Authenticator Apps
Like many security professionals, we at Pythia Cyber are not overly impressed with passwords. If they are good passwords then they are hard to remember and hard to type. If you take security seriously, they are a pain to manage: a unique one for every account, changing them at random intervals. Worse, the target systems keep exposing them to criminals.
So what to use instead? Two-factor authentication is a big step up: you still have a password, but you are not relying solely on that password. That is what the "two" means: a password plus something else.
(Passkeys are also an option, but they get their own post.)
All second factors produce a temporary authentication code which is required in addition to your password. But not all second factors are created equal. In order of effectiveness, the common options are:
- An authenticator app
- A code sent via text message
- A code sent via email
Before we talk about the best we will dispose of the rest.
In last place is a temporary code sent via email. The system to which you want access makes up a code and sends it to the email address on file for your account. This is better than nothing, as it will stop someone who has stolen your password. But it has a number of issues:
- If the evildoer has compromised your email account then this method provides zero protection.
- If the evildoer can see your email come down the wire, then there is zero protection.
- If the evildoer can see your physical screen when the code comes then it is a race.
A huge problem is that people are not used to thinking of their email accounts as critical digital assets, so breaking into an email account is often easier than it should be. Compounding this problem is the fact that so many systems now accept or even require an email address as your user ID. So if I break into your email account I know your user ID and if this is how you do two-factor authentication, I will get the temporary authentication code. Now all I need to do is guess your password for the target system, which all too often is the same as your email password.
This method exists only to support people who do not have a smart phone. It is not a great option. Don't select it unless you don't have a smart phone or can't reliably use your smart phone.
How about the temporary code sent via text message? The level of effort to defeat this method is higher, but the drawbacks are essentially the same: if your text messages are vulnerable, either digitally or physically, then you are not protected.
The authenticator apps solve all these problems because they do not rely on communication with the target system. Instead, they rely on both the app and the system being able to use a secret to generate the same temporary authentication code at the same time. There is no communication to intercept. Unless the evildoer has managed to get your physical phone there is almost no chance that they can guess the code in the 30 seconds that the code is valid. Even if they physically see the code, it is hard to imagine how they could win the race to enter it.
What is it like to use such an app? You download your app of choice to your trusty smart phone (we use Duo or Google's app internally but there are others which work just as well). Then whenever a system offers two-factor authentication, you use that system's authenticator app configuration QR code to create an authentication account in your app for the target system. Then whenever you log in, you provide your user ID, your password and the temporary authentication code generated by the app, which needs to match the temporary authentication code generated by the system in order to complete the logging in process.
How does this work? When you create the authentication account in your app, the target system generates and shares a secret. Now your app and the target system share a secret tied uniquely to your account. When you try to log in, both your app and the target system use the secret, the current time (rounded down to the nearest 30 seconds) and the same formula to generate a temporary code. The code is temporary because the current time changes all the time.
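The "same formula" the major apps use is the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): HMAC over a counter that is the current time divided into 30-second steps. The following is an added example, not code from this post or from any particular app, showing the phone side and the server side computing the same code from a shared secret; the one-step tolerance window in `verify` is an assumption about how a server copes with clock drift.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds a code stays valid, as described in the post
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to the requested digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): the counter is the Unix time rounded down to the step,
    so app and server derive the same code without talking to each other."""
    return hotp(secret, int(now) // step)


def verify(secret: bytes, candidate: str, now: float, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step and +/- `window`
    neighbouring steps to tolerate clock drift; compare in constant time."""
    counter = int(now) // TIME_STEP
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


def decode_provisioning_secret(b32: str) -> bytes:
    """The QR code shown at setup carries the secret base32-encoded (otpauth URI)."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test vector, as it would appear in a QR code.
    secret = decode_provisioning_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    t = 1111111109
    print("phone shows:", totp(secret, t))          # "081804"
    print("server accepts:", verify(secret, totp(secret, t), t + 20))
```

Because only the secret and the clock are inputs, a code observed by an attacker is useless once the 30-second step has passed, which is the race the post describes.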
The one problem that using these apps does not solve is someone gaining access to your physical phone. Using these apps makes your phone a critical digital asset, and now you really need to treat it as such.
All two-factor authentication is not created equal. Choose the best option. Don't put all your security eggs in one email basket. Don't hope that text messages are impossible to intercept or view. Choose any of the big-name and free authenticator apps and use it. Passwords suck. Email-based two-factor authentication isn't much better. Text messages are pretty good. Authenticator apps are excellent.