Investigating the safety of MFA methods: are authenticator apps secure?

Imagine you’re an employee of a software development company. 

You log into an authentication provider like Okta and, after entering the login and password details, you get a push to your app to confirm the login. Then you open github and enter the one-time authentication code to access the repository you’re working with. 

At the same time you decide to check your current bank balance. And so you open your mobile banking app which also requires a one-time password (OTP) to login. 

As we continue to integrate technology into virtually every aspect of our daily lives, the security of our digital data has become a critical concern. From private email exchanges and social media accounts to sensitive banking and healthcare information, vast quantities of data are now stored online and so can be vulnerable to cyber threats. 

One of the most prevalent threats we face today is phishing attacks. Every day, cybercriminals trick individuals into revealing sensitive information such as usernames and passwords -  typically through bogus emails or text messages.

Traditional security measures such as password protection are increasingly inadequate against these sophisticated attacks. It's a well-known fact that many individuals use weak passwords or reuse them across multiple platforms. And this makes it much easier for attackers to compromise our defenses. In 2022, a study revealed that 82% of breaches involved a human element, such as falling for phishing scams or using weak passwords.

This alarming statistic helps to explain the move towards Multi-Factor Authentication (MFA), which adds an additional layer of security. The idea behind MFA is a simple one: provide more than one form of verification to confirm the identity of the user. This typically includes something the user knows (a password), something the user has (a mobile device or a hardware token), and something the user is (biometrics like fingerprints or facial recognition).

In this article we’ll take a look at the different types of MFA available and we’ll compare them from a security perspective. We’ll pose an important question: are authenticator apps secure? And we’ll explore how to keep authenticator apps safe to use as they evolve in the coming years.

Perhaps the most common and widely-known method of MFA is SMS-based verification. This is when a code is sent to the user's mobile device which they must then input to access their account. But this method, though popular, can be vulnerable to SIM swapping, and the 2FA codes can even be intercepted.

Hardware tokens are another MFA method where codes are generated that users can input to gain access. These tokens are separate physical devices and, while they're quite secure, they can be inconvenient due to the need to carry around an additional device.

A more secure and convenient method is authenticator apps. These are applications installed on a user's device that generate a code - often time-based - for the second factor authentication. Notable examples include Google Authenticator, Microsoft Authenticator, and Authy. The codes are generated within the app on the device itself and are not transmitted over the network, making them a safer choice for 2FA.

There is an important caveat and wider problem with MFA here, though: 

The original idea and assumption behind two-factor authentication was that users would never be logging in and receiving second factor codes on the same device. So, if you were logging in via a web-interface, you’d receive a one-time code to your mobile device. For obvious reasons this makes the whole process much more secure (and helps to explain why hardware tokens on a separate physical device were seen as the safest option for a long time.)  

But plenty of companies - including authentication software, banks, and even internet giants like Apple - break this rule. 

Let’s go back to the example we asked you to imagine at the beginning of this piece. If you’re logging in to Okta from your mobile browser, you’ll most likely receive the OTP on your mobile device. Or, if you’re entering iCloud from a browser on your MacBook, it will send the OTP to the very same MacBook. 

When you think about it, this makes 2FA useless if we judge it strictly based on its original purpose and intentions. If you’ll allow us to circle back to a rather common topic here at Licel (and one you’ll recognise if you’re a regular reader of our blogs) it’s almost as if convenience and security aren’t always the best bedfellows. 

At the very least it’s something you should keep in mind while using 2FA apps.

While two-factor authentication (2FA) offers a robust shield against security breaches, not all 2FA methods are created equal. Among the three most popular methods - SMS, hardware tokens, and authenticator apps - the first two face unique challenges that can potentially compromise the safety of user data.

Let’s start with SMS.

SMS-based 2FA

For lots of people, their only interaction with (and understanding of) MFA is SMS based. This makes sense given the simplicity of SMS and the global familiarity with it for the past two decades. Indeed, it’s this familiarity that presents the biggest challenge to alternative forms of MFA like authenticator apps. 

After all, it’s quite an ask for people to switch from receiving a text message on a familiar and convenient channel. Especially when that channel might not even require any actions from the user given that many applications can extract the OTP from the SMS automatically. 

SMS-based 2FA is certainly a more secure option than single-factor authentication. But it has several limitations. 

