[LOCKDOWN] How Authenticator Apps Protect Your Accounts
I made several security recommendations in response to Facebook’s loss of 50 to 90 million user “access tokens.” One of them is to use a secure authentication app such as Google Authenticator. A reader requested more info on that, and I am happy to oblige. Read on for the scoop on how Authenticator can lock down your online accounts...
Protect Your Accounts with an Authenticator App
If you missed my article on the Facebook data breach that resulted in hackers being able to access your account without your password, see When Your Friend is Not Your Friend for background. Let's move on to our discussion of how an authentication app can add an extra layer of security to your online accounts.
An authentication app provides the second factor in a two-factor authentication (2FA) log-in system. The most widely used authenticator is a standard SMS text message delivered to a device presumed to be in your possession. If you correctly enter the six-digit code included in such a text message, the server believes you are who your username and password claim you are.
But there are serious vulnerabilities in SMS-based authentication. The SMS protocol was never designed for sensitive communications, so it utterly lacks encryption and other ways of defending against eavesdroppers. (See my article [ALERT] SIM Swapping Scams.)
Google Authenticator (hereafter, simply “Authenticator”) is a far more secure implementation of two Internet Engineering Task Force standards: RFC 4226 (HOTP, counter-based one-time passwords) and RFC 6238 (TOTP, the time-based variant). As such, Authenticator works with any server software that also conforms to those standards. Authenticator is available for Android, iOS, and BlackBerry devices.
Authenticator is not limited to Google accounts such as Gmail, Drive and YouTube. It can be used to secure your accounts with Facebook, Microsoft, Dropbox, Amazon, WordPress, and many other online services. See TwoFactorAuth.org for a long list of websites that support two-factor authentication.
The really cool thing about using a two-factor authentication app is that even if a malicious person has your username and password, they cannot log in to your account! And no, using Google Authenticator does not give Google access to any of the accounts you use it with. If you prefer to use a non-Google authentication app, check out Authy or the LastPass Authenticator.
How Do Authenticator Apps Protect You?
Authenticator, Authy and similar apps provide a six- to eight-digit one-time password which a user must enter in addition to their username and password in order to access a Google Account, log in to Google services such as Gmail and YouTube, or log in to any other online service that uses compatible 2FA algorithms. Alternatively, Authenticator can pass its codes to third-party password managers such as Dashlane, making the act of logging in nearly effortless as far as the user is concerned. Another alternative is a QR code that can be read from your device’s display; I have not tried that method.
The connection between Authenticator and the challenging server is protected end-to-end with 128- or 160-bit encryption. The code changes every 30 seconds, and it is not confined to the one million combinations that six decimal digits allow, so it is not practical to crack the code by brute force. Combined with a password manager’s very long and very random passwords, Authenticator provides the most formidable software-based security available. Only a dedicated hardware key, such as a YubiKey, is better.
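To make the mechanics above concrete, here is an added example (not code from the article, from Google, or from any authenticator app) that implements the two standards the article names: RFC 4226 HOTP and RFC 6238 TOTP, using only the Python standard library. The secret used below is the shared test secret published in both RFCs, so the codes it produces can be checked against the RFCs' own test vectors; the base32 string is simply that secret in the encoding the QR code carries. The server-side `verify_totp` function, the one-step clock-drift allowance and the replay check on `last_used_counter` are design choices of this example, not requirements of the standards.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# A real enrolment uses a random secret generated by the server.
SECRET = b"12345678901234567890"


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps receive the secret as base32 (inside the QR code's
    otpauth:// URI), often without '=' padding; restore padding and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code rolls over every 30 s."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, drift: int = 1):
    """Server-side check (example policy, not mandated by the RFCs):
    - reject anything that is not exactly `digits` decimal digits,
    - accept the current step or `drift` steps either side (clock skew),
    - compare in constant time so timing does not leak matching digits,
    - never accept a counter at or below the last one used, so a code an
      eavesdropper captured cannot be replayed within the window.
    Returns the accepted counter (to store as the new last_used_counter),
    or None if the code is rejected."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = timestamp // step
    for k in range(-drift, drift + 1):
        counter = current + k
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 test vector: counter 0 -> 755224.
    print("HOTP(0) =", hotp(SECRET, 0))
    # RFC 6238 test vector: T=59, 8 digits -> 94287082.
    print("TOTP(T=59, 8 digits) =", totp(SECRET, 59, digits=8))
    # What the app on your phone would show right now for this secret.
    print("current code =", totp(SECRET, int(time.time())))
```

Two details are worth noticing. The app and the server never talk to each other; each computes the same HMAC over the same secret and the same time counter, which is why the only things that have to match are the secret and the clock. And the server must do more than compare strings: a constant-time comparison, a bounded drift window and a replay check on the last accepted counter are what turn a correct algorithm into a safe login check.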
The latest Facebook security fiasco could not have happened if everyone were required to use an authentication app. The standards call for one-time passwords, so there would have been no database of reusable access tokens for thieves to steal.
I urge you to use an authenticator app on every service that supports it. Lobby your important online services to do so. It will save everyone much grief as bad actors exploit data breaches and SMS-based authentication’s vulnerabilities in ever-increasing attacks. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 11 Oct 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [LOCKDOWN] How Authenticator Apps Protect Your Accounts (Posted: 11 Oct 2018)