How secure are authenticator apps? (2024)

Information security experts have long agreed that the most reliable form of two-factor authentication with a one-time code is an authenticator app. Most services offer this method as a second level of account protection, while in some cases, two-factor authentication using a code from an app is the only available option.

But the reasons why one-time codes are considered so safe are rarely discussed, so legitimate questions arise as to whether it’s really a good option, how reliable it is, what dangers are worth considering, and what you need to keep in mind when using this two-factor authentication method. The main purpose of this post is to answer those questions.

How authenticator apps work

Generally, such apps operate as follows: the service in which you’re authenticating and the authenticator itself share a number — a secret key (it is contained in a QR code that you use to enable authentication for this service in the app). The authenticator and the service simultaneously use the same algorithm to generate a code based on this key and the current time.

When you enter the code that your app has generated, the service compares it with what it generated itself. If the codes match, everything is fine, and you can access the account (and if not, you can’t). Also, when you connect the authenticator app via a QR code, a lot of information is transferred in addition to the secret key. This includes the one-time code’s expiration period (usually 30 seconds).

The most important information — the secret key — is transmitted just once, when the service pairs with the authenticator, and then both parties remember it. That is, with each new login to the account, no information is transmitted from the service to your authenticator at all, so there’s nothing to intercept. In fact, authenticator apps don’t even need internet access to perform their main function. All that a hacker can theoretically get is the actual one-time code that the system generates for you to enter. And this code is valid for just half a minute or so.
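As an added example (not code from the original post), here is the flow described above in Python, following RFC 4226/6238: the enrolment QR code is modelled as an otpauth:// URI, both sides derive the code from the shared secret and the current 30-second step, and the service checks the submitted code without any key material crossing the network. The URI, account label and issuer are constructed for the example; the secret is the RFC 6238 SHA-1 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract the shared secret and code parameters from an otpauth:// URI,
    which is what the enrolment QR code carries (secret, period, digits)."""
    u = urlparse(uri)
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore any stripped base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, now, period=30, digits=6):
    """RFC 6238: the counter is just the current time step (30 s by default),
    so app and service compute the same code independently."""
    return hotp(secret, int(now) // period, digits)

def verify(secret, candidate, now, period=30, digits=6, window=1):
    """Service side: recompute the code for the current step and its neighbours
    (tolerating small clock drift) and compare in constant time."""
    for step in range(-window, window + 1):
        expected = totp(secret, now + step * period, period, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

if __name__ == "__main__":
    # Constructed enrolment URI; the secret is the RFC 6238 SHA-1 test key.
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30&digits=6")
    params = parse_otpauth(uri)
    code = totp(params["secret"], time.time(), params["period"], params["digits"])
    print(params["label"], code, verify(params["secret"], code, time.time()))
```

A code generated at one time step is accepted only within the configured window, which is why an observed code becomes useless after roughly a minute.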

We’ve already discussed in more detail how authenticator apps work in a separate post. Read it if you want to know about authentication standards, the information contained in QR codes to connect those apps, and about services that are incompatible with the most common authenticators.

How secure is 2FA with a one-time code?

Let’s summarize the main advantages of one-time code authentication from an app:

  • Good protection against leaks: a password alone isn’t enough to gain access to an account — you also need a one-time code.
  • Decent protection against interception of this one-time code. Since the code is valid for just 30 seconds, hackers don’t have much time to use it.
  • It’s impossible to recover a secret key from a one-time code, so even if the code is intercepted, attackers won’t be able to clone the authenticator.
  • No internet connection is required on the device generating one-time codes. It can be kept completely isolated from it.

As you can see, the system is well thought out. Its developers have done everything in their power to make it as secure as possible. But no solution is completely safe. So even when using authentication by code from an app, there are some risks to consider and precautions to take. That’s what we’ll talk about next.

Leaks, e-mail hacking and workarounds

I mentioned above that authenticating with one-time codes from an app is great protection against password leaks. And in a perfect world, it would be. Unfortunately, we don’t live there. There’s a crucial nuance, which stems from the fact that services usually don’t want to lose their users because of such a small, annoying detail as losing the authenticator (which can happen to anyone); therefore, they usually provide an alternative way to log into accounts: sending a one-time code or confirmation link to an associated e-mail address.

This means that if a leak has occurred and attackers know both the password and the e-mail address it’s linked to, they can try to use this alternative method to log in to the account. And if your e-mail is poorly protected (especially if you use the same password for it and don’t enable two-factor authentication), it’s very likely that hackers will be able to bypass entering a one-time code from an app.

What’s worth doing about it:

  • Keep an eye out for data leaks, and promptly change passwords for affected services.
  • Don’t use the same password for different services. This is especially important for e-mail to which other accounts are linked.
  • Some services allow you to disable alternative methods of logging in. For especially valuable accounts, it may be worth doing this (but don’t forget to back up the authenticator — there’s more on this below).

Physical access and people looking over your shoulder

Someone might look over your shoulder when you’re using an authenticator app and see the one-time code. And not only one code, as authenticators often display several codes in a row. So the intruder could log in to any of those accounts if they saw the code. Of course, hackers would not have much time to take advantage of what they caught sight of. But it’s better not to take any chances — 30 seconds might be enough time for a nimble-fingered cybercrook…

The situation is more dangerous if someone manages to get their hands on an unlocked smartphone with an authenticator. In this case, that someone could well take the opportunity to log into your accounts without much haste or trouble.

How to minimize such risks:

  • Use an authenticator app that doesn’t display the codes on screen by default (there are quite a lot of them).
  • Set a strong password to unlock the smartphone on which the authenticator app is installed and turn on auto screen locking after a short period of inactivity.
  • Use an app where you can additionally set a login password (such apps exist, too).

Phishing sites

Most phishing sites designed for mass attacks are quite primitive. Their creators are usually satisfied with stealing logins and passwords, followed by selling them dirt cheap wholesale somewhere on the dark web. Of course, two-factor authentication is perfect protection against such hackers: even if someone gets your login credentials, they’re completely useless without a one-time code from an app.

However, on more carefully and plausibly crafted phishing sites, particularly those designed for targeted attacks, phishers can also imitate the two-factor authentication verification mechanism. In this case, they’ll not only intercept the login and password, but also the one-time code. After that, the attackers will quickly log into the victim’s real account, while the phishing site may issue an error message and suggest retrying.

Unfortunately, despite its apparent simplicity, phishing remains an extremely effective trick for criminals, and it can be difficult to protect yourself against sophisticated versions of scams. The general advice here is as follows:

  • Don’t click on links in e-mails — especially those received from unknown or suspicious addresses.
  • Carefully check the address of the pages where you’re entering your account information.
  • Use a reliable solution with automatic phishing protection.

Stealing malware

To put it mildly, people don’t really like going through the full authentication process. Therefore, services try not to bother their users unnecessarily. In fact, in most cases, you only have to be fully authenticated with a password and confirmation code when you log in to your account on each device for the first time. Or once more later — if you’ve accidentally cleared the cookies from your browser.

After successfully logging in, the service saves a small cookie on your computer, which contains a long and very secret number. This file is what your browser will present to the service for authentication from now on. So if someone manages to steal this file, it can be used to sign into your account. No password or one-time code will be needed for this at all.

Such files (along with a bunch of other information like browser-saved passwords, cryptocurrency wallet keys and other similar goodies) can be stolen by Trojan stealers. If you’re unfortunate enough to get a stealer on your computer, there’s a very good chance that your accounts will be hijacked, even with all the other precautions.

To prevent this from happening:

  • Don’t install programs from dubious sources.
  • Be sure to use reliable protection on all your devices.

The lack of authenticator backups

Access to your accounts can also be lost because the protection is too strong: for example, if you’ve disabled logging into your accounts without a code from the app and then somehow lose the authenticator. In this case, you might permanently lose your accounts and the information in them. Or at least you’re assured of a few fun days of tearful correspondence with support for access restoration.

There are in fact quite a few circumstances where you might lose your authenticator:

  • A smartphone can break in a way that you can’t get any information out of it.
  • You might lose it.
  • And of course, it could be stolen.

All these are unpredictable events, so it’s better to prepare for them in advance to avoid any unpleasant consequences:

  • Be sure to back up the authenticator data. Many apps allow backup to the cloud; some can also save it as a local file.
  • It may be wise to install the authenticator on two different devices or even use several different apps. This protects you from being locked out from your backup if the cloud infrastructure of a single authenticator is unavailable at the most inopportune moment.

How to stay safe

Let’s summarize. Two-factor authentication itself seriously reduces the risk of your accounts being hijacked, but it doesn’t guarantee complete security. It’s therefore worth taking extra precautions:

  • Be sure to set a password to log in to the device where the authenticator is installed.
  • Use an authenticator app that knows how to hide one-time codes from unwanted eyes and allows you to set a password to log in to the app itself.
  • Don’t forget to back up the authenticator.
  • Don’t use simple passwords and don’t use the same passwords for different accounts. A password manager will help you generate and remember unique and secure character sequences.
  • Watch out for leaks, and promptly change passwords from affected services, especially if it’s the e-mail to which other accounts are linked. Incidentally, Kaspersky Password Manager tracks password leaks and warns you about them.
  • To protect yourself from phishing and stealing malware, install a reliable security solution on all of your devices.
  • Watch out for login attempts to your accounts and respond quickly to suspicious activity. By the way, we have a tutorial that tells you what to do if your account is hacked.

FAQs

How secure are authenticator apps?

Are Authenticator Apps Secure? Authenticator apps are secure because they keep the code local to your device and the codes are not sent unencrypted over the internet. This means they can't be intercepted through common cyber attack methods.

How safe is an authenticator app?

With authenticator apps, the codes are generated on the user's device, making them less vulnerable to interception or phishing attacks. In contrast, SMS-based 2FA codes are sent over the network, making them more susceptible to such threats.

What is the disadvantage of the authenticator app?

Drawbacks of authenticator apps

Device dependency: If a user loses their device, or it malfunctions, they lose access to their authenticator app. They may need to go through a lengthy account recovery process as some auth apps do not offer backup codes.

Can an authenticator be hacked?

Can an authenticator be hacked? A time-based passcode generated by an authenticator app is harder to hack than an SMS text message, but that doesn't mean an authenticator app can't be hacked — especially if it generates codes that allow you to log into your accounts.

Can someone log into my authenticator app?

By default, App Lock is turned on when you set up a PIN or biometric on your device. Unfortunately, there's no guarantee that App Lock will stop someone from accessing Authenticator.

Is it better to use an authenticator app?

You should use an authenticator app over SMS authentication because it is more secure and less likely to be intercepted by cybercriminals. Authenticator apps generate 2FA codes locally on a device, rather than sending them unencrypted over text message.

Can authenticator apps track you?

Does the Microsoft Authenticator track me? The Microsoft authenticator does not track you and it does not log location data. It will list your logins to MCC-protected resources as a method for you to recognize unauthorized access attempts.

Why avoid Google Authenticator?

Backup is cumbersome.

Also, the services often offer reserve codes instead of explicitly suggesting to save the secret. If you lose your secret and log in with a reserve code, you will have to redo the entire TOTP registration process again. Backup codes are sent online, which is often insecure.

What is the safest authentication?

1. Biometric Authentication Methods. Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.

Is Google Authenticator safe in 2024?

Google Authenticator: Best for secure offline authentication

The app works by generating time-based one-time passcodes that users enter in addition to their passwords when logging into their accounts. These passcodes are secure as they are generated locally (on the device) and not transmitted over the internet.

Can hackers get past two-step authentication?

Can two-factor authentication be hacked? We now know how 2FA prevents hacking, but can hackers get past 2FA? The short answer: Yes, 2FA can be bypassed by hackers. But before we get into the potential weaknesses of 2FA, it's worth noting that even the biggest cybersecurity companies aren't immune to digital attacks.

Does authenticator store passwords?

Microsoft Authenticator can generate, store, and apply passwords at websites via an autofill feature. Beyond supporting iOS, iPadOS, and Android devices, the autofill option works in the desktop flavors of Google Chrome and Microsoft Edge via an extension.

What happens to authenticator app if you lose your phone?

What should I do if I lose a phone with Google Authenticator installed? If you lose your phone with Google Authenticator on it, you should erase your phone remotely and use an alternative method to sign into your accounts with 2FA set up until you can install Google Authenticator on a new phone.

How do I secure my authenticator app?

This can usually be found in the security settings of the account you want to secure under your MFA options. Scan the QR code with the authenticator app. The application you're using will use either the device camera or a screenshot function to scan the QR code. You're ready to go!

What happens if I remove an account from authenticator app?

Open the app, locate your account, tap it, and select 'remove'. That's all it takes! You won't get any codes or notifications for that account anymore. Don't worry – unlinking the account doesn't affect your accounts or their security.

Is 2FA 100% safe?

Still, like most online activities, there are ways that criminals can bypass 2FA security and access your account. For example, lost password recovery usually resets your password via email, and it can bypass 2FA. Even though it's not 100% secure, 2FA can bolster your online security and is recommended.

Can I trust Microsoft Authenticator app?

Microsoft describes their Authenticator as “More secure. Passwords can be forgotten, stolen, or compromised. With Authenticator, your phone provides an extra layer of security on top of your PIN or fingerprint.”

Can I trust Google Authenticator app?

Google Authenticator has long been a go-to because it's simple and reliable. There are also some unique and valuable features, such as the option to export your account information securely using just a QR code. It also allows you to use a Google Account to back up your logins.

Why would someone have authenticator app?

An authenticator app is a mobile application that provides an extra layer of security to your online accounts by generating time-based one-time passwords (TOTPs). These passwords are used for two-factor authentication (2FA) and help protect your accounts from unauthorized access.

Article information

Author: Patricia Veum II