23&Me just notified me that they are recommending 2-factor authorization due to some kind of data breaching (based on passwords that users use on multiple sites, apparently). Fine, only they require an authentication app, rather than just texting my phone or something that I’m used to. I have resisted these apps up to now, I am reluctant to put apps on my phone that are mandated by some 3rd party because I am paranoid about access to my phone data.
“Safe” to me means, safe for me vs. the company who is running the app possibly spying on my phone, and also safe from outside hacking.
The ones I have seen mentioned are from Google and Microsoft. Oh, boy, do I have confidence in the probity and security of those organizations? No, I do not. Are there others?
I’m not exactly sure what kind of spying you’re envisioning with a Google or Microsoft authenticator app. Are you so distrustful of them that you don’t use any Google or Microsoft apps on your phone or PC? That would take quite a lot of effort…
Yes, as far as I am able to discern. I use Opera and DuckDuckGo on my PC. I avoid things like Google Maps in favor of other apps like Waze on my phone.
In any case, I don’t think I was asking anyone to talk me out of my paranoia. The questions I asked were:
How safe are these apps?
Is using them better (i.e. safer from hacking) than other 2FA methods like texting my phone?
Is there a better or best choice among the apps available?
2-factor via SMS (texting) is not remotely safe. In many cases, attackers can simply call up your mobile provider and get phone access transferred to themselves.
It’s not about “Do I trust Google?” It’s “Do I trust Google more or less than AT&T (whichever other provider I use)?”
I don’t think I’ve ever had anyone offer a choice. A website will sometimes offer a choice of text, email or authenticator app for 2FA, but if they use an authenticator they will tell you which one. Google is the most common in my experience.
If they just specify “authenticator app” or recommend Google Authenticator you can use any number of apps, as they are using an open standard.
The apps themselves are safe. You can use either Google or Microsoft Authenticator without ever signing in to anything or giving access to your phone data. I have seen some other shadier apps that do try to get info, but the big names don’t.
Anecdotally, company cell phone uses Microsoft Authenticator and the cyber security our IT (tier 1 defense prime) establishes is about as stringent as can be while still allowing some minimal level of device utility.
I’ve never actually given data to 23 and Me, but for some reason lost to time, I have an account with them. I’d completely forgotten this until I got the breach mail from them yesterday.
Anyway, I went and added 2 factor authentication to my account. The choice they gave me was TOTP. The remote site and your authenticator app share a code, and then new passwords are generated every 30 seconds. After entering your regular username and password, you need to enter the current six digit number from your authenticator app.
Because TOTP is a standard, it doesn’t really matter who creates the app. You can use the one from Google, Microsoft, Authy, Duo, etc. There may be more. This type of app doesn’t need network access, location access, or anything like that. They will usually want camera access, so it can load the shared code from a QR code, but camera access is not necessary for the app to function.
I recommend picking one from a company you find least objectionable, and use it.
My company just required all our accounts to be verified by MS Authenticator. I installed it tonight, will let you know how it works for me over the next few days.
You realize Google bought Waze a decade ago, don’t you?
They are now a single team.
Authenticator apps at their simplest simply take a generated key, synced to a time source, and give you a shifting (usually) 6 digit code. Microsoft’s also allows for a push code with number matching which is both easier and safer for most users.
The Authenticator app does pass back your GPS coordinates in this mode to allow for geofencing.
Depending on what you mean by “safe” both Google and Microsoft are unlikely to have their authenticator app compromised, and are unlikely to take nefarious action against you. Google is slightly more likely to use your data for advertising means (their primary revenue is advertising while Microsoft makes money on licensing), but as others have noted, authenticator apps don’t really have access to useful data on your phone.
The riskiest party in this discussion is probably 23&Me. Your DNA data can be shared with the government, and it’s not a stretch to imagine it getting in the hands of insurance companies in the future. Not that this is a big risk, but it’s more of a risk than an authenticator app.
And a final comment - like sex educators like to say about sex, there is no such thing as “safe” when it comes to security. There is only “safer”.
Well, that ship has sailed a long time ago, and I don’t know if there’s anything I can do about it. Since I have no offspring, and damn few living blood relatives, I’m not sure how much future risk there actually is. If I turn out to be related to a serial killer, I’ll be glad to help identify them.
Yes. Texting your phone is probably the least safe way of doing 2FA. If a hacker knows your phone number they can clone your phone and receive the text message containing the confirmation code. That can’t be done if you’re using an authenticator app.