It’s commonplace nowadays to be expected to have your mobile phone, charged and connected to WIFI to authenticate a login to your online services. This blog takes a look at Google Authenticator, and how all may not be as it seems in terms of convenience, security, and accessibility.
Why would someone use an Authenticator app?
An Authenticator app is a seemingly safe and convenient way to prove your identity. You can use the Authenticator app to sign in if you forget your password. All of your other account credentials can be backed up and restored using the app.
Authenticator apps work similarly to SMS multi-factor authentication, but instead of sending a text message, they send you the code via an app on your phone. This prevents the code on your SIM card from being intercepted remotely. The hacker would need physical access to your phone to obtain the code.
What is Google Authenticator?
Google Authenticator is a mobile security application. It is based on two-factor authentication (2FA) that helps to verify your identity to protect you from hackers. The Authenticator app uses the time-based one-time password (TOTP) system. To ensure that each passcode is unique, the TOTP algorithm generates a six-digit passcode that considers the current time of day. For added security, passcodes change every 30-60 seconds.
With MIRACL, you reduce this procedure to one single-step MFA. It eliminates the need for a second device or a passcode as MIRACL is based 100% on the browser, and is not reliant on a second tool for verification.
How do I use Google Authenticator?
Google Authenticator verifies that you are who you say you are using an online secret that you and the provider share. When you enter a website’s URL, your device generates a code based on the current time and the shared secret. You must manually enter this code on the website before it expires to complete your website login. That creates unnecessary friction in the login process, which MIRACL avoids. With MIRACL Trust, you only have to log in once and don’t need any codes that could expire.
Is Google Authenticator tied to your phone?
For security reasons, the authenticator settings are not transferred across devices when you use Google Authenticator for multi-factor authentication. You must manually configure the Authenticator on the new device, something you don’t have to do when using MIRACL.
Is Google Authenticator good?
Almost all online security today is based on a strong password and Multi-Factor Authentication (MFA). The Google Authenticator app was the gold standard for MFA authentication for many years, but that’s no longer the case.
Lost access to your Google Authenticator? You’re in trouble.
One user stated that he lost all data on his android phone and, after he logged in to his Google account, he couldn’t recover 2FA codes to websites. Another user downgraded his phone from Android 12 beta to 11, and all his data could be restored except for Google authenticator. He had a painful time trying to recover each account one by one.
Unfortunately, you can’t recover your codes if you’ve lost access to your original Google Authenticator app. To us, this is a massive flaw in Google’s app.
Printers
Google recommends printing a copy of your backup codes to store them somewhere safe. But be careful how you print. If you’re on WIFI, there could be a man-in-the-middle attack on your LAN. Anyone running Wireshark could see your documents in plain text as they are sent to the printer. Also, some laser printers have hard drives that store what is printed. The best option is to use an inkjet printer via a USB cable if you print sensitive info. Or you can avoid all this hassle by using MIRACL.
Phishing
But the real issue is phishing. It’s possible to create a phishing website that looks and acts exactly like the real thing. It even sends your password and the TOTP generated by an authenticator app to log in to the genuine service. It can act as if it were you - after all, the necessary credentials were provided. MIRACL’s “zero knowledge” concept authenticates users without exposing any sensitive information and is resistant to phishing.
What to look for in an authenticator app
Most people who use an MFA focus only on the technical aspects of cybersecurity. But another aspect is just as important: how user-friendly is the MFA application? Let’s consider the convenience factor. 92.1% of internet users access the internet using a mobile phone. These people are often on the move. They might use public transport where they have no access to the internet or be at a place where the WIFI is weak. Is there anything more frustrating than trying to log in to an account just to lose connection a few seconds later?
But the login time also has a direct impact on effectiveness.
Here’s an example: Tom has a startup. He wants to share a project with his team via a productivity tool. As these projects are sensitive, Tom protects his login with an MFA. But he commutes via London underground and has patchy access to WIFI there. He only has two overground stations.
If he can log in while at these two stations, he’s more likely to share projects with his team on time. He doesn’t have to wait another half an hour until he’s in an area with internet connectivity.
With Google Authenticator, you must manually input the code when logging in. That adds another step to the login process. You’ll also need to go through extra steps to back up. But some services offer reserve codes instead. If you log in with one of these codes, you’ll have to go through the whole registration process again.
The backup codes themselves have a weakness: they’re sent online. If hackers gain access to them, they can access your account. Using MIRACL as your authentication tool means you and your customers never have to worry about backup codes - they’re simply not needed.
The primary concern with using authenticators like the one from Google is that you have to simply trust the provider. They will store your data. But should you trust a provider? MIRACL works on the concept of zero-knowledge proof; it doesn’t store any security-related data in the cloud.
Then, there’s the jumping between open browser windows. To log in, you need multiple steps to open different apps. Users have to go back and forth to copy codes. That’s not only annoying; it takes time.
And time is of the essence. In a poll, 40% of internet users report abandoning a site if it takes longer than 3 seconds to load. Unlike other features, security tools aren’t particularly user-friendly. They’re seen as necessary but annoying. MIRACL users only need 2 seconds and a 4-digit PIN to log in, with error rates as low as 1/10th that of passwords.
What is the safest authentication method?
Any type of 2FA on an account is preferable to none at all, and even SMS-based 2FA means you’re more secure than if you only used a password. If you have the patience for it, a program like Google’s Advanced Protection Program can make your online life more secure than passwords alone. However, you must balance convenience and security.
But SMS-based 2FA is still far too easy to circumvent with a bit of reading and copy-pasting. And contrary to popular opinion, you don’t have to be wealthy to be targeted by hackers. A steady job is often enough. Your data and money are just as valuable to threat actors if it’s relatively easy to hack into your accounts. That means you should go the extra mile to protect your data.
MIRACL eliminates vulnerable password databases using the zero-knowledge proof protocol. Its single-step login MFA is resistant to all attacks, including Man-in-the-Middle, Replay, Credential Stuffing, Password Spraying, and Phishing. No security-related data is stored on servers, so there’s nothing to steal.
Because authentication takes place on the device, we don’t even need to know your PIN. That user generated PIN activates and deactivates your unique cryptographic key and is never shared with anyone, including MIRACL. We meet the Strong Customer Authentication (SCA) standards of the EU Revised Directive on Payment Services (PSD2).
Want to learn more about how MIRACL Trust can help your company to stay compliant while offering a simple user experience? Get in touch here or schedule a demo here.
Joining our newsletter is also a great way to get to know us.