[DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts
Data breaches expose millions of account credentials (usernames, passwords and other personal info) on a frighteningly regular basis. But there are ways to protect your online accounts from criminals who buy and sell this information on the dark web. One of them is to use an authenticator app such as Google Authenticator. Doing so means that a leaked password alone is no longer enough to hijack your account. Read on for the scoop on how authenticator apps can lock down your online accounts...
Protect Your Accounts with an Authenticator App
If you missed my October 2018 article on the Facebook data breach that resulted in hackers being able to access your account without your password, see When Your Friend is Not Your Friend for background. Let's move on to our discussion of how an authentication app can add an extra layer of security to your online accounts.
An authentication app provides the second factor in a two-factor authentication (2FA) log-in system. The most widely used second factor today is not an app at all but a standard SMS text message delivered to a phone presumed to be in your possession. If you correctly enter the six-digit code included in such a text message, the server accepts that whoever typed the password also holds the phone.
But SMS-based authentication has known weaknesses. The SMS protocol was never designed for sensitive communications: messages are not encrypted end-to-end, and a criminal who talks your carrier into moving your phone number to a SIM card he controls receives your codes instead of you. (See my article [ALERT] SIM Swapping Scams.)
Google Authenticator (hereafter, simply "Authenticator") is a far more secure option. It implements two Internet Engineering Task Force standards: RFC 4226 (HOTP, counter-based one-time passwords) and RFC 6238 (TOTP, the time-based variant that most websites use). Because these are open standards, Authenticator works with any server software that also conforms to them. Authenticator is available for Android, iPhone and iPad devices.
Authenticator is not limited to Google accounts such as Gmail, Drive and Youtube. It can be used to secure your accounts with Facebook, Microsoft, Dropbox, Amazon, WordPress, and many other online services. See TwoFactorAuth.org/ for a long list of websites that support Two-Factor Authentication.
The really cool thing about using a two-factor authentication app is that even if a malicious person has your username and password, they cannot log in to your account without also getting a current code from your phone. And no, using Google Authenticator does not give Google access to any of the accounts you use it with; the secret key stays on your device, and the app generates codes without any network connection. If you prefer a non-Google authentication app, check out Authy or the LastPass Authenticator.
Online businesses increasingly urge customers to use two-factor authentication. Some even insist upon it. If it sounds like a nuisance to enter both a password and a verification code every time you log in, well, you're right. But most services that offer two-factor authentication give you the option to enter the code once and check a box that says something like "trust this computer." If you do that, you won’t need to enter a verification code each time you sign in with that computer.
How Do Authenticator Apps Protect You?
Authenticator, Authy and similar apps provide a six- to eight-digit one-time password which a user must enter in addition to their username and password in order to access a Google Account, log in to Google services such as Gmail and YouTube, or log in to any other online service that uses the same 2FA algorithms. Setup works like this: when you turn on 2FA, the website displays a QR code that encodes a secret key to be shared between the site and your app. You scan it once with your phone's camera, and from then on the app can generate that site's codes. Many password managers, Dashlane among them, can store that same secret key and generate the codes themselves, which makes the act of logging in nearly effortless as far as the user is concerned.
There is no live connection between Authenticator and the server. The two share the secret key (typically 128 or 160 bits) that was set up when you scanned the QR code; each side computes a keyed hash (HMAC) of the current 30-second time slot and takes six digits from the result. That is why the code changes every 30 seconds and why your phone can generate it with no signal at all. A six-digit code is one of only a million possibilities, but brute force is still impractical: a code is valid only for its 30-second slot (plus a small grace window for clock drift), and any properly run server throttles or locks the account after a handful of wrong guesses. Combined with a password manager's very long and very random passwords, Authenticator provides some of the strongest software-based security available. Only a dedicated hardware key, such as a YubiKey, is better: a key using the FIDO/U2F standard refuses to work on a look-alike phishing site, whereas a six-digit code can be typed into a fake login page just as easily as into the real one. (See my article Are You Ready for Hardware Security Keys? for an explanation of how they work, and some recommended products.)
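To make the mechanism above concrete, here is a small working implementation of the enrollment and code-generation steps, written for this article and not taken from Google Authenticator or any other product. It parses the otpauth:// URI that a site's QR code encodes, generates HOTP (RFC 4226) and TOTP (RFC 6238) codes, checks a submitted code the way a server would, and computes how likely a guessing attack is to succeed. The secret key is the published test key from the two RFCs; the account label and issuer in the sample URI are made up for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI of the kind a site's 2FA QR code encodes. The secret is the
# published RFC 4226/6238 test key ("12345678901234567890" in ASCII, base32-encoded);
# the label and issuer are made-up examples.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// URI (the payload of a 2FA enrollment QR code)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = params["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding some sites omit
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter), dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps on
    either side (clock drift), comparing in constant time to avoid timing leaks."""
    current = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, step, digits, algorithm), submitted)
        for step in range(current - window, current + window + 1)
    )


def guess_success_probability(attempts: int, digits: int = 6, window: int = 1) -> float:
    """Chance that `attempts` random guesses hit one of the 2*window+1 currently valid
    codes. This is why a lockout after a few failures matters more than code length."""
    valid = 2 * window + 1
    return 1.0 - (1.0 - valid / 10 ** digits) ** attempts


if __name__ == "__main__":
    enrolled = parse_otpauth(EXAMPLE_OTPAUTH_URI)
    key = enrolled["secret"]
    # RFC 6238 test vector: T=59 with the test key and 8 digits yields 94287082.
    print(totp(key, 59, digits=enrolled["digits"]))
    # The same code is still accepted one step later, but not two steps later.
    print(verify_totp(key, "94287082", 89, digits=8), verify_totp(key, "94287082", 119, digits=8))
    # Five guesses against a 6-digit code with a +/-1 step window: about 1.5e-5.
    print(f"{guess_success_probability(5):.1e}")
```

Nothing in this code ever talks to a network: the app side only needs the secret and the current time, which is exactly why Google never sees your codes. The `window` parameter is the grace period a server allows for phone clocks that drift a little; making it large defeats the purpose, since every extra step adds another valid code for a guesser to hit.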
I urge you to use an authenticator app on every service that supports it, and to lobby the important online services that don't yet offer it to add it. It will save everyone much grief as bad actors exploit data breaches and SMS-based authentication's weaknesses in ever-increasing attacks. Your thoughts on this topic are welcome. Post your comment or question below.
This article was posted by Bob Rankin on 15 Jun 2020
Copyright © 2005 - Bob Rankin - All Rights Reserved