Authenticator App Security

You would think your authenticator app would be a secure app, right? But what happens when your authenticator app tracks your usage and records your behaviour?

Well, it seems this is fairly common practice, even among the most popular apps. Naomi Brockwell recently did a YouTube video discussing the results of a recent research project from Mysk, and the results are quite surprising.

There are a number of issues brought up in the research, including tracking, analytics, seed storage, identity correlation and others.

Some apps require some sort of “sign-up”, including an email address and phone number, the aim being to tie this info to a specific person. Others report your usage to public trackers.

Surprisingly, Google Authenticator came out as one of the best apps in this class, storing, requiring and sending the least amount of information from or about users. There’s no sign-up or account required. There is now a backup option, but it requires authenticating to Google’s system, and the seeds are stored unencrypted on Google’s servers (for convenience’s sake?). At least there’s a choice.

FOSS apps like FreeOTP and Aegis remain the best in class, with little to no information stored or required about the user.

Here are some general tips on how to improve your 2FA security:

  • Type in the token code by hand (instead of scanning the QR code) when importing a token
  • If you do use the QR code, use a QR code scanner to check the contents of the QR code first
  • Store backup codes securely and safely where provided (for example in your password manager)
  • Use your 2FA app’s backup option if it offers a local backup
  • Only use mainstream/popular apps from their respective app stores
  • Choose to use a hardware key instead of authenticator apps where possible
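
The first two tips are about knowing what you are actually importing. An enrolment QR code is just an otpauth:// URI, so you can decode it and read it before any app sees it. The script below is an added example, not part of the original post or of any of the apps mentioned: it parses the URI, lists the fields, flags any query parameter that the common Key URI Format does not define (such parameters are not needed to generate codes), and computes the current RFC 6238 TOTP code from the seed so you can confirm a hand-typed secret matches what the service expects. The sample URI, its `tracking_id` parameter and the function names are constructed for illustration; the seed is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Parameters defined by the widely used Key URI Format for otpauth:// links.
# Anything else in the query string is not needed to generate codes and is
# worth a second look before the URI is handed to an app.
KNOWN_PARAMS = {"secret", "issuer", "algorithm", "digits", "period", "counter"}


def decode_base32(secret):
    """Decode a base32 seed, tolerating lowercase, spaces and missing '=' padding."""
    cleaned = secret.replace(" ", "")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded, casefold=True)


def parse_otpauth(uri):
    """Split an otpauth:// URI into its fields.

    Returns a dict with the token parameters plus an 'unexpected' list of
    query parameters that the standard format does not define.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    otp_type = parsed.netloc.lower()          # "totp" or "hotp"
    if otp_type not in ("totp", "hotp"):
        raise ValueError("unknown OTP type: %r" % otp_type)
    label = unquote(parsed.path.lstrip("/"))  # e.g. "Example:alice@example.com"
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    decode_base32(params["secret"])           # catches a typo or a bogus seed early
    return {
        "type": otp_type,
        "label": label,
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "unexpected": sorted(set(params) - KNOWN_PARAMS),
    }


def totp(secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP code for a base32 seed at Unix time `at` (default: now)."""
    key = decode_base32(secret)
    now = time.time() if at is None else at
    counter = struct.pack(">Q", int(now // period))
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation from RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def inspect(uri, at=None):
    """Summarise a URI the way you would want to read it before importing it."""
    f = parse_otpauth(uri)
    lines = [
        "type:      %s" % f["type"],
        "label:     %s" % f["label"],
        "issuer:    %s" % f["issuer"],
        "algorithm: %s / %d digits / %ds" % (f["algorithm"], f["digits"], f["period"]),
    ]
    if f["unexpected"]:
        lines.append("WARNING: non-standard parameters present: %s" % ", ".join(f["unexpected"]))
    if f["type"] == "totp":
        lines.append("current code: %s" % totp(f["secret"], at, f["digits"], f["period"], f["algorithm"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the seed is the RFC 6238 test key and the trailing
    # parameter is made up to show how a surplus field is surfaced.
    SAMPLE = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&tracking_id=abc123")
    print(inspect(SAMPLE))
```

Decode the QR with any offline scanner, paste the resulting URI into `inspect()`, and compare the code it prints with what your app shows after import. If the two agree, the secret you typed by hand is correct; if the summary lists parameters you cannot account for, that is the moment to ask why they are there.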

2FA remains a generally secure method of authentication, but there are some pitfalls to note. Use common security sense to make sure this security mechanism isn’t used against you.