As one of the core functions of network security, authentication has never been as important as it is today. Between remote work and cloud services, many of us are in and out of our accounts all day, signing in to all kinds of services and network applications. Today, we’ll take a look at four apps that can help strengthen your sign-in experience and discuss how to recover your logins on a new device with these apps.
Common authentication app features
Four widely used authentication apps are Microsoft Authenticator, Google Authenticator, Authy, and Duo Mobile. Each of these apps uses your mobile device to authenticate you when you log in to an account. There’s some overlap in their features and functionality because they all provide a “something you have” type of authentication: a security concept that uses physical possession of your mobile device to say “yes, this is you.” The other two authentication factors are “something you know,” like a password, and “something you are,” like a retinal scan or fingerprint. Using two or more of these to authenticate users is called Multi-Factor Authentication, or MFA.
The functionality of these apps centers on what are commonly called verification codes. These are one-time passwords that you enter to sign in to a service (on another device) when prompted. If you’ve ever linked an app like Spotify or YouTube to a media device, you’ve probably been prompted to enter a code from the screen at a specific URL on another device. The same idea applies here, but a fresh code is required each time you log in to a secure service.
Where authentication apps are used
Unlike some of the comparisons we’ve done on this blog in the past, which app you use for authentication isn’t entirely up to you, the end user. Typically, if a service supports authenticator apps, you set up MFA within the service (Dropbox, WordPress, Skype, etc.) and select the authenticator app from a list of options. For example, Bitwarden can use Authy, Google Authenticator, or Duo as two-step verification providers. Setting up multi-factor authentication on your password vault is a very strong way to keep all of your passwords safe, since it requires “something you know” (your master password) as well as “something you have.”
The most straightforward of these apps is Google Authenticator, which is known for its lack of features. If you use it with a service, it will display six-digit verification codes to authenticate you to that service. While its reputation is built on being limited in its functions, Google recently (four months ago, as of this writing) added an important feature that brings it closer to parity with the other authenticators: cloud syncing across all of your devices.
Authentication, Password Management, and Push Notifications
Microsoft Authenticator uses cloud storage as well, and links with your Microsoft account to save passwords and sign you in to Microsoft apps. It can be the two-step verification provider for your Google, Amazon, or Facebook accounts, for instance, and it securely backs up your account information to the cloud. Since it also has some password-manager features, it can generate and store passwords for some of your accounts.
Authy is also known for its cloud backup and unified experience. Once you’ve installed Authy, you can set it up with a supporting service by scanning the QR code that service provides (Google, Facebook, or whoever it may be). It’s also a more polished app than Google Authenticator, letting you organize all of your logins by logo and name.
Duo Mobile is an app from Cisco that is widely trusted and used for authentication. It’s a leader in the space because many large organizations use it to manage user authentication. One thing it’s known for is push notifications, which pop up on your mobile device’s screen when you’re logging in. You can approve the login, confirming that it really is you, or deny it if it isn’t. There are other ways of using it, with phone calls or text messages, but as we’ll see in the next section, it’s unclear whether using the phone system for authentication is a good idea.
The SIM-spoofing vulnerability
There’s a major issue with authenticating by something you have: if that thing is your phone, then upgrading or replacing your device is going to look the same as someone else using their device to break into your account. The authentication process relies on the consistency of your device and your possession of it, and if you upgrade to a new phone, the new one isn’t proof that you’re you. Using a new device to authenticate yourself is exactly how SIM-card based attacks look to a service you’re logging in to.
A flaw often discussed with Authy is that it relies on sending text messages to set up a new device. Since it uses cloud backup to make your passcodes accessible on any device, having it send you a text message for setup means that an attacker who can spoof your SIM card and impersonate your phone number can intercept those text messages. Once that’s done, the attacker can simply log in to your accounts, because their device is now an authenticator for your identity.
How good are these apps at restoring your authentication after losing a phone?
All four of these apps have some kind of cloud backup that can be used to transfer your accounts from device to device. To use the restore features in Google’s and Microsoft’s authenticators, you just need to log in to your account on the device with the app installed, then select the setting to restore. In the case of Google Authenticator, if you don’t want to transfer your accounts through the cloud, you can also transfer them manually to your new device (by scanning a QR code displayed on your old device). Both should be fairly seamless processes, but don’t forget to deactivate the old device in your security settings.
As mentioned above, Authy can be set up on a new device by logging in and entering the passcode from a text message. This makes it very straightforward if you’re moving your SIM card to a new phone, but that convenience is sometimes seen as a vulnerability.
Duo is usually managed by your organization’s IT team, so if you have any problems with it, you can reach out to your admins, who can tell you what to do. It could be as simple as clicking Send Activation Code if you have the same phone number (and operating system). If you’re changing numbers (or mobile operating system), you’ll likely need to deactivate your old device and register your new one.
Ultimately, the process for deactivating a stolen or lost device should be similar across these four apps. Old devices need to be deactivated (in the app’s settings on the web), and new devices need access to the cloud backup: sign in to your account for the authenticator app, then restore your logins.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team