Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Universal Authenticator Apps

Wando64

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,338
3,109
One of the financial companies I deal with suggested I could be using two factor authentication, so i thought OK I have done this before, you get a text with a number, you type the number and... Bingo. Two factors authentication, right?
Well, not in this case. Apparently I need to install an Authenticator App (such as GA or Microsoft or Authy, etc...).
After googling a little I realised I must be the only person on the planet that has never heard of authenticator Apps, let alone used one.

OK, I understand the concept, but why? When most companies offer two factor authentication based on text messages, what is the purpose of an authenticator app?

What am I missing?
 
T

TiggrToo

macrumors 601
Aug 24, 2017
4,205
8,838
Wando64 said:
One of the financial companies I deal with suggested I could be using two factor authentication, so i thought OK I have done this before, you get a text with a number, you type the number and... Bingo. Two factors authentication, right?
Well, not in this case. Apparently I need to install an Authenticator App (such as GA or Microsoft or Authy, etc...).
After googling a little I realised I must be the only person on the planet that has never heard of authenticator Apps, let alone used one.

OK, I understand the concept, but why? When most companies offer two factor authentication based on text messages, what is the purpose of an authenticator app?

What am I missing?
Click to expand...

2FA via SMS is horribly insecure and no one in their right mind would consider that a suitable method today.
 
  • Like
  • Love
Reactions: Peter K. and Runs For Fun
MisterSavage

MisterSavage

macrumors 601
Nov 10, 2018
4,853
5,751
SMS spoofing. Someone uses social engineering to get control of your number and the 2FA codes are sent to them instead of you. Also with an authenticator app you don't need connectivity to get a code.
 
  • Like
Reactions: Peter K.
Wando64

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,338
3,109
TiggrToo said:
2FA via SMS is horribly insecure and no one in their right mind would consider that a suitable method today.
Click to expand...

MisterSavage said:
SMS spoofing. Someone uses social engineering to get control of your number and the 2FA codes are sent to them instead of you. Also with an authenticator app you don't need connectivity to get a code.
Click to expand...

Quite possibly SMS is insecure, but it is not my choice to implement it for two factor authentication.
This choice is made for me by the company I am dealing with.

As I said, I never used this method before, therefore can you please explain how do I chose to use an Authenticator App code if the company I am dealing with uses SMS 2FA? (e.g. Yahoo)

I have installed Microsoft Authenticator just to look at it and now when I try to log into Microsoft (OneDrive) it offers me the option to use Authenticator, but critically the option to use the password is still present. What is the point of that? That is not 2FA. It just gives me the option to use whichever method I prefer, one or the other instead of both together as it ought to be for proper 2FA.
EDIT: I have now resolved this. Even though I can use the passwor, it will still require authentication from the Authenticator App.

As a final comment, in response to not needing connectivity to get a code... frankly if I don’t have connectivity I wouldn’t know what to do with the code... so...
 
Last edited:
MisterSavage

MisterSavage

macrumors 601
Nov 10, 2018
4,853
5,751
Wando64 said:
As a final comment, in response to not needing connectivity to get a code... frankly if I don’t have connectivity I wouldn’t know what to do with the code... so...
Click to expand...

You're using a computer with a wired Internet connection and want to log into your Gmail account. You don't currently have a cellular or WiFi connection. Happened to me on a cruise. I could still log into with 2FA because I was using one time passwords from an authenticator app instead of a text message.
 
  • Like
Reactions: Peter K. and Wando64
Wando64

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,338
3,109
I had more time to look at this.
Whilst it is undeniable that it is a very convenient method of authenticating log-ins, I think that on balance this might not be quite right for me, save for some very specific cases (i.e. where nothing else is accepted).

The requirement for storing Recovery Codes else risking losing your access forever seems a step backwards, rather than innovation.

The hassle associated with the real possibility of losing your phone at any time seems huge.
Should you be so unfortunate as to lose both your phone and your Recovery Codes, you'd be truly in trouble.
Finally, it is recommended that Recovery Codes should be printed (!) and stored safely, possibly in a fire proof safe.
On which planet this is a secure method of protecting access to your data?

I don't know, maybe I will change my mind in time, but for now I think I'll stick to SMS messages.

