA and then select “authenticator app” as the method. Registering your app with the website usually just requires scanning a QR code displayed on the screen and then confirming with a TOTP.

Other security best practices

Using an authenticator app is a great step toward increasing the security of your online accounts. Here are some additional steps you can take:

• Keep the authenticator app on a secure device—your phone should need something like a PIN, or a fingerprint or face scan to unlock.
• Turn on the MFA option whenever available.
• If the only MFA option available is OTP SMS codes, then it’s still recommended to use it over nothing. However, it’s recommended that you have a separate prepaid phone number or Google Voice phone number to use only for receiving these OTP SMS codes.
• Never share a one-time password with anyone else.
• Don’t rely on an authenticator app to provide all the security you need. Continue to practice good password habits by creating strong, unique passwords.
• Use a password manager to help manage the login process. This increases security and makes logging in easier.