Let’s start with the fact that a unique authentication code transmitted over a mobile network is susceptible to attacks:

When codes are sent over the air, technically savvy hackers can employ techniques to intercept the messages and gain access to the authentication codes. This can happen for example when a trojan is deployed to a mobile device and is programmed to intercept the code. This particular attack was highly popular in the earlier days of Android when the OS didn’t have the sophisticated permissions system it has today. 

Nowadays, code interception still happens - but with different mechanisms. Instead of directly listening to SMS events, mobile malware implements Accessibility APIs and tricks users into allowing it. Once access is granted, the malware can scan input codes and intercept notifications which inevitably leads to stolen OTPs. 

Hackers can also manipulate the mobile service provider into transferring a user's phone number to a new SIM card owned by the attacker. Bad actors might obtain a copy of the target user ID and claim the original sim was lost or malfunctioning. If successful, the attacker will receive all SMS messages intended for the victim, including 2FA codes.

Cybercriminals can also dupe users into revealing their 2FA codes via phishing attacks where the attacker impersonates a trusted authority and persuades the victim to share their sensitive information. This kind of attack can happen to any of us at any time, so we need to remain vigilant and suspicious at all times.   

Hardware tokens

Hardware tokens are physical devices that generate 2FA codes. These tokens, while extremely secure, present unique challenges of their own.

Because they are physical objects, hardware tokens can be lost, stolen, or damaged. If a token falls into the wrong hands, then the owner’s accounts could potentially be at risk. Hardware tokens look like flash-drives after all; and we all know somebody who has lost one of those.

Then there’s the fact that having to carry an additional piece of hardware can be pretty inconvenient. Especially in an age when we’re so used to storing everything on our phones. 

As we’ve hinted at already in this article, users will typically be attracted to the most convenient form of MFA. And so the inconvenience of hardware tokens can actually discourage users from setting up 2FA at all, creating associated security risks.

What’s more, hardware tokens can be expensive to produce and distribute, making them a less attainable option for many individual users and smaller organizations. 

Imagine you’re the head of security at your company. It’s likely the idea of purchasing, configuring, and distributing thousands of tokens among employees and the associated costs and energy this entails might make you think twice about signing off on hardware tokens. And that’s before you get round to coming up with procedures for replacements.

Again, it's vital to find a 2FA method that offers a good balance between security and convenience. 

And that's where authenticator apps come into play.

Authenticator apps appear to occupy the sweet spot between security and user friendliness. And this helps to explain why they’ve emerged as the preferred option for many individuals and businesses.

Functionality and usage of authenticator apps

Authenticator apps work by generating time-sensitive, one-time-use codes on the user's device. After linking the app to your online accounts - typically done by scanning a QR code during the setup process - the app will produce a unique code every 30 seconds (or some other predetermined time interval) for each account.

To use the code, you simply open the app, find the code associated with the account you're trying to access, and enter it on the login page after inputting your password. Because these codes are generated on your device and expire after a short time, they offer a secure means of 2FA that is less susceptible to some of the common MFA attacks we’ve covered in this article (including interception and phishing.)

The differences between authenticator apps and SMS based 2FA

The primary difference between authenticator apps and SMS-based 2FA is in the delivery method of the codes. With authenticator apps, the codes are generated on the user's device, making them less vulnerable to interception or phishing attacks. In contrast, SMS-based 2FA codes are sent over the network, making them more susceptible to such threats.

Authenticator apps don't require a network connection to generate codes either, which makes them a more reliable choice in situations where network coverage is spotty or non-existent.

The encryption behind 2FA codes

Encryption plays a vital role in securing our digital lives. And it's at the core of how authenticator apps work, too.

Authenticator apps generate 2FA codes using specific algorithms, typically either the Time-Based One-Time Password (TOTP) algorithm or the HMAC-Based One-Time Password (HOTP) algorithm.

As the name suggests, TOTP generates a one-time password that is valid only for a short period of time - typically 30 seconds. It does this by combining a secret key with the current timestamp using a cryptographic hash function. The result is then typically truncated to a six-digit number.

The HMAC-Based One-Time Password algorithm also uses a secret key but combines it with a counter that increments with each new password. Like TOTP, the result is then truncated (usually to a six-digit number). The password remains valid until it's used, at which point the counter advances and a new password is required.

An authenticator app’s encrypted communication with the server

Consider the process of logging into an account protected by 2FA using an authenticator app.

You enter your username and password as usual and the server then asks for your 2FA code.

