How authenticator apps enhance security

Since the advent of identity security and multi-factor authentication (MFA), experts have developed a variety of methods to verify user identities. Over the years, as threats to user identities escalated, the security mechanisms used for authentication also advanced. From basic methods like passwords, to advanced methods like FIDO2 passkeys and biometrics, organizations today employ different authentication methods based on their security policy, compliance requirements, and end-user experience to keep identity-based attacks at bay. Recent developments like risk-based authentication have further reinforced identity and access security while ensuring unhindered user productivity.

But not all authentication methods are created equal. The technology employed by some authentication methods to validate user identities can be susceptible to attacks and bypasses. For example, a password—the most rudimentary yet widely used authentication method—is vulnerable to various attack forms like brute-force attacks, password spray, and keylogging . Likewise, security questions and answers can falter against malicious impersonators with knowledge of a user's personal information. Although it was popular for a while, SMS-based authentication is vulnerable to exposure by SIM swapping and SIM interference. Email verification codes are also not exempt from exposure.

On the other hand, there are authentication techniques that can stand their ground against hacks. Authenticator apps are one such method.

What are authenticator apps and how do they work?

Authenticator apps are identity verification platforms built for mobile devices. They help include additional stages of authentication to create secure MFA flows for access into network endpoints and resources. Popular examples of authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, and Duo Mobile. They are predominantly available to users at no cost. They are generally developed to work on multiple types of mobile devices and OS platforms.

Authenticator apps primarily offer time-based one-time passwords (or TOTPs) as the authentication method. During setup, the user will configure the authenticator app by scanning a QR code displayed in the endpoint client. In this process, a private key is shared between the client and the authenticator app. The TOTPs are then generated in the authenticator app based on this shared key and the device time. They are then used to verify a user's identity, with each code remaining valid only for a short time before a new one is generated.

Here's how a typical authentication attempt is handled by an authentication app:

• The user accesses the endpoint login console and starts authentication.
• Depending on organizational authentication policy, the user may have to complete the first stage of authentication.
• If successful, the user is requested to enter the TOTP displayed on the organization's designated authenticator app.
• The user accesses the authenticator app, identifies the TOTP, and enters it into the endpoint's login console within the stipulated time.
• If the TOTP is correct, the user is authenticated.
• Depending on the policy, they may either complete more stages of authentication, or they may log in to the endpoint.

Authenticator apps often provide backup codes when the user cannot access the app or their mobile device; however, users have to generate these codes prior to when they need to authenticate their identity without the app or device.

Why are authenticator apps more secure than other methods?

Authenticator apps have an edge over other identity verification methods—like passwords, SMS- and email-based verification codes, security questions and answers, and push notifications—for the following reasons:

• Dynamic challenge-response: Authenticator apps generate time-sensitive, one-time passwords that are valid for only a short period (usually 30 seconds). This makes it difficult for attackers to reuse the codes even if intercepted.
• User involvement: TOTPs require users to be vigilant and enter the passcode accurately. Users cannot be negligent or accidentally respond to the challenge posed, like in the case of push notifications.
• Offline accessibility: Authenticator apps do not require an internet connection to generate codes once set up. This reduces the attack surface compared to other methods like SMS- and email-based verification codes.
• Secure technology: Following setup, the shared key is never transmitted between the endpoint client and the mobile device, making it harder for attackers to intercept and obtain.
• Continuous access: Authenticator apps allow you to sync your shared key securely across multiple devices. This ensures you can access your accounts even if you lose or replace your device.
• Strong encryption : Authenticator apps use strong encryption techniques to store the secret keys securely on your device, protecting them from unauthorized access.

Incorporating authenticator apps for comprehensive identity security

To maximize the benefits authenticator apps have to offer, it is vital to incorporate them as part of a holistic identity security policy. ManageEngine ADSelfService Plus—an identity security solution with MFA, SSO, and self-service password management capabilities—helps achieve this. ADSelfService Plus offers MFA to secure local and remote machine logins, enterprise application SSO, VPN access, and OWA logins. The solution supports the following authenticator apps for MFA:

• Google Authenticator
• Microsoft Authenticator
• Zoho OneAuth
• Duo Security

Along with these apps, the solution also supports integrating any custom or in-house TOTP provider. By choosing ADSelfService Plus, you can create an effective authentication policy that makes the most of your desired authenticator app with the following capabilities:

• Offline MFA for Windows and macOS machine logins, and peripheral Windows actions like UAC prompts and system unlocks.
• Provision to configure MFA policies with additional layers of authentication, besides username and password.
• Passwordless authentication for SSO access to SAML, OAuth, and OIDC-based enterprise applications.
• Granular enablement of specific authenticators for particular AD groups and OUs.
• Adaptive MFA that can heighten or relax authentication flows based on risk factors like time of access, IP address, geolocation, and device used.

For a further look into ADSelfService Plus' identity security capabilities, get your free, 30-day trial of the product here.