Written by Aranza Trevino
Edited by Anne Cutler
Reviewed by Darren Guccione
An authenticator app is a secure and easy method of identity verification that works by generating number codes that users enter alongside their credentials to access an account. Keep reading for details on how authenticator apps work and how to use them.
Authenticator apps are used as an additional method of verification for Multi-Factor Authentication (MFA). MFA is an important security measure that protects your account in case your password is compromised. Passwords are compromised frequently in today’s cybersecurity environment due to data breaches and sophisticated phishing attacks, among other types of cyberthreats.
Some of the most popular apps include Google Authenticator and Microsoft Authenticator. To verify your identity, an authenticator app generates a code called a Time-based One Time Password (TOTP) that you enter along with your username and password when you log into an account. The code is usually six to eight digits.
Experts recommend using MFA on every account that it’s available to increase security and better protect your personal data. An authenticator app is a free, simple and secure way to use MFA, and most accounts with security settings offer it as an option.
Authenticator apps work based on the TOTP verification model. When you set up MFA on your account and choose TOTP, the account server will create a QR code that the authenticator app will scan. The QR code contains a secret algorithm that uses the current time as a factor in generating TOTP codes.
The authenticator app and the account server will be the only parties that possess the secret algorithm. They will independently use the secret to generate the exact same codes at the exact same time.
When the user logs in, they will enter the code displayed in the authenticator app. The server will check if the entered code matches the code that it generated. If the codes match, the user is granted access. If not, user access is denied.
There are many options for authenticator apps. Popular standalone phone apps include Google Authenticator and Microsoft Mobile Phone Authenticator.
Authenticator apps can also be integrated into a password manager like Keeper Password Manager. A password manager securely stores all your credentials, including passwords, passkeys and TOTP codes. This option is the most convenient because password managers sync across all devices and some can autofill your TOTP code along with your credentials. It also means you don’t have to wrangle with multiple devices just to log in.
Authenticator apps are secure because they keep the code local to your device and the codes are not sent unencrypted over the internet. This means they can’t be intercepted through common cyberattack methods. Since the codes reset every thirty to sixty seconds, it’s difficult for cybercriminals to steal them. Because using an authenticator app is simple, free and secure, it’s now the most recommended type of MFA.
For a long time, the default MFA method was a one-time code sent by SMS text to your phone or by email. However, there are a number of security flaws with this method. These messages are not encrypted. Since they are not encrypted, cybercriminals will be able to see the codes in plain text if they intercept them. These codes are often valid from fifteen minutes to a few hours, which gives cybercriminals time to steal the codes and use them to log into your account.
SIM swapping also makes this type of MFA vulnerable. SIM swapping is an attack in which a cybercriminal impersonates you to convince a phone provider to switch your phone number to a new SIM card on their phone so they can receive your phone calls and texts – including the SMS codes sent for MFA.
Authenticator apps are unlikely to be compromised, but there are some rare instances in which they could be. The codes can be stolen if a hacker gains access to the app on your device. That means, if you have a standalone authenticator app, a hacker that steals and hacks into your physical device might be able to access your codes.
Theoretically, if a cybercriminal stole the QR code itself, and thus the secret algorithm, they could hack into your accounts. But this is uncommon in practice. This is only possible if the account servers are insecure, if you compromise the QR code by sharing it with others or if you save a screenshot of it in an insecure location.
To protect the TOTP codes in your authenticator app, you should keep your device protected with a PIN code so only you can open the device. You should also keep the QR code a secret by not sharing it or saving screenshots of it.
Here are the steps to set up an authenticator app:
Authenticator apps are highly secure and easy to set up and use. We highly recommend the use of an authenticator app for MFA. Keeper Password Manager integrates authenticator app functionality right into its application, which streamlines your cybersecurity and makes it easy to secure your accounts.
Start a free 30-day trial of Keeper Password Manager to see how we can make your digital life more secure.
You May Also Like
The safest way to send your Social Security number (SSN) is by using a password manager. A password manager is a tool used to keep passwords and other sensitive data secure at all times. A little-known...
Choose Language