Lawyers need to understand what authenticator apps are in order to improve the security of their logins.
Why use authenticator apps?
Authenticator apps, like Google Authenticator, Microsoft Authenticator or Authy, provide security that’s better than SMS-based Two-Factor Authentication (2FA).
That’s because they generate valid verification codes whether or not your phone is online, unlike SMS-based 2FA, which requires a cellular network to deliver a code.
How authenticator apps work
Time-Based One-Time Password (TOTP)
The primary method these apps use is TOTP. This algorithm generates a one-time password based on the current time and a shared secret key.
Setting up the Authenticator:
When you first set up an authenticator app for a particular service:
- The service provides a QR code.
- You scan this QR code with your authenticator app.
- This QR code encodes a shared secret key that’s specific to your user account on that service.
- Both the server (the online service) and your app now have the same shared secret, but it’s never exposed or sent over the internet again after the initial setup.
Generating Codes:
When you open the app, it uses the TOTP algorithm to generate a code. This involves taking the shared secret and the current time as inputs and producing a (usually) 6-digit number as output.
The server knows your shared secret (from when you first set up the authenticator) and the current time. So, when you log in and provide the 6-digit number, the server can replicate the TOTP algorithm on its end. If the code the server generates matches the code you input, it knows the login attempt is legitimate.
Time Window:
The generated codes are only valid for a short window of time, typically 30 seconds. After that, a new code is generated. This is why the codes in the app change periodically. The server is aware of this time window, so even if an attacker manages to intercept or glimpse your code, it won’t be useful for very long.
Offline Operation: Since the code generation is based on a combination of the shared secret and the current time, and not on any communication with the server, your phone doesn’t need an internet or cellular connection to generate valid codes once the initial setup is complete.
Backup and Recovery: Some authenticator apps offer backup solutions, such as encrypted cloud backups or manual backup codes, to ensure you don’t lose access to your accounts if you lose your phone.
Advantages Over SMS: Authenticator apps are generally considered more secure than SMS-based 2FA. SMS codes can be intercepted, especially if an attacker has convinced a mobile phone operator to redirect your text messages to them (a SIM swap attack).
Moreover, SMS-based 2FA becomes problematic if you’re in an area with no cell reception.
Bottom Line:
Remember, while 2FA using an authenticator app significantly increases account security, no method is 100% invulnerable.
Always be wary of phishing attempts and other social engineering methods that might be used to try to compromise your security.