!!! Overview
[{$pagename}] is an [Authenticator] which implements an additional [Authentication Factor] for [authentication], as typically used within [Multi-Factor Authentication].

[{$pagename}]s typically implement their services using the [Time-based One-time Password Algorithm] ([TOTP]) and the [HMAC-based One-Time Password Algorithm] ([HOTP]).

[{$pagename}] is often installed on a [Mobile Device].

Many [{$pagename}]s are built on open standards developed by the [Initiative for Open Authentication] ([OATH]) (which is unrelated to [OAuth]).

Some implementations:
* [Google Authenticator]
* [Authy]
* DUO - Acquired by [CISCO]

!! Pros and cons of [Authenticator App] Code
! Pros
* [SIM] swapping won't [hijack] your [MFA] codes if you're using an [{$pagename}]. The codes depend on the app itself, not on your [SIM] card.
* [{$pagename}] does not require a connection to the [Mobile Network].
* [{$pagename}] is capable of having more features, such as displaying countdown timers and barcodes.

!! [Security Considerations]
[Authenticator App]s depend on a shared secret that both the app and the server need to store. This "seed" is combined with the time to generate the [MFA] code. If an [Attacker] can crack the app or the server and recover the secret, they can clone your [MFA] codes indefinitely.

[SMS] codes are just random values sent by the server, so there is no "seed" by which a crook could predict the next one in sequence.

Some [{$pagename}]s use the [Time-based One-time Password Algorithm] ([TOTP]) and/or the [HMAC-based One-Time Password Algorithm] ([HMAC]), which only depends on a time factor and does not require a [seed].

__Protect the [QR-code]__[1]

The [QR-code] remains valid and usable; nothing will make it stop working. This actually makes it very dangerous to [leak|Credential Leakage] the [QR-code].
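The following is an added worked example (not code from this page, from any of the apps listed above, or from the cited answer) that makes the "seed" discussion concrete: it implements [HOTP] and [TOTP] as the [OATH] specifications describe them, decodes the otpauth URI that an enrolment [QR-code] carries, and shows that any second app provisioned from the same [QR-code] produces identical codes until the account is re-enrolled with a fresh seed. The seed is the published RFC 4226 / RFC 6238 test-vector key, and the otpauth URI, label, issuer and the "new seed after reset" are constructed values for illustration; the server-side `verify_totp` check with a small drift window is an assumption about how a typical verifier behaves, not a description of any particular product.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample seed: the RFC 4226 / RFC 6238 test-vector key, chosen so
# the codes below can be checked against the published vectors.
SAMPLE_SEED = b"12345678901234567890"

# Constructed otpauth:// URI of the kind an enrolment QR-code encodes.  The
# secret is the base32 form of SAMPLE_SEED; label and issuer are made up.
SAMPLE_QR_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

# Constructed replacement seed standing in for what a server would generate
# when the user turns 2FA off and on again (a real server uses a CSPRNG).
NEW_SEED_AFTER_RESET = b"constructed-new-seed-after-reset"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    periods elapsed since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the seed and parameters that an enrolment QR-code carries."""
    parsed = urlparse(uri)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper()
    # otpauth URIs commonly omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "type": parsed.netloc,                 # "totp" or "hotp"
        "label": parsed.path.lstrip("/"),
        "seed": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Assumed server-side check: accept the code for the current period and
    `window` periods either side to tolerate clock drift.  Uses a
    constant-time comparison so the check itself leaks nothing."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return True
    return False


def demo_leaked_qr_code(unix_time: int) -> dict:
    """Why a leaked QR-code matters, and why re-enrolment fixes it."""
    enrolled = parse_otpauth_uri(SAMPLE_QR_URI)
    # Two apps provisioned from the same QR-code compute identical codes,
    # because the code is a pure function of (seed, time).
    owner_code = totp(enrolled["seed"], unix_time, enrolled["period"], enrolled["digits"])
    copy_code = totp(enrolled["seed"], unix_time, enrolled["period"], enrolled["digits"])
    return {
        "owner_code": owner_code,
        "copy_code": copy_code,
        # The server still bound to the old seed accepts the copy's code.
        "copy_accepted_before_reset": verify_totp(enrolled["seed"], copy_code, unix_time),
        # After re-enrolment the server holds NEW_SEED_AFTER_RESET, so a code
        # from the old QR-code is (with overwhelming probability) rejected.
        "copy_accepted_after_reset": verify_totp(NEW_SEED_AFTER_RESET, copy_code, unix_time),
    }


if __name__ == "__main__":
    print(demo_leaked_qr_code(59))
```

Running the block prints the owner's and the copy's codes for the test-vector time 59 (both are `287082`, matching the RFC 6238 SHA-1 vector `94287082` truncated to six digits), shows the old seed accepting that code, and shows the reset seed rejecting it. The `window` parameter is the usual trade-off between tolerating phone clock drift and widening the set of codes an attacker could guess; keeping it at one step either side is a common default.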
If an [attacker] sees it, even years after you use it the first time, they can set up their own [TOTP] ([Authenticator]) [Application] to use your [QR-code], and it will generate the same [tokens] yours does, which can potentially help the [attacker] [hijack] whatever account the [TOTP] code is protecting.

If you are protecting something sensitive, you should generate a new code (this can usually be done by turning [2FA] off, and then on again). Then, even if anybody got the __old__ [QR-code], it won't do them any good.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [https://security.stackexchange.com/a/105891/70391|https://security.stackexchange.com/a/105891/70391|target='_blank'] - based on information obtained 2017-04-13