Authenticator Apps - Is there any compelling reason to favor any given one of them?

How does Yubikey fit into this as I hear about it a fair bit but trying to understand is it actually something else or is it just a rebranding with physical security keys for MS and/or Google Authenticator?

Yubikey can act as a hardware token for services that support it...so it can have a direct 1 on 1 relationship with an identity. Such as, I can use my YubiKey..tied with Windows Hello for Business...which is tied to my Microsoft 365 Business Premium account...and I can use it to log into my computer..and split that into 3x steps.
1) Insert the Yubikey when asked...which is human attestation
2) Type in the required PIN tied to my account bound to that Yubikey...proving something I know
3) Follow up by "touching" the key...(also proving human attestation...since most people will just LEAVE the key in the computer...sorta bypassing step 1)....OR...proving something I am...via biometrics....certain Yubikey models support fingerprints.

HOWEVER, Yubikeys...combined with an app on your phone or on your computer, can ALSO act as a TOTP resource. That is, they can be used as a way to store those TOTP codes much like an authenticator app....for multiple accounts. So "yes they can also be an authenticator app"...they can store that data, unlocked by their app on your phone or computer...to get access to those revolving TOTP codes.
 
I have seen Microsoft Authenticator just plain old not issue codes, especially when trying to set up an account.

Never seen that happen...and I can't begin to count how many times per day we're getting clients set up on it....also, how many dozens of times per day each of us at our office is using it to authenticate to the many various accounts we use it for.
 
I use Authy except for Microsoft accounts which are on Microsoft Authenticator. But if I ever get a free weekend I will move from Authy to 2FAS. I use Authy because it syncs; having destroyed phones, the ability to log in to an account and restore is required. But Authy got hacked recently and they have no official method of export/backup. Third party services exist to rip the tokens out. 2FAS allows you to backup to cloud services, encrypted, so it's the better choice.
 
Further report on 2FAS testing, and I'm loving it even more overall.

For anyone who's using it, and has not tried the companion browser extension, I cannot recommend that more highly. It takes all of the typing effort out of these &%^$&* 6-digit codes and automatically enters them for you in the fields where they belong (if the website asking for the OTP allows it, some won't).

You have to establish a connection between the website and the OTP token you want to use for it the first time. After that it will continue using that OTP token every time you log in.

At the same time, you must give approval, on your phone, for that token to be sent and auto-typed.

After the initial setup it's nothing beyond clicking the 2FAS extension button (or using the keyboard shortcut) when you are sitting in the OTP edit box, confirming on your phone that you approve the sharing of the current value, and it shoots it right over and fills it in for you.

This makes me change my attitude from cursing MFA as a sometimes necessary evil to almost liking it.
 
Welcome to the club.

Thanks. But I stand by the "sometimes necessary" part. You'll never see me, for instance, putting MFA on my Kroger, Be My Eyes, Priceline, and the list goes on and on accounts.

It's got to be important and highly subject to monetary theft or manipulation such that if I'm locked out, life's a mess. Universal MFA remains a case of using Fort Knox to protect a broken bicycle in many, many cases.
 
MFA all the things...

If for no other reason than when done correctly it can eliminate passwords of any kind. This is imperative, because password retention and use by humans isn't getting any better over time. Meanwhile, machines are getting better daily at breaking passwords.

Passwords must die, they've never been good... MFA via TOTP code is a band-aid, and doesn't solve the basic problem that passwords suck.

You see MFA as Fort Knox, I know it to be a rickety fence blown over by a stiff breeze. Passwords are a mound of sand, that have all but vanished from our view due to the wind.
 
Passwords are a mound of sand, that have all but vanished from our view due to the wind.

I really have no idea what world you live in because you keep repeating this. Passwords remain ubiquitous, and are indeed still used in conjunction with MFA, and will continue to be long after we're both dead.

You exaggerate, grossly, the state of passwords and where they fit into the system. The sad part is I know you have to know what you're saying is patently incorrect, and is almost certain to remain patently incorrect for the foreseeable future.
 

No... I'm not. Every system dependent on passwords must be reworked, just as surely as the sun rises in the East.

Something you know, will simply never be able to act as a security safeguard against ever increasing processing power.

Just ten years ago the text string This-Password! required years to crack, today it takes about a day. All the effort being shoved into machine learning right now is fueling a huge surge in GPU development. GPUs just happen to be the tool of choice for password breaking. The better they get, every single password on the planet gets weaker. There's simply no way a human will ever keep up.

Sure you can lengthen things out: This-Password-Is-Much-Better! would take centuries to break given current technology, but there's no guarantee tomorrow we won't see a huge leap in GPU tech, or new technique found to weaken it to hours. All we have to do is go to bed tonight, and this will happen.

