{"id":20654,"date":"2023-02-06T05:11:15","date_gmt":"2023-02-06T10:11:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/authenticator-apps-compatibility\/20654\/"},"modified":"2023-02-08T19:43:56","modified_gmt":"2023-02-08T15:43:56","slug":"authenticator-apps-compatibility","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/authenticator-apps-compatibility\/20654\/","title":{"rendered":"Is Google Authenticator irreplaceable?"},"content":{"rendered":"<style>\ncode {overflow-x: scroll;  white-space: nowrap; width: 100%}\n<\/style>\n<p>Many online services allow (and sometimes even require) you to set up two-factor authentication (2FA) with one-time codes. Google Authenticator is the most well-known and widely used authenticator app that generates such codes. Almost all services are compatible with it, and some even provide a link to the app when you set up 2FA. But is Google Authenticator the only option, or should you give one of the many alternatives \u2014 like Microsoft Authenticator or Twilio Authy \u2014 a whirl?<\/p>\n<p>Since these alternatives exist and clearly have a userbase, you might assume they could be full-fledged replacements for Google Authenticator. But what, if any, are the pitfalls? For those who have no time to read to the end, here\u2019s the answer straight away: don\u2019t worry, Google Authenticator is more than replaceable. But if you\u2019re curious about the whats, whys, and hows \u2014 read on\u2026<\/p>\n<h2>How authenticators work<\/h2>\n<p>\nLet\u2019s start with how authenticator apps work in general. Several open standards for strong authentication have been created under the umbrella of the Initiative for Open Authentication (OATH). 
Authenticator apps are built on these standards (plus a few other things that are outside the scope of this post).<\/p>\n<h3>OATH HOTP<\/h3>\n<p>\nWay back in 2005, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/HMAC-based_one-time_password\" target=\"_blank\" rel=\"nofollow noopener\">OATH HOTP<\/a> (HMAC-based one-time password) standard appeared as RFC 4226. It laid down the fundamentals of authenticating with one-time codes that the client and the server generate independently but in lockstep.<\/p>\n<p>The idea is that both the app and the service you\u2019re using remember the same secret key. A keyed hash (HMAC) is then computed over this key and a counter value, and a few digits are extracted from the result to form the code. The counter is simply a number that is incremented each time a new one-time code is generated. Both sides hold the same inputs, so if everything goes according to plan they produce identical codes; the service compares the code you entered with the one it computed, and if they match, authentication succeeds.<\/p>\n<p>Every time a code is generated the counter moves on, which is what makes each code one-time. HMAC is a one-way function, so the secret key cannot be recovered from a code by reverse calculation: even if someone intercepts a one-time code, they cannot derive the key, clone the authenticator, and generate fresh codes of their own.<\/p>\n<p>There are two main issues with HOTP. First, the counter values easily drift apart. If you ask the authenticator for a code but never submit it, the client-side counter advances while the server-side one stays put, and the generated codes no longer match. RFC 4226 has the server try a small look-ahead window of counter values to resynchronize, but that only masks the problem up to the size of the window. 
Second, a code stays valid until the counter moves on, so an intercepted code remains usable until the victim next logs in, potentially giving an attacker time to use it if they manage to distract the victim.<\/p>\n<h3>OATH TOTP<\/h3>\n<p>\nIn 2011, a new standard was unveiled (RFC 6238): <a href=\"https:\/\/en.wikipedia.org\/wiki\/Time-based_one-time_password\" target=\"_blank\" rel=\"nofollow noopener\">OATH TOTP<\/a> (time-based one-time password), which derives the counter from the current time. The principle is the same: the shared secret key and the counter go through the same HMAC-based calculation to produce a one-time code. The counter is now the number of whole intervals elapsed in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Unix_time\" target=\"_blank\" rel=\"nofollow noopener\">Unix time<\/a> (the current time divided by the interval length, rounded down), so the code changes automatically at regular intervals regardless of whether or not it was used.<\/p>\n<p>Any internet-connected device knows the time to within a few seconds, so the two sides no longer drift apart the way HOTP counters do; to absorb what clock skew remains, servers typically accept the codes for the previous and next interval as well. And since the interval is short (30 seconds by default), an intercepted code is only useful briefly. Note that this does not defeat phishing that relays the code to the real service in real time, which fits comfortably inside a 30-second window.<\/p>\n<h3>Basic principles of authenticators<\/h3>\n<p>\nAuthenticator apps use these two standards. TOTP is by far the more common, since it sidesteps the resynchronization problem and bounds the lifetime of every code; HOTP survives mainly in older implementations and in hardware tokens that have no clock.<\/p>\n<p>When a token is created, the app and the service must agree on a standard (HOTP or TOTP) and share the secret key; that is the absolute minimum required for the authenticator to work. Further parameters can be set as well. How do the app and the service come to this arrangement? In most cases, by means of a QR code. 
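<\/p>\n<p>Here is what the two standards look like in code. This is an added example written for this post, not code from the original article or from any authenticator app: it implements HOTP and TOTP with nothing but the Python standard library and checks itself against the test vectors published in RFC 4226 and RFC 6238 (the 20-byte ASCII secret 12345678901234567890). The two verify_* functions are our own sketch of the server side: a look-ahead window that resynchronizes a drifted HOTP counter, and a one-step tolerance for TOTP clock skew combined with a record of the last accepted step, so that a code cannot be accepted twice inside its 30-second window.<\/p>\n

```python
# HOTP (RFC 4226) and TOTP (RFC 6238) from scratch, plus the server-side
# checks the text alludes to: a look-ahead window to resync a HOTP counter,
# and a one-step tolerance for TOTP clock skew with replay protection.
# Added example; only the Python standard library is used.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: TOTP is just HOTP with counter = floor((unix_time - T0) / period)."""
    now = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, (now - t0) // period, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server side of HOTP. The client may have generated codes the server never saw,
    so try the next `look_ahead` counter values (RFC 4226 calls this resynchronization).
    Returns (accepted, new_server_counter). The counter only ever moves forward, so a
    code that was accepted once is dead afterwards."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):   # constant-time compare
            return True, c + 1
    return False, server_counter


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
                period: int = 30, digits: int = 6, skew_steps: int = 1):
    """Server side of TOTP. Accept the current step and `skew_steps` on either side
    to absorb clock drift, but never a step at or before the last accepted one:
    without that check a code phished and relayed inside the 30-second window
    would still be accepted a second time. Returns (accepted, last_used_step)."""
    step = now // period
    for candidate in range(step - skew_steps, step + skew_steps + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_used_step


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print([hotp(RFC_SECRET, c) for c in range(3)])         # ['755224', '287082', '359152']
    print(totp(RFC_SECRET, for_time=59, digits=8))         # 94287082
    print(verify_hotp(RFC_SECRET, "969429", 0))            # (True, 4): client had skipped three codes
    print(verify_totp(RFC_SECRET, "287082", now=59))       # (True, 1)
    print(verify_totp(RFC_SECRET, "287082", now=59, last_used_step=1))  # (False, 1): replay refused
```

<p>Two details matter in practice: the comparison uses hmac.compare_digest so that the server does not leak how many digits matched through timing, and both verifiers move the last-accepted marker forward, because the one-time property only holds if the server remembers what it has already accepted.<\/p>\n<p>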
And this leads us to the next question: how do these QR codes work?<\/p>\n<h2>Authenticator QR code content<\/h2>\n<p>\nAs far as I know, this is not one of the standards developed by OATH, but a de facto format <a href=\"https:\/\/github.com\/google\/google-authenticator\/wiki\/Key-Uri-Format\" target=\"_blank\" rel=\"nofollow noopener\">set<\/a> by Google Authenticator that other apps have adopted voluntarily. Either way, app-based authentication systems tend to use QR codes that encode a link (strictly speaking, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Uniform_Resource_Identifier\" target=\"_blank\" rel=\"nofollow noopener\">Uniform Resource Identifier, or URI<\/a>) carrying all the necessary information. Here\u2019s an example of what it looks like:<\/p>\n<p><code> otpauth:\/\/totp\/Google:alanna@gmail.com?secret=IN2XE2LPOVZSYIDBOJSW4J3UEB4W65J7&amp;issuer=Google&amp;algorithm=SHA1&amp;digits=6&amp;period=30<\/code><\/p>\n<p>As you can see, a whole bunch of parameters are transferred in the QR code, indicating the following:\n<\/p>\n<ul>\n<li>The purpose of the URI: creation of an authentication token (that\u2019s what the otpauth scheme at the beginning is for)<\/li>\n<li>The authenticator standard, hotp or totp; in this case, totp<\/li>\n<li>The label displayed inside the app, in the form issuer:account; the part before the colon is Google in our example<\/li>\n<li>The username, i.e. the account part of the label; in this case, alanna@gmail.com<\/li>\n<li>The secret key from which the codes are generated, encoded in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Base32\" target=\"_blank\" rel=\"nofollow noopener\">Base32<\/a>; this is the only part that must be kept secret, and it should be a long random value (RFC 4226 calls for at least 128 bits and recommends 160)<\/li>\n<li>The issuer parameter, the name of the service that created the URI; Google again in our example<\/li>\n<li>The hash function used inside the HMAC that generates the codes; in this case, <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-1\" target=\"_blank\" rel=\"nofollow noopener\">SHA1<\/a> (SHA256 and SHA512 are also defined)\n<\/li>\n<li>The length of generated codes, usually six digits as 
shown here, but other variants are acceptable<\/li>\n<li>The period of time after which the code expires \u2014 usually 30 seconds, but other intervals can be set.<\/li>\n<\/ul>\n<p>Here\u2019s what the corresponding QR code looks like:<\/p>\n<div id=\"attachment_47066\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/02\/06141639\/authenticator-apps-compatibility-qr-alanna-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47066\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/02\/06141639\/authenticator-apps-compatibility-qr-alanna-1.png\" alt=\"QR code for connecting an authenticator app, specifying all available parameters\" width=\"1000\" height=\"500\" class=\"size-full wp-image-47066\"><\/a><p id=\"caption-attachment-47066\" class=\"wp-caption-text\">QR codes can pass a whole bunch of authentication token parameters<\/p><\/div>\n<p>In fact, as we mentioned above, many of these parameters can be omitted. The label and the username can be arbitrary, and the issuer isn\u2019t required at all: none of this affects code generation, it\u2019s there for the user\u2019s convenience. The remaining parameters have defaults: unless the URI says otherwise, the authenticator uses SHA1 and produces a six-digit code with a 30-second update period. One caveat worth knowing: the Key URI documentation linked above notes that Google Authenticator itself ignores the algorithm, digits and period parameters, so a service that relies on non-default values should make sure the app it recommends actually honours them.<\/p>\n<p>Essentially, the service and the authenticator only need to agree on the standard (HOTP or TOTP) and share the secret key. 
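<\/p>\n<p>Here the parameters above are read back out of a URI by a small parser: an added example written for this post, not code from the original article or from Google Authenticator. The OtpToken class, the function names and the accepted range of 6 to 8 digits are our own choices; the defaults (SHA1, six digits, 30 seconds) and the issuer:account label form are those of the Key URI format linked above. Fed the full URI from the QR code above and the stripped-down one that follows, it recovers the same key material and the same generation parameters from both, and it rejects URIs that would not yield a working token (wrong scheme, unknown type, missing or malformed secret, HOTP without a starting counter).<\/p>\n

```python
# Parser for the otpauth:// key URI that authenticator QR codes carry.
# Added example; the OtpToken class and function names are our own, not Google's.
# Applies the format's defaults (SHA1, 6 digits, 30 s) for missing parameters,
# normalises sloppy Base32, and rejects URIs that cannot yield a working token.
import base64
import binascii
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass(frozen=True)
class OtpToken:
    kind: str              # "totp" or "hotp"
    secret: bytes          # raw key material after Base32 decoding
    issuer: str
    account: str
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30       # meaningful for totp only
    counter: int = 0       # meaningful for hotp only

    def generates_same_codes_as(self, other: "OtpToken") -> bool:
        """Labels and issuer are cosmetic; only these fields drive code generation."""
        def essentials(t):
            moving_part = t.period if t.kind == "totp" else t.counter
            return (t.kind, t.secret, t.algorithm, t.digits, moving_part)
        return essentials(self) == essentials(other)


def decode_base32_secret(text: str) -> bytes:
    """Services emit lower-case, spaced or unpadded Base32; normalise before decoding."""
    text = text.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)          # restore the padding Base32 strictly requires
    return base64.b32decode(text)           # raises binascii.Error on characters outside A-Z2-7


def parse_otpauth(uri: str) -> OtpToken:
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    kind = parts.netloc.lower()             # urlsplit puts the 'totp'/'hotp' host part here
    if kind not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type {kind!r}")
    label = unquote(parts.path.lstrip("/"))  # "issuer:account" or just "account", possibly %-encoded
    if ":" in label:
        label_issuer, account = (s.strip() for s in label.split(":", 1))
    else:
        label_issuer, account = "", label.strip()
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    try:
        secret = decode_base32_secret(params["secret"])
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid Base32: {exc}") from None
    if not secret:
        raise ValueError("secret decodes to zero bytes")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", 6))
    if not 6 <= digits <= 8:                 # our own bound; the format itself only lists 6 and 8
        raise ValueError(f"unsupported code length {digits}")
    period = int(params.get("period", 30))
    if period <= 0:
        raise ValueError("period must be positive")
    counter = 0
    if kind == "hotp":
        if "counter" not in params:
            raise ValueError("hotp URIs must carry the initial counter")
        counter = int(params["counter"])
    issuer = params.get("issuer", label_issuer).strip()
    return OtpToken(kind, secret, issuer, account, algorithm, digits, period, counter)


def is_usable(uri: str) -> bool:
    """True if the URI would produce a working token in a standards-following app."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


# The two URIs from the QR codes in this post.
FULL_URI = ("otpauth://totp/Google:alanna@gmail.com?secret=IN2XE2LPOVZSYIDBOJSW4J3UEB4W65J7"
            "&issuer=Google&algorithm=SHA1&digits=6&period=30")
MINIMAL_URI = "otpauth://totp/Whenever:Wherever?secret=IN2XE2LPOVZSYIDBOJSW4J3UEB4W65J7"

if __name__ == "__main__":
    full, minimal = parse_otpauth(FULL_URI), parse_otpauth(MINIMAL_URI)
    print(full.issuer, full.account, full.secret)     # Google alanna@gmail.com b"Curious, aren't you?"
    print(full.generates_same_codes_as(minimal))      # True
    print(is_usable("otpauth://hotp/Shop:bob?secret=JBSWY3DPEHPK3PXP"))  # False: no counter
```

<p>Decoding the Base32 secret in the example is a reminder that this field is the only thing worth protecting: it comes out as the ASCII text \u201cCurious, aren\u2019t you?\u201d, which is fine for a demo but no substitute for the random key of at least 128 bits (160 recommended) that RFC 4226 calls for. Any two URIs that decode to the same secret, type, algorithm, digit count and period will generate identical codes, whatever their labels say.<\/p>\n<p>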
Thus, the following URI and QR code would yield a functionally identical authentication token to the previous pair:<\/p>\n<p><code>otpauth:\/\/totp\/Whenever:Wherever?secret=IN2XE2LPOVZSYIDBOJSW4J3UEB4W65J7<\/code><\/p>\n<div id=\"attachment_47065\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/02\/06141731\/authenticator-apps-compatibility-qr-whoever-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47065\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/02\/06141731\/authenticator-apps-compatibility-qr-whoever-2.png\" alt=\"QR code for connecting an authenticator app without most parameters\" width=\"1000\" height=\"500\" class=\"size-full wp-image-47065\"><\/a><p id=\"caption-attachment-47065\" class=\"wp-caption-text\">Many QR code parameters can be omitted or set to arbitrary values; the main thing is to share the secret key and set a standard (HOTP or TOTP)<\/p><\/div>\n<p>The bottom line is that most services that use app-generated codes for authentication work with such QR codes, and any authenticator app can read them and turn them into tokens that generate the one-time codes. So, instead of Google Authenticator, you can choose any of the dozens of alternatives that take your fancy.<\/p>\n<h2>A few exceptions: services that are incompatible with regular authenticators<\/h2>\n<p>\nFor some reason that\u2019s beyond me, not everyone in the IT industry follows the above standards: some prefer to come up with their own. Here are some companies whose services and programs are not compatible with third-party authenticator apps (including Google Authenticator).<\/p>\n<ul>\n<li>\n<strong>Apple<\/strong>. The guys at Cupertino have their own 2FA system, which uses no third-party apps at all. 
Instead, the one-time codes are generated by the operating system simultaneously on all devices linked to an Apple ID. That\u2019s how they roll!<\/li>\n<li>\n<strong>Valve and Blizzard<\/strong>. For security on Steam and Battle.net, the developers offer 2FA of their own creation: Steam Guard (built into the Steam apps for both Android and iOS) and Battle.net Authenticator, respectively. As far as I know, only one third-party authenticator app supports these systems: <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/#winauth\" target=\"_blank\" rel=\"noopener nofollow\">WinAuth<\/a>.<\/li>\n<li>\n<strong>Microsoft<\/strong>. For Microsoft account authentication, you have to install Microsoft Authenticator. On the upside, there\u2019s no need to enter any codes: you confirm the login by tapping a button in the app. As a bonus, Microsoft Authenticator also generates standard authentication tokens, which makes it a <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/#microsoft-authenticator\" target=\"_blank\" rel=\"noopener nofollow\">solid alternative<\/a> to Google Authenticator. Incidentally, you don\u2019t need a Microsoft account to use it.<\/li>\n<li>\n<strong>Adobe<\/strong>. The graphics software developer offers its own 2FA app, Adobe Account Access, which works along the same lines as Microsoft Authenticator: a login to your Adobe account is approved by tapping a button rather than by entering a code. In theory, the app also supports creating tokens for authentication with third-party services. 
However, to get Adobe Account Access to work, you must first link the app to your Adobe account, which, based on <a href=\"https:\/\/apps.apple.com\/us\/app\/adobe-account-access\/id1514571935\" target=\"_blank\" rel=\"nofollow noopener\">App Store<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.adobe.ims.accountaccess\" target=\"_blank\" rel=\"nofollow noopener\">Google Play<\/a> reviews, isn\u2019t advised.<\/li>\n<\/ul>\n<h2>So, do I have to use Google Authenticator?<\/h2>\n<p>Not necessarily. All services that work with Google Authenticator will let you set up two-factor authentication using any alternative app. What\u2019s more, many of them have significant advantages over Google\u2019s creation.<\/p>\n<p>Incidentally, we have a post about <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/\" target=\"_blank\" rel=\"noopener nofollow\">the most interesting authenticators<\/a> for each popular operating system \u2014 Android, iOS, Windows, and macOS. 
And finally, if you\u2019ve read this text in its entirety, then something tells us you might be interested in <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/#andotp\" target=\"_blank\" rel=\"noopener nofollow\">andOTP<\/a> if you\u2019re on Android, and <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/#otp-auth\" target=\"_blank\" rel=\"noopener nofollow\">OTP auth<\/a> if you\u2019re on iOS.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n","protected":false},"excerpt":{"rendered":"<p>How authenticator apps work and what alternatives there are to Google Authenticator.<\/p>\n","protected":false},"author":2726,"featured_media":20656,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1226],"tags":[1047,109,1931],"class_list":{"0":"post-20654","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-2fa","9":"tag-apps","10":"tag-authenticators"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/authenticator-apps-compatibility\/20654\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/authenticator-apps-compatibility\/25158\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/authenticator-apps-compatibility\/27789\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/authenticator-apps-compatibility\/25491\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/authenticator-apps-compatibility\/25941\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/authenticator-apps-compatibility\/28395\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/authenticator-apps-compatibility\/34625\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/authenticator-apps-compatibility\/47063\/
"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/authenticator-apps-compatibility\/20115\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/authenticator-apps-compatibility\/20694\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/authenticator-apps-compatibility\/29758\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/authenticator-apps-compatibility\/25833\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/authenticator-apps-compatibility\/31532\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/authenticator-apps-compatibility\/31246\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/2fa\/","name":"2FA"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20654"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20654\/revisions"}],"predecessor-version":[{"id":20669,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20654\/revisions\/20669"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20656"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20654"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}