You open your authenticator app which uses the shared secret key and either the current timestamp (TOTP) or a counter (HOTP) to generate a code. Then you enter this code on the server.

And the server itself, having the same secret key and knowing the algorithm used, generates a code and compares it with the one you’ve inputted. If they match, the server grants you access.

Even with the added security of authenticator apps, it's crucial to understand that no system is entirely immune to threats. One challenge for some authenticator apps is the lack of encryption for stored secrets. If an attacker were able to access the device and the app's storage isn't encrypted, they could potentially extract the secret keys. 

More secure authenticator apps address this by encrypting the stored secrets and making use of hardware enclaves where available. Hardware enclaves are secure areas of the processor where data can be stored and used but not extracted, offering an additional layer of security.

An authenticator app's primary function is to securely generate 2FA codes using a secret key. If an attacker were to steal the secret key, then they’d be able to generate their own valid codes, which was demonstrated here. 

So, secure storage of the secret keys and using encryption and hardware enclaves wherever possible is crucial for protecting against sophisticated threats.

Whether to trust a user's device to act as an authenticator or to use a separate hardware token like a FIDO or Google Titan key is another question. Smartphones are already a target due to the amount of personal data they hold - adding authenticator functionality only makes them more attractive to attackers. 

Finally, if a device with an authenticator app is lost, stolen, or broken, users need a way to restore their secrets to a new device. Some authenticator apps offer a backup functionality, either by allowing the user to create a backup code during setup that can be used to restore the secrets, or by storing an encrypted backup in the cloud. But the backup process itself must be secured. If an attacker gained access to the backup, they could potentially restore the secrets to their own device instead.

Keeping in mind the threats listed above, what can we do to ensure the security of authenticator apps? 

Let’s take a look at a few approaches. 

Use strong, unique passwords for associated accounts

Remember, an authenticator app is a second layer of security. The first layer, your password, should be as strong as possible. Use a unique password for each of your accounts and make sure it's long, complex, and includes a mix of letters, numbers, and symbols. Using a reputable password manager can make this process more manageable.

Protecting the smartphone itself

The device hosting your authenticator app should be protected with a strong lock mechanism. This could be a complex passcode, a pattern, or biometric security like a fingerprint or facial recognition. This step ensures that even if your device fell into the wrong hands, the perpetrator wouldn’t be able to access your authenticator app. 

Also, your device should never be jailbroken or rooted. This modification significantly increases the risk of data loss and therefore rendering the 2FA protection obsolete. 

Don’t ignore software updates and patches

Regularly updating your device's software is crucial for its security. Updates often include patches for known vulnerabilities that could be exploited by attackers. So, keeping your device up to date helps protect not only your authenticator app but all of the data on your device.

Avoid downloading apps from untrusted sources

Only download apps - including authenticator apps - from reputable sources like the Apple App Store or Google Play Store. Apps from other sources may not have undergone rigorous security checks and could potentially contain malware or other security threats.

Encrypt sensitive data

Encrypting sensitive data on your device provides an additional layer of security. If an attacker did gain access to your device, encryption would help to ensure they can't read your data. Some devices offer full-disk encryption, while others allow you to encrypt specific sets of data.

In the case of authenticator apps, choose an app that encrypts your secret keys, as discussed in the previous section of this article. This feature provides an extra layer of security and protects your 2FA codes even if your device is compromised.

By following these best practices, you can ensure your authenticator app serves its purpose - to add an extra, secure layer of protection to your online accounts.

Beyond the essential end user advice outlined above, there are more advanced measures you can take to increase the security of your authenticator app. These steps may require more technical expertise or additional resources, but they offer substantial benefits in terms of security.

In addition to protecting your device with biometric security, you can also use biometric authentication to access your authenticator app. This functionality provides an additional layer of security, ensuring that even if someone can unlock your device, they can't access your 2FA codes without your unique biometric data. Unfortunately, at the time of writing, the most popular 2FA apps like Google Authenticator do not leverage this practice.

Secure backup of the secret keys used by your authenticator app is important, too. This process involves creating encrypted backups of your secret keys, either locally or on cloud storage, using a process known as key vaulting. This is a common practice in cryptographic security, which allows for the encrypted storage of digital keys in a secure device known as a key vault. This approach can prevent attackers from obtaining your keys, even if they gain access to your backup files.