That's why passwordless authentication systems are the future, they must be. If the token is stolen, the machine can simply make a longer one and replace it. The human changes nothing. As long as we're reliant on a human to come up with ever longer authentication tokens we're playing a losing game. MFA techniques are a necessary step in this progress we're all making, and it's a useful one, but as long as we use passwords as the primary factor we're playing a losing game.

This topic by the way, is well written on. These are not my ideas.
 
@Sky-Knight

This isn't about most of the things you insist it is about. What it is about is what the public is willing to accept.

I will be cold and in my grave for decades before password use is over. It doesn't matter if I like it, it doesn't matter if you like it, it doesn't matter if it's grossly inferior to what you propose (and it is).

You have this belief that the industry can force this change. There is ample, way more than ample, evidence that this is not the case. I live with someone who I could never, in a billion years, convince to MFA every account. He's just not having it. Many of my clients won't have it. That actually matters, no matter how much you hate that fact (and it is a fact).

If you think universal MFA is in the near future, and passwords are going to be totally dead, have fun pushing that string up that hill or nailing that jello to a tree.
 

The industry will not force the change... The attackers will. (and already have actually)

Passwords are crap, you can prep now or be run over. The "good guys" have lost the fight, and there's no way to win it while still using passwords.

Heck, it's not all that winnable even with good authentication tokens... but that's another thread.

Those that refuse to accept modern authentication will soon be left with no systems they can interact with. Left, in the dust bin of history where they belong. Your personal circumstances are irrelevant... the insurance companies have spoken.
 
Thanks to all who've been giving input. Just curious if anyone has tried/is using Duo (from Cisco)?

2FAS looks interesting, and I like open source software.

I am managing a Cisco DUO tenant and really like it... Its SAML SSO support is phenomenal.

I have it working with Global Protect VPN, One Identity Password Manager, and had it working with Pulse Secure in the past. Also it is authenticating our Network people to Cisco ISE (Identity Services Engine), so MFA when logging onto switches and firewalls.

 
It's nice to have options for MFA apps....
For non-Microsoft 365 stuff, the 2FAS looks cool.....supports a lot of various services. I have not checked out how the backup/restore works.

But for Microsoft 365 clients....if you're not using the Microsoft Auth app...you will miss out on some features specific to the MS Auth app. (some substantially desirable features)

I think I mentioned earlier, but if the 2FAS app supports push notifications resulting in a prompt on the phone to "allow" or "deny"...I encourage not using that method. Or at the very least...highly...highly educating the end user to pay attention. One of the reasons Microsoft removed that feature from default behavior was...end users got tired of phone nags...resulting in "MFA Fatigue"...and they just click "approve" so they have the phone stfu. We've had a few clients let bad guys in due to that.
 
I think I mentioned earlier, but if the 2FAS app supports push notifications resulting in a prompt on the phone to "allow" or "deny"...I encourage not using that method.

It's not a matter of choice, though, and it has only occurred for me when I have the 2FAS browser add-on configured. And even then, you're triggering the Allow/Deny prompt directly, yourself via the add-on and that prompt only confirms that you want to send the OTP to yourself. I've not seen that style of pop-up come up under 2FAS otherwise.

If someone else using 2FAS knows otherwise, let me know. The main reason I'm using the browser add-on is so that I don't constantly have to be picking up my phone, looking at my OTP digits, and almost invariably fat-fingering them when entering them at least once about 25% of the time.

MFA is damned inconvenient, and that's why so many, including myself, avoid it except when the protection it offers is deemed necessary and useful. What's funny is that two of the instances where I'd most like to have it, at two separate credit unions I've done business with for decades now, it is not offered. One offers nothing but password, the other does a push notification to the phone, not using SMS, that asks you to verify it's you logging in (much like the dreaded Approve/Deny, but it's very clear exactly who that message is from).
 
Just FYI, I switched to 2FAS - because of this convo. Pretty neat.

Brian, ya, it looks like you still have to auth from the phone - the browser add-on looks like it just saves you from physically typing it in. To be corrected.
 
2FAS is an HOTP and TOTP authenticator. The latter is just the 6 digit numeric rotating code we've been using for ages. The former is almost a FIDO2 key. It's that arena where it probably functions a lot like a fully enrolled MS Authenticator can. But that only matters in MS space, or something SSO'd to an Entra ID back end.

For personal use on various online whatevers? 2FAS has all the features it needs to be very good at what it does.
 
Brian, ya, it looks like you still have to auth from the phone - the browser add-on looks like it just saves you from physically typing it in. To be corrected.

That's absolutely true. If you install the browser add-on, when you click the 2FAS button a push message comes up on your mobile device where you have to authorize the auto-typing of the token. If you happen to have more than one account (e.g., two PayPal accounts) you also have to pick which one you want the token from.
 