<h1>Authentication with one-time codes: pros and cons</h1>
<p>Published 3 March 2023 at https://me-en.kaspersky.com/blog/authenticator-apps-and-security/20786/</p>
<p>Information security experts have long agreed that the most reliable form of two-factor authentication with a one-time code is an authenticator app. Most services offer this method as a second level of account protection, and in some cases a code from an app is the only second factor available.</p>
<p>But the reasons why one-time codes are considered so safe are rarely discussed, so legitimate questions arise: is it really a good option, how reliable is it, what dangers are worth considering, and what do you need to keep in mind when using this two-factor authentication method? The main purpose of this post is to answer those questions.</p>
<h2>How authenticator apps work</h2>
<p>Generally, such apps operate as follows: the service you are authenticating to and the authenticator share a number, the secret key (it is contained in the QR code you scan to enable authentication for this service in the app). The authenticator and the service then independently run the same algorithm, a keyed hash (HMAC) of the current time divided into fixed steps, to derive a short code from this key. This is the TOTP scheme standardized in RFC 6238; the two sides never talk to each other, they just compute the same thing.</p>
<p>When you enter the code that your app has generated, the service compares it with what it generated itself. If the codes match, everything is fine and you can access the account (and if not, you can't). Also, when you connect the authenticator app via a QR code, a lot of information is transferred in addition to the secret key.
This includes the code's validity period (usually 30 seconds), along with the number of digits, the hash algorithm, and the account and issuer names that the app displays next to the code.</p>
<p>The most important information, the secret key, is transmitted just once, when the service pairs with the authenticator, and from then on both parties remember it. With each new login to the account, no information is transmitted from the service to your authenticator at all, so there is nothing to intercept. In fact, authenticator apps don't even need internet access to perform their main function; all they need is a reasonably accurate clock. All an attacker can theoretically get is the one-time code itself, and that code is tied to a single 30-second time step.</p>
<p>We've already discussed in more detail how authenticator apps work in a <a href="https://www.kaspersky.com/blog/authenticator-apps-compatibility/47063/" target="_blank" rel="noopener nofollow">separate post</a>. Read it if you want to know about authentication standards, the information contained in the QR codes used to connect those apps, and the services that are incompatible with the most common authenticators.</p>
<h2>How secure is 2FA with a one-time code?</h2>
<p>Let's summarize the main advantages of one-time code authentication from an app:</p>
<ul>
<li>Good protection against leaks: a password alone isn't enough to gain access to an account; you also need a one-time code.</li>
<li>Decent protection against interception of the one-time code. A code is only accepted for its own 30-second step (most services also accept the adjacent step to allow for clock drift), so an attacker who captures one has at most a minute or so to use it.</li>
<li>The secret key cannot be recovered from a one-time code: the code is a few digits truncated from an HMAC of the key, so even if codes are intercepted, attackers cannot clone the authenticator.</li>
<li>No internet connection is required on the device generating one-time codes. It can be kept completely isolated from the network.</li>
</ul>
<p>As you can see, the system is well thought out.
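</p>
<p>To make the mechanism concrete, here is an added example written for this edit; it is not code from the original post or from Kaspersky. It models both sides of the exchange in Python: the otpauth:// URI that the QR code carries, the RFC 4226/6238 code derivation that the app and the service each run on their own, a server that tolerates one step of clock drift but refuses a code whose step has already been used, and the session cookie that a service issues after a full login and then trusts on its own (the situation the "Stealer malware" section below describes). The Service class, the user "alice", her password and the 20-byte secret (the RFC 6238 test key, chosen so the codes can be checked against the RFC) are all illustrative assumptions.</p>

```python
# Added example, not code from the original post or from Kaspersky: a toy model of
# one service and one authenticator app. The Service class, user "alice", her
# password and the 20-byte secret (RFC 6238's test key, so the codes can be checked
# against the RFC) are all illustrative assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri):
    """What the app keeps from the QR code: the secret and the otpauth:// parameters."""
    query = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    b32 = query["secret"].upper()
    b32 += "=" * (-len(b32) % 8)                   # QR payloads usually omit padding
    return {"secret": base64.b32decode(b32),
            "period": int(query.get("period", 30)),  # seconds per time step
            "digits": int(query.get("digits", 6)),
            "algorithm": query.get("algorithm", "SHA1").lower()}


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC(secret, counter), dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(params, now):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(params["secret"], now // params["period"], params["digits"], params["algorithm"])


class Service:
    """Server side: keeps the shared secret, checks codes, then trusts a session cookie."""

    def __init__(self, period=30, skew=1):
        self.period, self.skew = period, skew      # skew: adjacent steps accepted for drift
        self.users = {}                            # name -> {"password", "secret", "last_counter"}
        self.sessions = {}                         # sha256(token) -> user name

    def enroll(self, user, password, secret=None):
        """Returns the otpauth:// URI that the service would show as a QR code."""
        secret = secret or secrets.token_bytes(20)
        self.users[user] = {"password": password, "secret": secret, "last_counter": -1}
        b32 = base64.b32encode(secret).decode().rstrip("=")
        return (f"otpauth://totp/Example:{user}?secret={b32}&issuer=Example"
                f"&period={self.period}&digits=6&algorithm=SHA1")

    def login(self, user, password, code, now):
        """Full authentication: password plus code. Returns a session token or None."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        step = now // self.period
        for counter in range(step - self.skew, step + self.skew + 1):
            if counter <= rec["last_counter"]:     # a step is accepted once: no replay
                continue
            if hmac.compare_digest(hotp(rec["secret"], counter), code):
                rec["last_counter"] = counter
                token = secrets.token_urlsafe(32)
                self.sessions[hashlib.sha256(token.encode()).hexdigest()] = user
                return token
        return None

    def request(self, cookie_header):
        """Every later request: the cookie alone identifies the user, no password or code."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session":
                return self.sessions.get(hashlib.sha256(value.encode()).hexdigest())
        return None

    def revoke_sessions(self, user):
        """The 'sign out everywhere' button: stolen copies of the cookie stop working."""
        self.sessions = {h: u for h, u in self.sessions.items() if u != user}


def demo():
    """Enrollment, login, replay, relay timing and cookie theft as a dict of outcomes."""
    svc = Service()
    uri = svc.enroll("alice", "correct horse", secret=b"12345678901234567890")
    app = parse_otpauth(uri)                       # the authenticator scans the QR code
    r = {"code_at_59": totp(app, 59)}              # RFC 6238 vector for t=59 ends in 287082
    cookie = svc.login("alice", "correct horse", r["code_at_59"], now=59)
    r["login_ok"] = cookie is not None
    # The same code again a few seconds later is refused: that step was consumed.
    r["replay_rejected"] = svc.login("alice", "correct horse", r["code_at_59"], now=64) is None
    # A code phished at second 29 of its step and relayed 25 s later is still accepted,
    # because the server tolerates one step of drift: the real window is not 30 s.
    relayed = totp(app, 1111111109)
    r["relayed_in_time"] = svc.login("alice", "correct horse", relayed, now=1111111134) is not None
    # One generated at the start of a step is dead 61 s later, even with that tolerance.
    late = totp(app, 1234567890)
    r["relayed_too_late"] = svc.login("alice", "correct horse", late, now=1234567951) is None
    # The session cookie is a bearer token: a copy works from anywhere, until revoked.
    r["cookie_alone_works"] = svc.request(f"theme=dark; session={cookie}") == "alice"
    svc.revoke_sessions("alice")
    r["revoked"] = svc.request(f"session={cookie}") is None
    return r
```

<p>Two details are worth noticing. First, the app's on-screen countdown and the server's acceptance window are different things: a code shown a second before the timer ran out is still taken by a server that allows one step of drift, which is the slack a real-time phishing relay lives in. Second, once the login succeeds, every later request is authenticated by the cookie alone; the server keeps only a hash of the token, but a copy of the cookie file itself is as good as the original until the user's sessions are revoked.</p>
<p>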
The designers of the scheme did what they could to make it secure. But no solution is completely safe. So even when using authentication by code from an app, there are some risks to consider and precautions to take. That's what we'll talk about next.</p>
<h2>Leaks, e-mail hacking and workarounds</h2>
<p>I mentioned above that authenticating with one-time codes from an app is great protection against password leaks. In a perfect world, it would be. Unfortunately, we don't live in one. There is a crucial nuance, which stems from the fact that services don't want to lose users over a small annoying detail like losing the authenticator (which can happen to anyone); therefore, they usually provide an alternative way to log in: sending a one-time code or confirmation link to the associated e-mail address.</p>
<p>This means that if a leak has occurred and attackers know both the password and the e-mail address it's linked to, they can try this alternative method to log in to the account. And if your e-mail is poorly protected (especially if you reuse the same password for it and haven't enabled two-factor authentication there), there is a good chance the attackers can bypass the one-time code from the app entirely. An account is only as strong as the weakest login path it accepts.</p>
<p>What's worth doing about it:</p>
<ul>
<li>Keep an eye out for data leaks, and promptly change passwords for affected services.</li>
<li>Don't use the same password for different services. This is especially important for the e-mail account to which other accounts are linked.</li>
<li>Some services allow you to disable alternative methods of logging in.
For especially valuable accounts, it may be worth doing this (but don't forget to <a href="https://www.kaspersky.com/blog/how-to-backup-authenticator-app/42103/" target="_blank" rel="noopener nofollow">back up the authenticator</a>; there's more on this below).</li>
</ul>
<h2>Physical access and people looking over your shoulder</h2>
<p>Someone might look over your shoulder when you're using an authenticator app and see the one-time code. And not just one code: authenticators often display the codes for several accounts at once. An intruder who already has the password (from a leak, say) could then log in to any of those accounts. Of course, they would not have much time to take advantage of what they caught sight of, but it's better not to take any chances: 30 seconds might be enough time for a nimble-fingered cybercrook.</p>
<p>The situation is more dangerous if someone manages to get their hands on an unlocked smartphone with an authenticator. In this case, that someone could log into your accounts without haste or trouble, and, if the app lets secrets be exported, could copy the keys themselves and clone the authenticator.</p>
<p>How to minimize such risks:</p>
<ul>
<li>Use an authenticator app that doesn't display the codes on screen by default (there are <a href="https://www.kaspersky.com/blog/best-authenticator-apps-2022/43261/" target="_blank" rel="noopener nofollow">quite a lot of</a> them).</li>
<li>Set a strong password to unlock the smartphone on which the authenticator app is installed, and turn on automatic screen locking after a short period of inactivity.</li>
<li>Use an app that lets you additionally set a password to open the app itself (such apps exist, too).</li>
</ul>
<h2>Phishing sites</h2>
<p>Most phishing sites designed for mass attacks are quite primitive. Their creators are usually satisfied with stealing logins and passwords, followed by selling them dirt cheap, wholesale, somewhere on the dark web.
Against such attackers, two-factor authentication is solid protection: even if someone gets your login credentials, they are of little use without a one-time code from an app.</p>
<p>However, on more carefully and plausibly crafted phishing sites, particularly those built for targeted attacks, phishers can also imitate the two-factor verification step. In this case they intercept not only the login and password but also the one-time code, and relay all three to the real site within the code's validity window. The attackers log into the victim's real account, while the phishing site may show an error message and suggest retrying. Nothing in a one-time code ties it to the site where it was typed, which is why this relay works.</p>
<p>Unfortunately, despite its apparent simplicity, phishing remains an extremely effective trick for criminals, and it can be difficult to protect yourself against sophisticated versions of it. The general advice here is as follows:</p>
<ul>
<li>Don't click on links in e-mails, especially those received from unknown or suspicious addresses.</li>
<li>Carefully check the address of the pages where you're entering your account information.</li>
<li>Use <a href="https://me-en.kaspersky.com/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___" target="_blank" rel="noopener">a reliable solution with automatic phishing protection</a>.</li>
</ul>
<h2>Stealer malware</h2>
<p>To put it mildly, people don't really like going through the full authentication process. Therefore, services try not to bother their users unnecessarily. In fact, in most cases you only have to be fully authenticated with a password and confirmation code when you log in to your account on a device for the first time.
Or perhaps once more, if you've accidentally cleared the cookies from your browser.</p>
<p>After a successful login, the service saves a small <a href="https://encyclopedia.kaspersky.com/glossary/cookie/" target="_blank" rel="noopener">cookie</a> on your computer containing a long random session token. This is what your browser presents to the service on every request from then on, and the token alone is proof enough: no password or one-time code is asked for again. So if someone manages to copy this file, they can use it to sign into your account from their own machine.</p>
<p>Such files (along with a bunch of other information like browser-saved passwords, cryptocurrency wallet keys and similar goodies) can be stolen by <a href="https://encyclopedia.kaspersky.com/glossary/trojan-psw-psw-password-stealing-ware/" target="_blank" rel="noopener">Trojan stealers</a>. If you're unfortunate enough to get a stealer on your computer, there's a very good chance that your accounts will be hijacked, even with all the other precautions in place.</p>
<p>To prevent this from happening:</p>
<ul>
<li>Don't install programs from dubious sources.</li>
<li>Be sure to use <a href="https://me-en.kaspersky.com/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___" target="_blank" rel="noopener">reliable protection</a> on all your devices.</li>
<li>If you suspect a stealer has run on your computer, changing the password is not enough on its own: use the service's "sign out of all devices" option (or its equivalent) so that existing sessions are revoked, and change the password from a clean device.</li>
</ul>
<h2>The lack of authenticator backups</h2>
<p>Access to your accounts can also be lost because the protection is too strong: for example, if you have disabled every way of getting into an account other than a code from the app, and then somehow lose the authenticator. In this case you might permanently lose your accounts and the information in them.
Or, at best, you're in for a few days of tearful correspondence with support about <a href="https://www.kaspersky.com/blog/how-to-recover-authenticator-app/41967/" target="_blank" rel="noopener nofollow">access restoration</a>.</p>
<p>There are in fact quite a few circumstances in which you might lose your authenticator:</p>
<ul>
<li>A smartphone can break in a way that leaves no information recoverable from it.</li>
<li>You might lose it.</li>
<li>And of course, it could be stolen.</li>
</ul>
<p>All of these are unpredictable events, so it's better to prepare for them in advance to avoid any unpleasant consequences:</p>
<ul>
<li>Be sure <a href="https://www.kaspersky.com/blog/how-to-backup-authenticator-app/42103/" target="_blank" rel="noopener nofollow">to back up the authenticator data</a>. Many apps allow backup to the cloud; some can also save it as a local file. Remember that such a backup is a copy of all your secret keys: keep it encrypted and separate from your password store.</li>
<li>It may be wise to install the authenticator on two different devices, or even use several different apps. This protects you from being locked out of your backup if the cloud infrastructure of a single authenticator is unavailable at the most inopportune moment.</li>
<li>If a service issued recovery codes when you enabled two-factor authentication, store them somewhere safe; they exist precisely for this situation.</li>
</ul>
<h2>How to stay safe</h2>
<p>Let's summarize. Two-factor authentication itself seriously reduces the risk of your accounts being hijacked, but it doesn't guarantee complete security.
It's therefore worth taking extra precautions:</p>
<ul>
<li>Be sure to set a password to unlock the device where the authenticator is installed.</li>
<li>Use an authenticator app that can hide one-time codes from unwanted eyes and lets you set a password for the app itself.</li>
<li>Don't forget to <a href="https://www.kaspersky.com/blog/how-to-backup-authenticator-app/42103/" target="_blank" rel="noopener nofollow">back up the authenticator</a>.</li>
<li>Don't use simple passwords, and don't reuse passwords across accounts. A <a href="https://me-en.kaspersky.com/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___" target="_blank" rel="noopener">password manager</a> will help you generate and remember unique, strong passwords.</li>
<li>Watch out for leaks, and promptly change passwords for affected services, especially the e-mail account to which other accounts are linked. Incidentally, Kaspersky Password Manager <a href="https://www.kaspersky.com/blog/make-your-passwords-stronger-with-kaspersky-password-manager/40269/" target="_blank" rel="noopener nofollow">tracks password leaks and warns you about them</a>.</li>
<li>To protect yourself from phishing and stealer malware, install a <a href="https://me-en.kaspersky.com/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___" target="_blank" rel="noopener">reliable security solution on all of your devices</a>.</li>
<li>Watch out for login attempts to your accounts and respond quickly to suspicious activity.
By the way, we have a tutorial that tells you <a href="https://www.kaspersky.com/blog/tips-for-hacked-account/36760/" target="_blank" rel="noopener nofollow">what to do if your account is hacked</a>.</li>
</ul>