Authenticator apps - do you use one?

4tea2

I've become much more concerned about security of my many online accounts following the loss of my Android tablet. I don't know if I have a problem, but wonder if I should tighten my security a bit. With this in mind, my thoughts have turned to 2FA. Should I turn it on everywhere I can? Should I use an authenticator app?

Do you use an authenticator app? Are they as straightforward as suggested? If you do use one, how has it been? Would you recommend it?

Apologies, but I don't want to start using something and then find it makes access harder.

Thanks in advance.
 
I've used 2FAs but after a while I just found it a nuisance.
 
2FA is good and works well for me to make me feel more secure. I use both MS and Google Authenticator apps, which are fine, but I tend to prefer it when a code is texted to my phone. It depends what the particular service offers or accepts.
 
I reckon the "text a code" thing is fine for most of us. I'm a little less happy with "email a code", as emails tend to get about a bit, just read your headers!

I understand though that we should be wary of "text a code" for high value sites (for most of us that would be banks) or high value individuals. SIM swap scams are apparently only too easy these days for the folk who'd like to half inch your hard-earned (yes, OTT sorry).

I combine 2FA with my password manager, which seems to work reasonably well (except there's a continuing fight between 1PW and the Apple Password App, and I'm never quite sure which one is presenting me with what, recipe for disaster).
 
If you lose an Android device that doesn't have a screen lock on it and you're concerned about someone getting into it, then you go to find my phone within your Google account and set a lock screen password, plus put your contact details on the lock screen. My Mum was caught out recently because she has an Android tablet she uses almost entirely at home and it doesn't have a lock screen set, but then she went on holiday and left it on a train. My primary concern was someone getting access to the e-mail account. I set it to lock, then she discovered she did still have it; the moment she put it onto a wireless network it immediately locked. It still meant someone could have read existing e-mails, but there's not as much value to that as having live access to the e-mail account. I'm sure there's something similar for iOS devices and thought it might be useful for anyone else who finds a friend or relative has lost a device and wants to lock it.

In terms of which authenticator app to use, I don't think there's any singular one that supports everything. Some use their own software, some support standard authenticators so I have a number of authenticator apps set up on my phone to support the services I'm using.
 
Google one, mainly because it was like the only one when it all started.

I view it as a necessity.

eBay and others began pushing passkeys which I don't fully understand and am actually concerned they are not actually very safe. Please prove me wrong if you can.

I read somewhere text is much less safe, or perhaps it is a way of them telling they don't want text fees. You could in theory set up a spoof antenna, and take over the comms. This is more likely if government agencies are on your tail, but high profile criminals can surely do this for high wealth targets too. Probably not me and you at this point.
A more practical reason not to rely on text is if your phone reception is patchy. It truly can be. Even if data is fine, calls / texts are bloody unreliable. I call everyone I can on WhatsApp.

Yes, no lock screen / password is truly asking for huge trouble down the line.
 
I use the MS one for a variety of sites - some have no choice but to use an authenticator. Works fine for me on iPhone.
 
On Android, well, my Pixel, you can set the authenticator app to require a passkey to open. If, like me, you have smart unlock on, it means the authenticator app is locked down even when your phone is unlocked.
 
I use the MS and Google authenticators - mainly the MS one as that is the one that I need for work access, so it makes sense to use that, but Discord uses the Google Authenticator.

Both lock themselves independently of the phone, so even if my phone was lost/stolen someone would have to unlock both the phone and the authenticator to use them (same as banking apps).

The only downside is that it becomes harder to gain access to things yourself if you don't have your phone to hand.
 
I dread to think how difficult things get if your phone breaks.
 
I use the MS and Google authenticators - mainly the MS one as that is the one that I need for work access, so it makes sense to use that, but Discord uses the Google Authenticator.
That's interesting. I'd always assumed that the 2FA algorithm was pretty much universal, so any authenticator should work with any site!
 
They are and they do. I only use Google for everything including Microsoft Office. We actually had a big debate at work about whether we should have to use our personal phones for work.
 
I've not tried implementing 2FA, but I'd imagine when the site wants to authenticate someone, it will call a 2FA API to do so - it's up to the site which 2FA APIs it interfaces to.
 
For the love of $DEITY use a TOTP authenticator - your SIM can be easily slammed (so the new "owner" has your number to receive the MFA codes) emptying your bank account while you're wondering wtf happened. They can still slam my SIM but they can't get into any of my accounts - yet I still can. Means you can still access if the mobile network is incapable of delivering your SMS-based code (e.g. in a basement or rural Scotland).

For extra points use an authenticator app that backs up the secrets - preferably in an open standard (but secure) format. My 2c - Proton Authenticator with Authy in second place. Authy used to allow you to backup & import into other apps - but they stopped that. Proton still allows it.

You don't want to have to set up 20+ MFA accounts after your phone breaks. Don't ask how I know.
 
Thanks for the feedback. Encouraging me to give authenticator apps a try. It was interesting to find out that some sites require a specific app.

Also a very good point about considering how the app backs up codes. Does anyone have an experience of needing to recover security info to a new device?
 
As far as I know they don't, you can use whichever app you like.
Google one for instance, if you enable cloud backup, you only need to log in to your Google account and download the app again and all your codes will resync. You would have to choose an alternative 2FA method such as text or similar to log in. If you just buy a new phone there is a transfer option which is even simpler.
 
Does anyone have an experience of needing to recover security info to a new device?
Not recently - but back when Twilio Authy allowed the PC app, it worked like a charm. This may not be the current experience.

Otherwise it's recover access to each one individually (painful process) and set up MFA again.

Security is not about being convenient - if it was too easy for you to reset all of your credentials, it would be similarly simple for a ne'er-do-well to achieve the same.
 
Does anyone have an experience of needing to recover security info to a new device?
Yes. It's very easy if you still have access to the old device, pretty easy if you have a cloud backup of the authenticator itself or the whole phone. Most Authenticators automatically back themselves up to their owner's Cloud - the MS one I use certainly does. Quite a bit harder if you don't have backups.

They are free, simple to use and extremely effective. If you're offered 2FA via an app I'd suggest you pick a major provider you like, get their app and use it.
 