An authenticator app is a secure and easy method of identity verification that works by generating number codes that users enter alongside their credentials to access an account. Keep reading for details on how authenticator apps work and how to use them.
What Does an Authenticator App Do?
Authenticator apps are used as an additional method of verification for Multi-Factor Authentication (MFA). MFA is an important security measure that protects your account in case your password is compromised. Passwords are compromised frequently in today’s cybersecurity environment due to data breaches and sophisticated phishing attacks, among other types of cyber threats.
Some of the most popular apps include Google Authenticator and Microsoft Authenticator. To verify your identity, an authenticator app generates a code called a Time-based One Time Password (TOTP) that you enter along with your username and password when you log into an account. The code is usually six to eight digits.
Why You Should Use an Authenticator App
Experts recommend using MFA on every account that it’s available to increase security and better protect your personal data. An authenticator app is a free, simple and secure way to use MFA, and most accounts with security settings offer it as an option.
How Authenticator Apps Work
Authenticator apps work based on the TOTP verification model. When you set up MFA on your account and choose TOTP, the account server will create a QR code that the authenticator app will scan. The QR code contains a secret algorithm that uses the current time as a factor in generating TOTP codes.
The authenticator app and the account server will be the only parties that possess the secret algorithm. They will independently use the secret to generate the exact same codes at the exact same time.
When the user logs in, they will enter the code displayed in the authenticator app. The server will check if the entered code matches the code that it generated. If the codes match, the user is granted access. If not, user access is denied.
There are many options for authenticator apps. Popular standalone phone apps include Google Authenticator and Microsoft Mobile Phone Authenticator.
Authenticator apps can also be integrated into a password manager like Keeper Password Manager. A password manager securely stores all your credentials, including passwords, passkeys and TOTP codes. This option is the most convenient because password managers sync across all devices and some can autofill your TOTP code along with your credentials. It also means you don’t have to wrangle with multiple devices just to log in.
Are Authenticator Apps Secure?
Authenticator apps are secure because they keep the code local to your device and the codes are not sent unencrypted over the internet. This means they can’t be intercepted through common cyber attack methods. Since the codes reset every thirty to sixty seconds, it’s difficult for cybercriminals to steal them. Because using an authenticator app is simple, free and secure, it’s now the most recommended type of MFA.
For a long time, the default MFA method was a one-time code sent by SMS text to your phone or by email. However, there are a number of security flaws with this method. These messages are not encrypted. Since they are not encrypted, cybercriminals will be able to see the codes in plain text if they intercept them. These codes are often valid from fifteen minutes to a few hours, which gives cybercriminals time to steal the codes and use them to log into your account.
SIM swapping also makes this type of MFA vulnerable. SIM swapping is an attack in which a cybercriminal impersonates you to convince a phone provider to switch your phone number to a new SIM card on their phone so they can receive your phone calls and texts – including the SMS codes sent for MFA.
Authenticator apps are unlikely to be compromised, but there are some rare instances in which they could be. The codes can be stolen if a hacker gains access to the app on your device. That means, if you have a standalone authenticator app, a hacker that steals and hacks into your physical device might be able to access your codes.
Theoretically, if a cybercriminal stole the QR code itself, and thus the secret algorithm, they could hack into your accounts. But this is uncommon in practice. This is only possible if the account servers are insecure, if you compromise the QR code by sharing it with others or if you save a screenshot of it in an insecure location.
To protect the TOTP codes in your authenticator app, you should keep your device protected with a PIN code so only you can open the device. You should also keep the QR code a secret by not sharing it or saving screenshots of it.
Steps To Set Up an Authenticator App
Here are the steps to set up an authenticator app:
- Choose your authenticator app. We recommend using a password manager, but you have a few different options to choose from. Choose whatever is easiest for you to use.
- Download the application to your device. If you’re using a standalone authenticator app we recommend downloading it onto your phone because you are most likely to have your phone whenever you need to log into an account.
- Request a QR code from your account. This can usually be found in the security settings of the account you want to secure under your MFA options.
- Scan the QR code with the authenticator app. The application you’re using will use either the device camera or a screenshot function to scan the QR code.
- You’re ready to go! Use the displayed TOTP code in the authenticator app to log into your account. If you choose to use a password manager for your TOTP codes, they will autofill for you upon login.
Use Authenticator Apps for MFA
Authenticator apps are highly secure and easy to set up and use. We highly recommend the use of an authenticator app for MFA. Keeper Password Manager integrates authenticator app functionality right into its application, which streamlines your cybersecurity and makes it easy to secure your accounts.
Start a free 30-day trial of Keeper Password Manager to see how we can make your digital life more secure.
