Why It's Smart to Use Authentication Apps for Multifactor Security
The apps generate short-lived codes to use along with a password. That can be safer than having codes texted to you.
In a world riddled with data breaches, having a strong password isn’t always enough to keep your personal and financial information safe. That’s why security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (aka two-factor authentication). But many people who use multifactor authentication (MFA) may not be using it in the most secure way, according to security professionals.
When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.
But many security experts say there’s a better option: switching to an authentication app, which uses an algorithm linked to your device to continually generate numerical codes that expire every 30 seconds.
Authy, owned by Twilio, is available for both iOS and Android as well as desktop and laptop computers. It offers encrypted cloud backup and support for a secondary device, such as a laptop, tablet, or even another phone. Security experts disagree on whether this is a good idea or not; you're slightly more likely to run into trouble because the tokens are on multiple devices. But it makes it easy to recover your tokens if you lose your phone or get a new one. You just have to add the new device to your account and disable the old device. Authy uses large icons for each banking or other account you add, making it easy to find the one you need. Even though some sites mention support only for Google Authenticator, Authy can be used in its place.
Duo Mobile, owned by Cisco, is targeted mainly at corporate users, but it also offers a free multifactor authentication option for individuals that’s available on Android and iOS devices. Like Authy, it can be used in place of Google Authenticator. Also like Authy, Duo Mobile uses icons for each account, making it easier to find the one you’re looking for. Although there’s no way to add a secondary device to a free Duo Mobile account, the company does allow you to back up your tokens to iCloud or Google Drive with a recovery password. When you get a new phone, you download the app and recover your tokens from the cloud to start using Duo Mobile on the new device.
Google Authenticator, available for Android and iOS devices, can be used with many different online accounts. As mentioned above, a site may say that it's compatible with Google Authenticator and not mention additional options, but you'll still be able to use one of the other apps. Google Authenticator lacks separate icons for each account, so you may need to do some more scrolling and reading to find the tokens you need. If you get a new phone, you download the app and scan a QR code from the app on your old phone to transfer all the tokens. (Until recently, that worked only for Android phones; iPhone users needed to scan a separate QR code for each account. But that tedious process has now been fixed.)
Storing MFA Tokens in Password Managers
The most important way to protect online accounts is to have a strong, unique password for each of them, and for that many security professionals say you should use a password manager. Consumer Reports tests password managers, and a number of them can also double as authentication apps.
“For the average person, it’s just going to make sense to use your password manager to store your tokens," Honeywell says.
Consumer Reports’ top password manager picks, Bitwarden, 1Password, and Keeper, offer this option. For example, if you use 1Password, simply select the “password” category on the app, enter the name of the account you’re setting up, and click the plus sign next to “add new one-time password.” (As we discussed above, a token is also called a time-based, one-time password, or TOTP.)
If you’re an iPhone user, you can even set up your phone to automatically copy one-time passwords to your clipboard when you select a log-in for Autofill.
What If You Lose Your Phone?
Getting locked out of an account that’s central to your digital life can be almost as catastrophic as having your account taken over by an attacker. But if you have MFA set up (as you should) and you're using an authenticator app (a great idea), what happens if you lose your phone?
Online accounts give you options for unlocking your account, but going through that process for one account at a time is difficult.
Some authenticator apps allow you to print out or save a list of one-time backup codes to use if you lose access to your authentication app or your phone. Each code can be used just once. You’ll want to keep these safe but accessible.
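Backup codes work because the site keeps a record of which ones are still unused and strikes each one out the first time it is accepted. The example below is added here and is not code from the article or from any of the apps or sites it mentions; it shows the server side of that scheme in Python. Codes are generated from the system's cryptographic random source, stored only as keyed hashes (the pepper is a server-side secret, assumed here as a constructed constant), and removed from the record on first successful use, so a code that has been spent cannot be redeemed a second time.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret used to key the stored hashes. In a real
# deployment this lives in a secrets store, never in the user database.
PEPPER = b"constructed-pepper-not-for-production"


def generate_backup_codes(count: int = 10, digits: int = 8) -> list:
    """Produce `count` distinct numeric codes from a CSPRNG."""
    codes = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(codes)


def format_for_printing(code: str) -> str:
    """Group digits in fours so the printed list is easy to read and type."""
    return "-".join(code[i:i + 4] for i in range(0, len(code), 4))


def normalize(submitted: str) -> str:
    """Strip the spaces and dashes users type when copying from the printout."""
    return "".join(ch for ch in submitted if ch.isdigit())


def hash_code(code: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of a short code. The codes are too short for a plain hash to
    resist guessing if the table leaks, so the hash is keyed with a secret."""
    return hmac.new(pepper, code.encode(), hashlib.sha256).hexdigest()


class BackupCodeStore:
    """Per-user record of unused backup codes, kept as keyed hashes only."""

    def __init__(self, codes: list, pepper: bytes = PEPPER):
        self.pepper = pepper
        self._unused = {hash_code(c, pepper) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept the code if it is still unused, and spend it."""
        digest = hash_code(normalize(submitted), self.pepper)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):
                self._unused.discard(stored)   # single use: gone after success
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("Print and keep these safe:")
    for c in codes:
        print(" ", format_for_printing(c))
    print("first use:", store.redeem(format_for_printing(codes[0])))
    print("second use of the same code:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Showing the user how many codes remain (the `remaining()` value) is what lets a site prompt for a fresh set before the last one is spent, which is the lockout the section above is worried about.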
While some security experts think that saving a list of tokens is dangerous, Honeywell says that line of thinking is a security nightmare for the average person. “To make people go through the hassle of resetting up their TOTP keys again is not necessary, and it does lead to locking people out of their account,” she says.
One More Option: Security Keys
Authentication apps won’t stop you from accidentally entering your code into a fake or fraudulent website designed to steal your log-in information.
“If you can get someone to enter that one-time password at just the right time, then using that authentication app, TOTP is still phishable,” said Martin Shelton, principal researcher at the Freedom of the Press Foundation. He recommends that individuals who think they're at high risk for being hacked instead buy a physical security key such as YubiKey, which provides protection from phishing attacks.
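The difference Shelton describes comes down to what the second factor is bound to. A TOTP code is just six digits; the site that checks it cannot tell where it was typed. A security key's response covers both the site's challenge and the origin the browser was actually on, and the site rejects a response made for any other origin. The simplified model below is an added example, not code from the article or from any security-key vendor or standard: it uses an HMAC with a per-account key in place of the key's public-key signature, and the origins are constructed placeholders, but the verification rules are the ones that make the response unusable on a lookalike site.

```python
import hashlib
import hmac
import secrets

# Constructed relying-party origin (the real login site).
RP_ORIGIN = "https://accounts.example.com"


def make_challenge() -> bytes:
    """Fresh random challenge issued by the site for one login attempt."""
    return secrets.token_bytes(32)


def _signed_data(challenge: bytes, origin: str) -> bytes:
    # The response commits to the origin as well as the challenge.
    return hashlib.sha256(origin.encode()).digest() + challenge


def key_respond(device_key: bytes, challenge: bytes, origin: str) -> dict:
    """What the browser and security key together hand back, simplified.
    `origin` is whatever site the browser is on; the user does not type it and
    cannot get it wrong. HMAC stands in for the key's signature here."""
    sig = hmac.new(device_key, _signed_data(challenge, origin), hashlib.sha256).digest()
    return {"origin": origin, "sig": sig}


def server_verify(device_key: bytes, challenge: bytes, response: dict,
                  expected_origin: str = RP_ORIGIN) -> bool:
    """Accept only a response made for this site, for this challenge."""
    if response["origin"] != expected_origin:
        return False   # made on some other site, however valid the signature
    expected = hmac.new(device_key, _signed_data(challenge, response["origin"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response["sig"])


def totp_verify_cannot_see_origin(submitted: str, expected: str) -> bool:
    """For contrast: a TOTP check receives only the digits. There is no origin
    to compare, so a code typed into the wrong site checks out the same."""
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    device_key = secrets.token_bytes(32)   # constructed per-account key
    challenge = make_challenge()
    genuine = key_respond(device_key, challenge, RP_ORIGIN)
    elsewhere = key_respond(device_key, challenge, "https://accounts-example.com.invalid")
    print("response made on the real site:", server_verify(device_key, challenge, genuine))
    print("response made on another site:", server_verify(device_key, challenge, elsewhere))
```

Two properties do the work: the origin is inside the signed data, so relabelling the response with the real origin breaks the signature, and the challenge is fresh per login, so a response captured earlier does not verify against a new challenge. Neither property exists for a six-digit code, which is why the article's advice to use a key for high-risk accounts holds even when the TOTP app itself is perfectly secure.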
Also remember that your MFA tokens are only as secure as the devices you keep them on, so make sure to use good passwords or passcodes for your phone, tablet, and laptop, and install security updates whenever they become available.