
    Why It's Smart to Use Authentication Apps for Multifactor Security

    The apps generate short-lived codes to use along with a password. That can be safer than having codes texted to you.

    Authy, Google Authenticator, Duo, and OTP Auth app icons Graphic: Consumer Reports

    In a world riddled with data breaches, having a strong password isn’t always enough to keep your personal and financial information safe. That’s why security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (aka two-factor authentication). But many people who use multifactor authentication (MFA) might not be using it in the most secure way, according to security professionals.

    When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.

    But many security experts say there’s a better option: switching to an authentication app. When you enroll, the app and the website share a secret key; the app then combines that key with the current time to generate numerical codes that typically expire every 30 seconds. Nothing has to be sent to you over the phone network at login time.


    Unlike authentication apps, text messages rely on your phone number, which is more vulnerable to criminal attack. A determined attacker may persuade a phone company to redirect someone else’s phone number to a new SIM card on their own device in what’s called SIM swapping or SIM jacking. Then they can intercept messages directed to that phone number.

    “SIM swapping is obviously a risk,” says Leigh Honeywell, CEO and co-founder of Tall Poppy, a social venture that builds tools and services to help companies protect their employees from online harassment and abuse. But, she says, other problems can arise.

    “The issues that come up more often are going to be you lose your job and your phone gets cut off, or you’re on a family plan and you have a conflict with a family member who is the administrator of the plan,” she says. “There are a lot of ways that phone numbers end up being a very brittle part of the security ecosystem that go way beyond the very sharp end of the spear that is SIM swapping.”

    And MFA based on text messaging is inaccessible if you don’t have a phone signal because, for instance, you’re traveling internationally.

    To set up multifactor authentication using an app, you download the app, then use a browser on your desktop or laptop computer to go to each of your online accounts. You’ll typically have to scan a QR code with the camera on your phone. That QR code encodes a secret key for the account; the app stores the key and uses it, together with the current time, to generate and keep track of your tokens, the temporary codes for each account. (These are also referred to as time-based one-time passwords, or TOTP, because each code is valid only for a fixed window, usually 30 or 60 seconds.) When you need to log in to an account, you enter your password, then open the authentication app to get the code you need to enter for MFA. Because the key lives in the app, anyone who can read the app’s data, or a backup of it, can generate your codes too.
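    To make the setup process above concrete, here is an added example, written for this page and not taken from any of the apps discussed, of what the QR code actually carries and how the code is derived from it. It parses a constructed otpauth:// URI of the kind enrollment QR codes encode, generates RFC 6238 TOTP codes from the base32 secret, and shows the server-side check: a small clock-skew window, a constant-time comparison, and a refusal to accept the same time step twice so a captured code cannot be replayed. The base32 secret is the published RFC 6238 reference test key; the account label and issuer are made up.

```python
# Added example: minimal HOTP (RFC 4226) / TOTP (RFC 6238) implementation.
# Not code from Authy, Duo, Google Authenticator or OTP Auth.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth URI: this is the text an enrollment QR code encodes.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
EXAMPLE_URI = (
    "otpauth://totp/Example%3Aalice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the shared secret and parameters from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],  # base32 text; this is the long-term key
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating the padding and spaces QR codes usually omit."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, keep N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: the counter is the number of `period`-second steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), at // period, digits, algorithm)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                used_steps: Optional[set] = None, **params) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (clock skew), compare in constant time, and when `used_steps` is supplied
    never accept the same step twice, so a phished or shoulder-surfed code
    cannot be replayed within its validity window."""
    period = params.get("period", 30)
    digits = params.get("digits", 6)
    algorithm = params.get("algorithm", "SHA1")
    secret = decode_secret(secret_b32)
    base = at // period
    for step in range(base - window, base + window + 1):
        if used_steps is not None and step in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            if used_steps is not None:
                used_steps.add(step)
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth_uri(EXAMPLE_URI)
    now = int(time.time())
    print(account["label"], totp(account["secret"], now, account["digits"], account["period"]))
```

    Run as a script it prints the current code for the constructed account; any authenticator app enrolled with the same URI shows the same six digits, which is the whole point: the app and the site share nothing but that key and the clock. Note that the replay check only works if the server remembers which steps it has already accepted for a user, and that a one-step window means a stolen code stays usable for up to about a minute.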

    The following apps have a good reputation among security experts, though individual experts have their personal favorites. You can also use a password manager for MFA, as described below.

    Authy

    Price: Free

    Authy, owned by Twilio, is available for Android and iOS, as well as desktop and laptop computers. It offers encrypted cloud backup and support for a secondary device, such as a laptop, a tablet, or even another phone. Security experts disagree on whether this is a good idea: each extra device holding a copy of your secret keys is one more place they could be stolen from. But it makes it easy to recover your tokens if you lose your phone or get a new one. You just have to add the new device to your account and disable the old device. Authy uses large icons for each banking or other account you add, making it easy to find the one you need. Even though some sites mention support only for Google Authenticator, Authy can be used in its place because all of these apps implement the same TOTP standard.

    Duo Mobile

    Price: Free

    Duo Mobile, owned by Cisco, is targeted mainly at corporate users, but it also offers a free multifactor authentication option for individuals that’s available on Android and iOS devices. Like Authy, it can be used in place of Google Authenticator. Also like Authy, Duo Mobile uses icons for each account, making it easier to find the one you’re looking for. Although there’s no way to add a secondary device to a free Duo Mobile account, the company does allow you to back up your tokens to iCloud or Google Drive with a recovery password. When you get a new phone, you download the app and recover your tokens from the cloud to start using Duo Mobile on the new device.

    Google Authenticator

    Price: Free

    Google Authenticator, available for Android and iOS devices, can be used with many different online accounts. As mentioned above, a site may say that it’s compatible with Google Authenticator and not mention additional options, but you’ll still be able to use one of the other apps. Google Authenticator lacks separate icons for each account, so you may need to do some more scrolling and reading to find the tokens you need. If you get a new phone, you download the app and scan a QR code from the app on your old phone to transfer all the tokens. (Until recently, that worked only for Android phones; iPhone users needed to scan a separate QR code for each account. But that tedious process has now been fixed.)

    OTP Auth

    Price: Freemium (Free or $4)

    OTP Auth is only available for iOS devices, but if you’re an Apple user, you can take advantage of some neat features. It lets you create encrypted backups of all of your accounts, and import or export them using AirDrop, Dropbox, iCloud, or Mail. You can create custom folders to arrange your accounts, which can be really helpful if you want to organize them. (For example, you could put all your work-related time-based one-time passwords in a single folder, and create a folder for passwords for a specific site or project.) The app allows you to scan a QR code with the camera or from a screenshot, making setup easy even if you don’t have two devices. And if you pay $4, you get some additional features, like the ability to customize the icons for your saved accounts.

    Storing MFA Tokens in a Password Manager

    The most important way to protect online accounts is to have a strong, unique password for each of them, and for that many security professionals say you should use a password manager. Consumer Reports tests password managers, and a number of them can also double as authentication apps.

    “For the average person, it’s just going to make sense to use your password manager to store your tokens,” says Tall Poppy’s Honeywell.

    Consumer Reports’ top password manager picks—1Password, Bitwarden, and Keeper—offer this option. For example, if you use 1Password, simply select the “password” category on the app, enter the name of the account you’re setting up, and click the plus sign next to “add new one-time password.” (As we discussed above, a token is also called a time-based, one-time password, or TOTP.)

    If you’re an iPhone user, you can even set up your phone to automatically copy one-time passwords to your clipboard when you select a log-in for Autofill.

    What If You Lose Your Phone?

    Getting locked out of an account that’s central to your digital life can be almost as catastrophic as having your account taken over by an attacker. But if you have MFA set up (as you should) and you’re using an authenticator app (a great idea), what happens if you lose your phone?

    Online accounts give you options for unlocking your account, but going through that process for one account at a time is difficult.

    Some authenticator apps allow you to print out or save a list of one-time backup codes to use if you lose access to your authentication app or your phone. Each code can be used just once. You’ll want to keep these safe but accessible.
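    The single-use property described above is something a site has to enforce on its side, and getting it right is simple but easy to skip. The following is an added example, not code from any site or app mentioned on this page, of how a service would issue a printable list of backup codes and consume them: codes are generated from a cryptographic random source, shown to the user once, stored only as hashes, and deleted the first time one is redeemed. The alphabet and code format are this example’s own choices.

```python
# Added example: issuing and redeeming single-use backup (recovery) codes.
# Not code from Authy, Duo, Google Authenticator, OTP Auth or any website.
import hashlib
import hmac
import secrets

# Assumed alphabet: no 0/o, 1/l/i so a printed code is hard to misread.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept the code however the user typed it: case, dashes and spaces are ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(normalized_code: str) -> str:
    # A 10-character code from a 31-symbol alphabet carries about 49 bits of
    # entropy, so a plain SHA-256 is enough; a salted slow hash is also fine.
    return hashlib.sha256(normalized_code.encode()).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 10):
    """Return (plaintext codes to show the user once, set of hashes to store)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2 :])
    stored_hashes = {_hash_code(normalize(c)) for c in codes}
    return codes, stored_hashes


def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Constant-time match against every stored hash; on success the hash is
    removed so the same code is rejected if it is ever presented again."""
    candidate = _hash_code(normalize(submitted))
    matched = None
    for stored in stored_hashes:  # scan all entries; no early exit on match
        if hmac.compare_digest(stored, candidate):
            matched = stored
    if matched is None:
        return False
    stored_hashes.discard(matched)
    return True


if __name__ == "__main__":
    plaintext, vault = generate_backup_codes()
    print("Print these and keep them safe:", *plaintext, sep="\n  ")
    print("first use:", redeem_backup_code(vault, plaintext[0]))
    print("second use:", redeem_backup_code(vault, plaintext[0]))
```

    The site keeps only `stored_hashes`; the plaintext list exists only on the user’s printout. Removing the hash on use, rather than flagging it, is what makes each code genuinely one-time, and it is also why the user should regenerate the list once a few codes have been burned.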

    While some security experts think that saving a list of tokens is dangerous, Honeywell says that line of thinking is a security nightmare for the average person. “To make people go through the hassle of resetting their TOTP keys again is not necessary, and it does lead to locking people out of their account,” she says.

    One More Option: Security Keys

    Authentication apps won’t stop you from accidentally entering your code into a fake or fraudulent website designed to steal your log-in information.

    “Just like someone might try to trick you into entering your password on a fake log-in page, they can also get you to enter your one-time password,” says Martin Shelton, principal researcher at the Freedom of the Press Foundation. “If they can get you to enter that one-time password at just the right time, then using that authentication app, TOTP is still phishable.” He recommends that individuals who think they’re at high risk for being hacked instead buy a physical security key such as a YubiKey. A FIDO2/WebAuthn key signs a login challenge that is bound to the website’s real address, so a look-alike site cannot reuse what it collects, which is what makes the key resistant to phishing.

    Also remember that your MFA tokens are only as secure as the devices you keep them on, so make sure to use good passwords or passcodes for your phone, tablet, and laptop, and install security updates whenever they become available.

    Consider Keeping a Copy Off-Site

    It’s a good idea to keep an extra copy of your recovery code printouts or a security key tied to your main email account somewhere outside of your home, in case of a fire or other emergency, Honeywell says. You could put it in a safe deposit box or a locked drawer at work, or leave it with a trusted friend or family member. If none of these options are possible, you could use a fire safe or fireproof document bag in your home.



    Yael Grauer

    Yael Grauer is an investigative tech reporter covering digital privacy and security. She manages Security Planner, a free, easy-to-use guide to staying safer online. She has covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for the Atlantic, Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications.