Overview#
Authenticator App is an Authenticator which implements an additional Authentication Factor for authentication as typically used within Multi-Factor Authentication.Authenticator App typically implement their services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-Time Password Algorithm (HOTP)
Authenticator App Often is on a Mobile Device
Many Authenticator Apps are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
Some implementations:
- Google Authenticator
- Authy
- DUO - Acquired by CISCO
Pros and cons of Authenticator App Code#
Pros#
- SIM swapping won’t hijack your MFA codes if you’re using an Authenticator App. The codes depend on the app itself, not on your SIM card.
- Authenticator App does not require a connection to the Mobile Network
- Authenticator App is capable of having more features such as displaying countdown timers and barcodes.
Security Considerations#
Authenticator Apps depend on a shared secret that both the app and the server need to store. This "seed" is combined with the time to generate the MFA code. If an Attacker can crack the app or the server and recover the secret, they can clone your MFA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.Some Authenticator Apps use services using the Time-based One-time Password Algorithm (TOTP) and/or HMAC-based One-Time Password Algorithm HMAC which only depends on a time factor and does not require a seed.
The QR-code remains valid and usable; nothing will make it stop working. This actually makes it very dangerous to leak the QR-code. If an attacker sees it, even years after you use it the first time, they can set up their own TOTP (Authenticator) Application to use your QR-code, and it will generate the same tokens yours does, which can potentially help the attacker hijack whatever account the TOTP code is protecting. If you are protecting something sensitive, you should generate a new code (this can usually be done by turning 2FA off, and then on again). Then, even if anybody got the old QR-code, it won't do them any good.
More Information#
There might be more information for this subject on one of the following:- [#1] - https://security.stackexchange.com/a/105891/70391
- based on information obtained 2017-04-13-