I am a firm believer in, and user of two-factor authentication (TFA or 2FA). Heck, if there was three-factor authentication I would probably sign up. The two most popular authenticator apps are Authy and Google Authenticator. I primarily use Google Authenticator wherever I can. I use SMS when Authenticator isn’t an option, or won’t work. I had trouble, for instance, getting Facebook to work and so I settled for SMS when logging into Facebook.
In researching this story, I did
The Good, the Bad, and the Ugly of authenticator app codes
- Authenticator apps are encrypted, which keeps them from falling victim to phone or SIM card cloning attacks.
- Authenticator apps can work even when you don’t have mobile coverage, you can create an save a list of one-time passcodes for those times.
- The Authenticator can also generate codes for third-party applications, such as password managers, file hosting services, and other applications such as g-Syncit for MS Outlook.
- Getting to the code can be inconvenient. In my particular case, first I enter my user name and password into a protected site, then a one-time passcode box opens. Turning to my phone, I first unlock the screen with my 5 digit screen lock passcode. Then I flip to the Authenticator app, and open it. Then I enter the 6-digit code into the passcode box. This does take time, but most websites will leave you logged in, even for a few days. Maybe that’s bad that I do that
- Authenticator apps use a shared secret that both the app and the server need to store. This is called a “seed.” Using fancy math, the seed is combined with the time of day to generate the TFA code. If the app or the server is breached and the seed stolen, the bad guys can clone your TFA codes indefinitely. On the other hand, SMS codes are random values sent by the server, so there is no way to predict the next one in sequence.
- If you are using online services from the same smartphone that has the authenticator app, an attacker could conceivably access both your password and TFA at the same time.
The Good, the Bad, and the Ugly of SMS codes
- SMS codes are convenient. There’s no app to install and configure for every account you want to include.
- SMS authentication can warn you if someone’s trying to break in to your account. The TFA messages on your phone from a website you are not accessing is a clue that your password has been compromised and needs to change.
- If you don’t have a smartphone, this is the only option.
- NIST has declared that SMS-based TFA is insecure, and can no longer be used except in very particular cases using tightly defined methods.
- An attacker can hijack your SMS codes if they can clone or swap your SIM card. If they can convince the mobile phone provider that they are you, they can get a replacement SIM with your phone number.
So there you have it. On Friday we are going to look at the problem that NIST has with SMS two-factor, so you will probably want to check that out, too.Share