[LOCKDOWN] How Authenticator Apps Protect Your Accounts

Category: Security

I made several security recommendations in response to Facebook’s loss of 50 to 90 million user “access tokens.” One of them is to use a secure authentication app such as Google Authenticator. A reader requested more info on that, and I am happy to oblige. Read on for the scoop on how Authenticator can lock down your online accounts...

Protect Your Accounts with an Authenticator App

If you missed my article on the Facebook data breach that resulted in hackers being able to access your account without your password, see When Your Friend is Not Your Friend for background. Let's move on to our discussion of how an authentication app can add an extra layer of security to your online accounts.

An authentication app provides the second factor in a two-factor authentication (2FA) login system. The most widely used second factor is a standard SMS text message delivered to a device presumed to be in your possession. If you correctly enter the six-digit code included in such a text message, the server believes you are who your username and password claim you are.

But there are serious vulnerabilities in SMS-based authentication. The SMS protocol was never designed for sensitive communications, so it utterly lacks encryption and other ways of defending against eavesdroppers. (See my article [ALERT] SIM Swapping Scams.)

Authenticator apps

Google Authenticator (hereafter, simply “Authenticator”) is a far more secure implementation of two Internet Engineering Task Force standards: RFC 6238 and RFC 4226. As such, Authenticator works with any server software that also conforms to those standards. Authenticator is available for Android, iOS, and BlackBerry devices.

Authenticator is not limited to Google accounts such as Gmail, Drive and YouTube. It can be used to secure your accounts with Facebook, Microsoft, Dropbox, Amazon, WordPress, and many other online services. See TwoFactorAuth.org/ for a long list of websites that support two-factor authentication.

The really cool thing about using a two-factor authentication app is that even if a malicious person has your username and password, they cannot log in to your account! And no, using Google Authenticator does not give Google access to any of the accounts you use it with. If you prefer a non-Google authentication app, check out Authy or the LastPass Authenticator.

How Do Authenticator Apps Protect You?

Authenticator, Authy and similar apps provide a six- to eight-digit one-time password which a user must enter in addition to their username and password in order to access a Google Account, log in to Google services such as Gmail and YouTube, or log in to any other online service that uses compatible 2FA algorithms. Alternatively, Authenticator can pass its codes to third-party password managers such as Dashlane, making the act of logging in nearly effortless as far as the user is concerned. Another alternative is a QR code that can be read from your device’s display; I have not tried that method.

The connection between Authenticator and the challenging server is protected end-to-end with 128- or 160-bit encryption. The code changes every 30 seconds, and is not confined to one million combinations of ten decimal digits, so it is not practical to crack the code by brute force. Combined with a password manager’s very long and very random passwords, Authenticator provides the most formidable software-based security available. Only a dedicated hardware key, such as a YubiKey, is better.
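To make the two standards concrete, here is an added worked example (my own code, not part of the original article and not Google's implementation). What RFC 4226 and RFC 6238 actually specify is this: at enrollment the service hands the app a shared secret, usually as a base32 string inside an otpauth:// URI encoded in a QR code; after that, nothing travels between app and server except the code you type. Both sides compute an HMAC-SHA1 over a counter (for TOTP, the current Unix time divided by 30), truncate it as the RFC describes, and compare. The secret and the enrollment URI below are constructed for the example: the secret is the one the RFCs publish test vectors for, and the label and issuer are made up. The verify function shows the two checks a server should make beyond "does it match": tolerate a little clock skew, and never accept the same time step twice, so a code that someone watched you type cannot be reused.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# The reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Used here only because the RFCs publish the expected codes for it.
RFC_SECRET = b"12345678901234567890"

# Constructed enrollment URI of the kind an authenticator app reads from a QR
# code. Label and issuer are invented; the secret is RFC_SECRET in base32.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte selects a 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24          # drop the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the otpauth:// URI an authenticator app scans at enrollment."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)            # restore base32 padding, which URIs usually omit
    return {
        "label": parsed.path.lstrip("/"),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def verify_totp(secret: bytes, submitted: str, unix_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1, digestmod=hashlib.sha1):
    """Server-side check. Returns the matched time-step counter, or None.

    window:       how many 30-second steps of clock skew to accept on each side.
    last_counter: highest counter already accepted for this user; that step and
                  earlier ones are refused, so an observed code cannot be replayed.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits, digestmod)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    enrolled = parse_otpauth_uri(EXAMPLE_URI)
    now = time.time()
    code = totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"])
    print(f"current code for {enrolled['label']}: {code}")
    print("accepted at time step:", verify_totp(enrolled["secret"], code, now))
```

Two practical consequences follow from the design. The server must keep the shared secret in a form it can use (unlike a password, it cannot be stored as a one-way hash), so the secret store is the asset to protect. And because the code depends on time, a phone whose clock has drifted by more than the verification window will produce codes the server rejects; that is why authenticator apps offer a "time correction" option and why servers accept a small window rather than the exact step only.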

The latest Facebook security fiasco could not have happened if everyone was required to use an authentication app. The standards call for one-time passwords, so there would have been no database of reusable access tokens for thieves to steal.

I urge you to use an authenticator app on every service that supports it. Lobby the online services that matter to you to support it too. It will save everyone much grief as bad actors exploit data breaches and SMS-based authentication’s vulnerabilities in ever-increasing attacks. Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted on 11 Oct 2018.
Most recent comments on "[LOCKDOWN] How Authenticator Apps Protect Your Accounts"

Posted by: jim, 11 Oct 2018

'...delivered to a device presumed to be in your possession.'

The problem with this is simply the word 'presumed'. What happens if the only device I have on me is my phone? Or my iPad? I'm sorry, but the last thing I need is yet another complication to my life.


Posted by: Ryan James, 11 Oct 2018

This is fine for people who stay at home. If you travel extensively like we do, even the current 2 step authentication is a real pain. We are not able to get international services on our mobile phone, so when we travel, these things are a real pain.


Posted by: Bob K, 11 Oct 2018

"I urge you to use an authenticator app on every service that supports it."

And, how do I know which services support it?


Posted by: TomP, 11 Oct 2018

I use device ID a lot instead of TFA, do you think this is as secure as TFA?


Posted by: john, 11 Oct 2018

Bob, why don't you recommend some of the many open-source password managers? Some are even free. Many people feel safer with something open sourced than proprietary.


Posted by: Kenneth Heikkila, 11 Oct 2018

John, he does recommend them...often.

I use Authenticator and it does add a level of hassle, but the added security makes it worth it.

I also use Dashlane to manage my passwords and payments.

Beats the heck out of just using the password for every account as I had been known to do many years ago. Not that it ever caused me any problems; there are billions of us out there, you know.


Posted by: MartinW, 11 Oct 2018

I'm pretty dense, I admit. I'd like to know if you need a separate Authenticator (Google dongle, whatever) for each device. Or is it an app? Or what? I ask because, right at this moment, I'm sitting with three laptops running in a quarter-circle around me. A fourth (my old emergency go-to) is on a desk six feet away. Within reach are three smartphones and a flip-phone connected to phone companies, as well as the Internet. One more smartphone is Internet-connected (no phone subscription). How many authenticators do I need and how long would it take me to do "things" on all of these?


Posted by: Jim Horn, 11 Oct 2018

I am a senior citizen who is active in many ways. I do a lot on my computer at home.

I have a 2" thick binder full of sites that I use and the myriad of passwords that I use. I never use the same password for more than one site.

The authenticator seems to be pretty neat, but it may be a pain to use a dozen or more times per day.

I've thought about a password manager, but where should or can I keep it with all of those passwords, on my cell phone, or on a thumb drive?


Posted by: Bob K, 12 Oct 2018

Jim:
I would go for a thumb drive.

Cell phones are subject to all kinds of problems (stolen, dropped, dunked in the toilet, etc).

Thumb drives are much cheaper, easy to duplicate and smaller than that 2" binder.

Just put a tag on it marked "VIRUS" and a normal person won't try to look at it.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [LOCKDOWN] How Authenticator Apps Protect Your Accounts (Posted: 11 Oct 2018)
Source: https://askbobrankin.com/lockdown_how_authenticator_apps_protect_your_accounts.html