Obviously Banks' own authenticating Apps are a different thing altogether as they are never your only way to gain access to your funds. The ultimate proof of your identity is your Passport or ID card.
 
  • Like
Reactions: eltoslightfoot
MisterSavage

MisterSavage

macrumors 601
Nov 10, 2018
4,853
5,751
Wando64 said:
I had more time to look at this.
Whilst it is undeniable that it is a very convenient method of authenticating log-ins, I think that on balance this might not be quite right for me, save for some very specific cases (i.e. where nothing else is accepted).

The requirement for storing Recovery Codes else risking losing your access forever seems a step backwards, rather than innovation.

The hassle associated with the real possibility of losing your phone at any time seems huge.
Should you be so unfortunate as to lose both your phone and your Recovery Codes, you'd be truly in trouble.
Finally, it is recommended that Recovery Codes should be printed (!) and stored safely, possibly in a fire proof safe.
On which planet this is a secure method of protecting access to your data?

I don't know, maybe I will change my mind in time, but for now I think I'll stick to SMS messages.

Obviously Banks' own authenticating Apps are a different thing altogether as they are never your only way to gain access to your funds. The ultimate proof of your identity is your Passport or ID card.
Click to expand...

A lot of places let you store recovery codes *and* specify a list of trusted phone numbers that can also receive one time passwords. For my Google account I have several loved one's numbers listed and I have saved 10 backup codes. I store my backup codes in 1Password, which is backed up online. If I lost my phone and lost my backup codes and couldn't reach any of my loved ones I could still get to my backup codes from 1Password on my Mac or iPad.
 
  • Like
Reactions: Wando64
Wando64

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,338
3,109
MisterSavage said:
A lot of places let you store recovery codes *and* specify a list of trusted phone numbers that can also receive one time passwords. For my Google account I have several loved one's numbers listed and I have saved 10 backup codes. I store my backup codes in 1Password, which is backed up online. If I lost my phone and lost my backup codes and couldn't reach any of my loved ones I could still get to my backup codes from 1Password on my Mac or iPad.
Click to expand...
That’s a good point.
I use keychain as my password manager and that is backed up to iCloud and therefore replicated to all of my devices.

mmmm...
 
adrianlondon

adrianlondon

macrumors 603
Nov 28, 2013
5,536
8,360
Switzerland
I use Authy as it syncs between devices and the codes can be backed up in case you need to restore your phone. At the time I switched to it, the standard Google Authenticator didn't do this - it might now.

Most banks in Europe use sms. One day, my phone lost connection and I used a friend's to contact my mobile provider. Apparently my sim card was cancelled because I had declared it lost and ordered a replacement., Nope! Nothing to do with me. So they re-activated my existing one and cancelled the order. I can only assume someone tried to get one under my name after which they'd use it to try and hack various online accounts. Always regard a faulty/disabled sim card as a serious issue.
 
  • Like
Reactions: Peter K., eltoslightfoot and Wando64
Wando64

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,338
3,109
adrianlondon said:
Always regard a faulty/disabled sim card as a serious issue.
Click to expand...

I completely agree, however the password is always required as well as the SMS authentication.
The likelihood of someone obtaining both in close sequence is rather small.
 
  • Like
Reactions: adrianlondon
eltoslightfoot

eltoslightfoot

macrumors 68030
Feb 25, 2011
2,547
3,100
adrianlondon said:
I use Authy as it syncs between devices and the codes can be backed up in case you need to restore your phone. At the time I switched to it, the standard Google Authenticator didn't do this - it might now.

Most banks in Europe use sms. One day, my phone lost connection and I used a friend's to contact my mobile provider. Apparently my sim card was cancelled because I had declared it lost and ordered a replacement., Nope! Nothing to do with me. So they re-activated my existing one and cancelled the order. I can only assume someone tried to get one under my name after which they'd use it to try and hack various online accounts. Always regard a faulty/disabled sim card as a serious issue.
Click to expand...
Thank you for the suggestion of Authy. It solves the biggest problem with these freaking programs. WHAT IF YOU LOSE YOUR PHONE? And you have no backup codes?
 
  • Like
Reactions: adrianlondon
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom