Overview#

Authenticator App is an application which implements an additional Authentication Factor for authentication.

Authenticator App typically implement their services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-Time Password Algorithm (HOTP)

Authenticator App Often is on a Mobile Device

Some implementations:

Pros and cons of Authenticator App Code#

Pros#

  • SIM swapping won’t hijack your MFA codes if you’re using an Authenticator App. The codes depend on the app itself, not on your SIM card.
Authenticator apps work even when you don’t have mobile coverage.
  • Authenticator App does not require a connection to the Mobile Network
  • Authenticator App is capable of having more features such as displaying countdown timers and barcodes.

Cons#

Authenticator Apps depend on a shared secret that both the app and the server need to store. This "seed"" is combined with the time to generate the MFA code. If an Attacker can crack the app or the server and recover the secret, they can clone your MFA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.

Some Authenticator Apps use services using the Time-based One-time Password Algorithm (TOTP) and/or HMAC-based One-Time Password Algorithm HMAC which only depends on a time factor and does not require a seed.

Protect the QR-code[1]#

The QR-code remains valid and usable; nothing will make it stop working. This actually makes it very dangerous to leak the QR-code. If an attacker sees it, even years after you use it the first time, they can set up their own TOTP (Authenticator) app to use your QR-code, and it will generate the same tokens yours does, which can potentially help the attacker hijack whatever account the TOTP code is protecting. If it's something sensitive, you should generate a new code (this can usually be done by turning 2FA off, and then on again). Then, even if anybody got the old QR-code, it won't do them any good.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-8) was last changed on 13-Apr-2017 12:24 by jim