What are multi-factor authenticators, and how do we use them?
Authenticators are additional forms of authentication beyond just a username and password. They provide an extra layer of security by requiring the user to prove their identity through something they have or are.
Some common examples of authenticators include:
- One-time passwords (OTPs) – Randomly generated codes sent via SMS or generated by an app that are only valid for a single login attempt.
- Security keys – Physical devices like YubiKey that connect via USB or NFC to cryptographically prove the user’s identity.
- Biometrics – Using fingerprint, face, or iris scans to verify the user’s identity based on unique biological characteristics.
- Push notifications – Approving login attempts via notifications sent to a previously registered mobile device.
The main purpose of authenticators is to enhance account security beyond passwords, which can be guessed, stolen, leaked, or cracked. By requiring an additional factor, such as possession of a particular device or biometric trait, authenticators make it much harder for unauthorized users to gain access.
How do authenticators work?
Authenticators generate one-time codes that provide an extra layer of security when logging into accounts. There are two main types:
Time-based authenticators generate a new code after a certain time, usually 30 seconds. When you log in, you’ll enter your password and the current code displayed on the authenticator app or device. This code is only valid for a short window, so even if your password is compromised, an attacker won’t be able to access your account without also having the authenticator.
Event-based authenticators generate a new code when you take an action, like clicking a button. The code is valid until you use it to log in. This type may be preferable if your device doesn’t have an accurate timer to generate time-based codes.
Both types work by having your authenticator in sync with the service you’re logging into. When you set up two-factor authentication, the service gives your authenticator some information to generate valid codes. The codes are generated locally on your device using cryptographic algorithms, so connecting to a network is unnecessary.
Once your authenticator has the shared secret information, it can generate valid codes indefinitely or until the secret key is reset. As long as your codes match what the service expects, you can log in. Using these one-time codes provides an additional layer of security beyond just a password.
Why are Authenticators Important for Security?
Passwords have been the standard method of authentication for decades. However, passwords come with significant security risks. Many users create weak, easy-to-guess passwords or reuse the same passwords across accounts. This makes it easy for hackers to gain access through password leaks, phishing, or brute-force attacks.
Once a password is compromised, the attacker can access the account and sensitive personal information. Authenticators provide an extra layer of protection on top of passwords to mitigate this risk.
With an authenticator set up, even if a hacker manages to steal the password, they won’t be able to access the account without the authenticator’s unique one-time code. This greatly reduces the risk of account takeovers and fraudulent activity. Authenticators effectively make user accounts much more secure against many common attacks.
Adding authenticators is one of the most important steps for users to lock down their online accounts. The minor inconvenience of occasionally entering a secondary code is worth the enhanced security. As cyberattacks become more prevalent, authenticators will likely become a standard requirement for protecting sensitive accounts.
Types of Authenticators
Authenticators come in different forms and use protocols to generate the one-time codes. Here are some of the main types:
TOTP (Time-based One-time Password)
TOTP is the most common type of authenticator code. It generates a new 6- to 8-digit code every 30 seconds, and each code is valid only for a short period. Apps like Google Authenticator and Authy use the TOTP protocol. The code is derived from the current time and a shared secret key.
HOTP (HMAC-based One-Time Password)
HOTP also generates one-time codes, but they are based on a counter rather than time. Each code can only be used once as the counter increments. Even if the same code is generated again later, it will be rejected. HOTP authenticators are less common than TOTP.
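The "How do authenticators work?" section and the TOTP/HOTP descriptions above can be tied together in code. The following is an added example, not code from this page: it implements HOTP (RFC 4226) and TOTP (RFC 6238) over a shared secret, plus the server-side checks a practitioner cares about, namely a small tolerance window for clock drift or unused counters, and rejecting a code that was already accepted once. The secret is the published RFC test vector so the output can be checked against the standards.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), base32 encoded,
# used only so results can be checked against the published test vectors.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)

class TotpVerifier:
    """Server side of TOTP: tolerate one step of clock drift, never accept a step twice."""
    def __init__(self, secret_b32, step=30, window=1):
        self.secret, self.step, self.window = secret_b32, step, window
        self.last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code, unix_time):
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # replay of an already-used code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

class HotpVerifier:
    """Server side of HOTP: look ahead a few counters (the user may have generated codes
    without using them) and only move the counter forward, so each code works once."""
    def __init__(self, secret_b32, look_ahead=5):
        self.secret, self.look_ahead, self.counter = secret_b32, look_ahead, 0

    def verify(self, code):
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False
```

Real deployments use a per-user random secret (the one encoded in the setup QR code) rather than the RFC test secret, and store `last_step` or `counter` alongside the account.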
FIDO U2F (Universal 2nd Factor)
This protocol uses a physical USB security key instead of a generated code. The user inserts their key and presses a button to authenticate. It relies on public key cryptography rather than one-time codes. FIDO U2F is considered very secure and convenient.
FIDO2 / WebAuthn
WebAuthn is a newer standard that improves upon U2F. It allows using built-in authenticators like fingerprint readers and facial recognition instead of separate keys. The credentials are tied to the specific device. WebAuthn is gaining adoption among major websites and platforms.
So in summary, authenticators come in different forms like app codes, physical keys, biometrics, etc. But they all serve the purpose of providing a second factor that is separate from the password. This makes account logins much more secure against many threats.
Setting up authenticators
Setting up authenticators is a straightforward process that adds an extra layer of security to your online accounts. Here are the steps to set up some common types of authenticators:
Setting up an authenticator app
- Download an authenticator app like Authy or Google Authenticator on your mobile device.
- When you create an account or log into an existing account that supports 2FA, look for an option to enable authenticator app verification.
- The app prompts you to scan a QR code, which links the account to your authenticator app.
- The app generates random 6-digit codes that refresh every 30 seconds. When prompted, enter the current code to verify your identity.
Setting up a security key
- Purchase a physical security key like YubiKey. Plug it into your computer’s USB port.
- When creating or accessing an account, look for an option to enable security key verification.
- You will be asked to insert or tap your security key. This links the key to your account.
- Going forward, simply insert or tap the key when prompted to authenticate.
Setting up SMS verification
- Provide your mobile number when creating an account or enabling 2FA.
- You’ll receive a text message with a 6-digit code when logging in.
- Enter this code on the verification screen to confirm your identity.
The setup process takes just a few minutes. Once configured, authenticators provide a simple extra layer of account security with codes only useful for short periods.
Using Authenticators
Authenticators add an extra layer of security to the login process by requiring you to enter a one-time code in addition to your username and password. Here’s how to use authenticators when logging in:
When you enable an authenticator app or security key for a particular account, it generates a new 6- to 8-digit code every 30 seconds or so. When you log in to that account, after entering your username and password, you’ll be prompted to enter the current code from your authenticator app or security key.
Open the authenticator app or plug in your security key to view the current code. Type this code into the login prompt and submit to complete the login. The authenticator provides the “second factor” of authentication beyond just the password.
Some best practices for using authenticators:
- Make sure to have a backup method for accessing codes in case you lose your phone or security key. Some authenticator apps support backup codes you can print out and store securely.
- For convenience, try consolidating authenticators into one main app like Authy rather than using the standalone authenticator with each account. This allows you to view all codes in one place.
- When adding new accounts, accurately scan the QR code or enter the provided key to link the authenticator. Test it by logging in to verify it works before relying on that authenticator.
- While authenticators add security, be careful not to over-rely on them. Make sure you still use strong, unique passwords for each account. The authenticator codes are only helpful if your password remains secure.
The added login step can feel tedious, but it is worthwhile for securing your important accounts. Properly implementing authenticators ensures you can benefit from the enhanced security without too much inconvenience.
Best Authenticator Apps for Android and iOS
Authenticator apps like Authy, Google Authenticator, and Microsoft Authenticator allow you to generate time-based one-time passwords (TOTP) that provide an extra layer of security beyond just a password. These apps are available on iOS and Android devices.
Some of the most popular authenticator apps include:
- Authy – Provides cloud sync across devices, can be used for multiple accounts, and supports backups.
- Google Authenticator – Created by Google, it is simple and easy to use and supports multiple accounts.
- Microsoft Authenticator – Integrates with Microsoft accounts, supports other services, and provides notifications for suspicious activity.
- LastPass Authenticator – Integrates with the LastPass password manager and can store one-time passwords securely.
- 1Password – Integrates with the 1Password manager, supports TOTP and push notifications.
The main differences between these apps are cloud sync features, the number of accounts supported, and integration with specific password managers. Authy stands out for its cloud backup capabilities, while apps like Google Authenticator provide a more barebones authenticator experience.
Google Authenticator is a good option for most users since it’s simple, trusted, and supports most sites and services. But if you want backup capabilities or integration with a password manager, Authy or Microsoft/LastPass Authenticator are great choices.
Security Keys
Security keys are physical devices that connect to your computer or phone to provide an additional layer of authentication beyond just a password. They use public key cryptography to prove your identity.
When logging into an account that supports security keys, you’ll be prompted to insert or tap your key after entering your username and password. This proves to the service that you have physical possession of the key, which is much more secure than just using a code from an authenticator app that could potentially be phished.
Some benefits of security keys over OTPs from authenticator apps:
- Protection against phishing – An attacker can’t just phish your one-time code; they would need physical possession of your security key. This makes your accounts much more secure.
- Convenience – Security keys work by just plugging into your device during login. There’s no need to open an app and copy/paste codes.
- No reliance on your phone – If you lose your phone, you can still log in with the physical key. However, with OTP apps, you could get locked out if you don’t have your phone.
- Support for multiple accounts – One key can be registered to protect multiple accounts simultaneously. OTP apps require managing codes for each account separately.
- Encrypted communication – Security keys use secure protocols to encrypt your login process. This protects against man-in-the-middle attacks.
Overall, security keys boost account security and are more convenient than OTP apps in many ways. The main downside is the need for the physical key device, but the security tradeoff is worth it for high-value accounts. As more sites adopt key support, they will become a standard part of robust authentication.
Best practices
Using authenticators is one of the best ways to protect your online accounts, but there are some best practices to follow:
- Don’t reuse authenticators across accounts. For maximum security, each account should have its own unique authenticator. Reusing authenticators defeats the purpose of having them.
- Store backup codes somewhere safe in case you lose access to your authenticator device. Backup codes let you get back into your account if your authenticator app or key is lost or stops working. Keep printed copies secure or use a password manager.
- For authenticator apps, make sure you can transfer the codes to a new device if needed. The app should have export options. Test transferring to a new phone or tablet periodically.
- Don’t let other people use your authenticators. They are tied specifically to your account for a reason. Don’t give out codes or lend your security key to anyone.
- Keep your authenticator device physically secure. Don’t leave your phone unlocked or your security key lying around. Anyone who gains access can potentially get into your accounts.
- Pay attention to where you use your authenticators. Only enter codes or use your security key on legitimate sites you trust. Scammers may try to trick you into giving them your codes.
- If you lose an authenticator device, immediately remove that authenticator from your online accounts. Generate new backup codes and create new authenticators to replace the lost ones.
- Check your account settings periodically to audit attached authenticators and remove any you’re no longer using. Don’t let old authenticators remain active.
Following these tips will help you securely manage multi-factor authentication and maximize the use of authenticators to protect your online presence.
The future of passwordless authentication
The future of authentication is moving towards passwordless systems based on emerging standards like FIDO2 and WebAuthn. These use public key cryptography instead of passwords to authenticate users.
With FIDO2 and WebAuthn, users can log into websites using biometrics like fingerprint scans or facial recognition on their devices. This removes the need to remember passwords. The website stores a cryptographic key that gets unlocked when the biometric or device matches.
Experts predict the death of passwords within the next 5-10 years. Apple, Google, Microsoft, and the FIDO Alliance are all pushing for a passwordless future. The FIDO2 standard has widespread support from major browsers like Chrome, Safari and Firefox.
As more websites adopt FIDO2 and WebAuthn, passwords will phase out. Users will no longer need to remember dozens of complex passwords. Instead, their fingerprint or face will authenticate them. This eliminates phishing risks and makes logging in far more convenient.
The passwordless future improves both security and user experience. Users no longer bear the burden of password management. Businesses reduce helpdesk costs dealing with forgotten passwords. With major industry support, passwordless authentication will likely become the norm in the years ahead.