Taking advantage of exploit mitigation techniques like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can prevent common types of attacks that might compromise your device. The most advanced attacks exploit errors in the OS components in a way that would allow the malware to put some code into an executable area, which normally is not accessible to the program. ASLR and DEP features make it so the malicious code cannot be executed, preventing the exploit from working.

Even with advanced protection measures in place, it's a good idea to be prepared for the unfortunate eventuality that your authenticator app might be compromised. Recovery from such breaches requires swift action and an understanding of the technical nuances involved.

Steps to take when an authenticator app is compromised

As soon as you suspect your authenticator app might be compromised, your first step should be to change the passwords for all of your associated accounts. Then, access the security settings of your accounts and revoke the current 2FA method. This action will invalidate the secret keys in the compromised authenticator app.

After that, you should try to determine the nature of the breach. Did malware compromise your device? Was your physical device stolen? Depending on the situation, consider wiping your device and restoring from a secure backup or even opting for a complete factory reset.

Once you’ve made sure your device is secure, re-enable 2FA for your accounts. This time, consider using a different method or a more secure authenticator app if the breach resulted from app vulnerabilities.

Monitor your accounts for any unauthorized activities. Check logs and notifications for any sign of illicit access. This can include password changes, email modifications, or unauthorized transactions.

Where possible, enable email or SMS alerts for suspicious account activities. This measure ensures that you're notified quickly in the event of any future breaches.

Dealing with account lockouts

If you find yourself locked out of an account due to 2FA issues, take the following steps.

Reach out to the platform's support team immediately. Most services have a procedure to handle 2FA lockouts, and they'll guide you through the recovery process. Be ready to provide them with additional identity verification. This may include answering security questions, providing ID documentation, or confirming other personal details linked to your account. For platforms that support it, consider having a backup authentication method, such as an alternative email or phone number.

The importance of recovery codes

When you enable 2FA on Github, the platform will ask you to save the so-called recovery codes. They are typically a set of unique codes provided by the platform when you set up 2FA. Each code can be used once and provides a way to access your account if you lose access to your 2FA method. Store your recovery codes in a secure place. This might be a secure password manager, a bank safe deposit box, or another secure offline location.

If you lose access to your authenticator app or device, use one of the recovery codes to regain access to your account. Remember, each code is usable only once.

Understanding the steps required for recovery is just as vital as the initial setup of 2FA. Being prepared and knowing what to do can help reduce the impact of a breach and ensure the continuity of your digital security.

As the cyber landscape continually evolves, so too must the technology underpinning our security tools. Authenticator apps, despite their present efficacy, will undeniably benefit from upcoming advancements in tech, especially from fields like machine learning.

First of all, future authenticator apps might leverage AI-driven behavioral analytics to offer more dynamic and adaptive security measures. By constantly learning from a user's typical behavior patterns, these apps could detect anomalies in real-time. For instance, if a 2FA request originated from a location or device the user has never accessed before, the system might trigger additional security challenges or temporarily block the request. These tactics also apply in battling zero-day attacks.

Machine learning algorithms could also be trained to detect emerging threats or vulnerabilities by analyzing vast datasets from across the web. For authenticator apps, this could mean pre-emptive measures taken before a known vulnerability is exploited.

One common critique of security tools is that they can sometimes impede user experience. AI can play a role in streamlining the 2FA process. For instance, an AI-based system might recognize that a user is trying to log in from their home on a previously authenticated device and might simplify or skip the 2FA step, whereas a login from an unknown device or location would still trigger the 2FA process.

At the same time, phishing remains one of the most significant threats to online security. Advanced ML algorithms can help in identifying and blocking phishing attempts in real-time. They can analyze patterns, domain names, and the content of web pages to determine if a user is being redirected to a fraudulent 2FA prompt.

In our increasingly digital world, the importance of robust online security cannot be overstated. Authenticator apps, as a cornerstone of multi-factor authentication, play a pivotal role in safeguarding our online activities. However, as cyber threats become more sophisticated, the tools we use must evolve in tandem.

The integration of AI and machine learning promises to propel authenticator apps to new heights. They offer the potential for these apps to not only react to threats but to proactively predict and counter them. Yet, it's crucial to remember that as we harness these advanced technologies, we must also ensure they remain secure and are used ethically.

In essence, the future of authenticator apps is not just about technological advancement but about balancing innovation with responsibility. It's a commitment to a safer online landscape, where users can enjoy both convenience and security.