[DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts

Category: Security

Data breaches expose millions of account credentials (usernames, passwords and other personal info) on a frighteningly regular basis. But there are ways to protect your online accounts from criminals who buy and sell this information on the dark web. One of them is to use a secure authentication app such as Google Authenticator. Doing so will make you immune to account hijacking, even if your password is exposed. Read on for the scoop on how authenticator apps can lock down your online accounts...

Protect Your Accounts with an Authenticator App

If you missed my October 2018 article on the Facebook data breach that resulted in hackers being able to access your account without your password, see When Your Friend is Not Your Friend for background. Let's move on to our discussion of how an authentication app can add an extra layer of security to your online accounts.

An authentication app provides the second factor in a two-factor authentication (2FA) log-in system. The most widely used authenticator is a standard SMS text message delivered to a device presumed to be in your possession. If you correctly enter the six-digit code included in such a text message, the server believes you are who your username and password claim you are.

But there are vulnerabilities in SMS-based authentication. The SMS protocol was never designed for sensitive communications, so it utterly lacks encryption and other ways of defending against eavesdroppers. (See my article [ALERT] SIM Swapping Scams.)

Authenticator apps

Google Authenticator (hereafter, simply “Authenticator”) is a far more secure implementation of two Internet Engineering Task Force standards: RFC 6238 and RFC 4226. As such, Authenticator works with any server software that also conforms to the standards. Authenticator is available for Android, iPhone and iPad devices.

Authenticator is not limited to Google accounts such as Gmail, Drive and YouTube. It can be used to secure your accounts with Facebook, Microsoft, Dropbox, Amazon, WordPress, and many other online services. See TwoFactorAuth.org for a long list of websites that support two-factor authentication.

The really cool thing about using a two-factor authentication app is that even if a malicious person has your username and password, they cannot log in to your account! And no, using Google Authenticator does not give Google access to any of the accounts you use it with. If you prefer to use a non-Google authentication app, check out Authy or the LastPass Authenticator.

Online businesses increasingly urge customers to use two-factor authentication. Some even insist upon it. If it sounds like a nuisance to enter both a password and a verification code every time you log in, well, you're right. But most services that offer two-factor authentication give you the option to enter the code once and check a box that says something like "trust this computer." If you do that, you won’t need to enter a verification code each time you sign in with that computer.

How Do Authenticator Apps Protect You?

Authenticator, Authy and similar apps provide a six- to eight-character one-time password which a user must enter in addition to their username and password in order to access a Google Account, log in to Google services such as Gmail and YouTube, or log into any other online service that uses compatible 2FA algorithms. Alternatively, Authenticator can pass its codes to third-party password managers such as Dashlane, making the act of logging in nearly effortless as far as the user is concerned. Another alternative is a QR code that can be read from your device’s display; I have not tried that method.

The connection between Authenticator and the challenging server is protected end-to-end with 128- or 160-bit encryption. The code changes every 30 seconds, and is not confined to one million combinations of ten primary digits, so it is not practical to crack the code by brute force. Combined with a password manager’s very long and very random passwords, Authenticator provides the most formidable software-based security available. Only a dedicated hardware key, such as a YubiKey, is better. (See my article Are You Ready for Hardware Security Keys? for an explanation of how they work, and some recommended products.)

I urge you to use an authenticator app on every service that supports it. Lobby your important online services to do so. It will save everyone much grief as bad actors exploit data breaches and SMS-based authentication’s vulnerabilities in ever-increasing attacks. Your thoughts on this topic are welcome. Post your comment or question below.

 

This article was posted by on 15 Jun 2020



Most recent comments on "[DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts"

Posted by:

Robert Mansker
15 Jun 2020

Bob, all my banking is with my desktop. Will this Authenticator work with MS10?
Robt


Posted by:

11bravo
16 Jun 2020

Good for the US, but for travel... (at least when those days return...)

I always buy a local SIM card so I don't have to pay roaming fees. There goes SMS notifications...

While Google might work, that assumes you can access Google. In China, unless you have a VPN, Google, and many other "common" sites are blocked by the Great Firewall. While VPNs still work, the firewall is getting smarter and smarter...

Bottom line, this is why I carry all my passwords stored locally (though maybe synced via the network, à la 1Password), so I don't have to worry about "blockages".

So what's an international solution for 2FA?


Posted by:

Doug
16 Jun 2020

Curious why you did not include the Microsoft authenticator. I have used it for work for several years and it works well.


Posted by:

Stephan
20 Jun 2020

One thing to keep in mind with this 2-factor authentication: What if you don't have your phone with you? I don't have my phone with me 24/7 so that is an issue. If I forget/lose my phone then I won't be receiving those texts until I get a replacement/find the phone.


Posted by:

BARBARA FRANK
20 Jun 2020

Google keeps sending my code to my home phone, which cannot receive texts. It used to call me on that phone, but now has switched to texts. I am vision-impaired and texts are difficult, if not impossible, to read. How can I get Google to use voice rather than texts to my home phone?

Can you suggest a 2FA method for the vision-impaired?


Posted by:

Doron Narkiss
30 Jun 2020

Terrible reviews on the Authenticator download site. It's a good idea, but I'll wait till Google irons out the bugs.


Posted by:

Pat
24 Sep 2020

For rural residents with no cell phone service, 2 factor is a non-starter.


Posted by:

DanP
09 Jul 2024

The thing that concerns me the most about authenticator apps is the worry of what to do if my phone breaks or gets lost. It's one thing to be separated from your phone as mentioned by Stephan above. But what if the phone dies completely? Anyone have a suggestion?



Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts (Posted: 15 Jun 2020)
Source: https://askbobrankin.com/digital_lockdown_authenticator_apps_protect_your_accounts.html