This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an [Authenticator] which implements an additional [Authentication Factor] for [authentication] as typically used within [Multi-Factor Authentication].
[{$pagename}]s typically implement their services using the [Time-based One-time Password Algorithm] ([TOTP]) and the [HMAC-based One-Time Password Algorithm] ([HOTP]).
[{$pagename}] is often installed on a [Mobile Device].
Many [{$pagename}]s are generated using open standards developed by the [Initiative for Open Authentication] ([OATH]) (which is unrelated to [OAuth]).
Some implementations:
* [Google Authenticator]
* [Authy]
* DUO - Acquired by [CISCO]
!! Pros and cons of [Authenticator App] Code
! Pros
* [SIM] swapping won’t [hijack] your [MFA] codes if you’re using an [{$pagename}]. The codes depend on the app itself, not on your [SIM] card.
* [{$pagename}] does not require a connection to the [Mobile Network].
* [{$pagename}] is capable of having more features such as displaying countdown timers and barcodes.
!! [Security Considerations]
[Authenticator App]s depend on a shared secret that both the app and the server need to store. This "seed" is combined with the time to generate the [MFA] code. If an [Attacker] can crack the app or the server and recover the secret, they can clone your [MFA] codes indefinitely. [SMS] codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.
Some [{$pagename}]s implement the [Time-based One-time Password Algorithm] ([TOTP]) and/or the [HMAC-based One-Time Password Algorithm] ([HOTP]), which only depends on a time factor and does not require a [seed].
__Protect the [QR-code]__[1]
The [QR-code] remains valid and usable; nothing will make it stop working. This makes it very dangerous to [leak|Credential Leakage] the [QR-code]. If an [attacker] sees it, even years after you first used it, they can set up their own [TOTP] ([Authenticator]) [Application] from your [QR-code], and it will generate the same [tokens] yours does, which can help the [attacker] [hijack] whatever account the [TOTP] code is protecting. If you are protecting something sensitive, you should generate a new code (this can usually be done by turning [2FA] off, and then on again). Then, even if anybody got the __old__ [QR-code], it won't do them any good.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [https://security.stackexchange.com/a/105891/70391|https://security.stackexchange.com/a/105891/70391 |target='_blank'] - based on information obtained 2017-04-13