
I am clear on how Google Authenticator works when logging on to a website. However, these days everyone is using apps for everything: the Twitter app, the Facebook app, the Instagram app, etc., and thus not bothering much with the web interface.

So my question is this: does Google Authenticator protect these apps too? I am about to start using Google Authenticator but I don't understand how it will keep me safe when I am using the Twitter app or the Facebook app. Could somebody please explain, in simple terms because I'm not technical at all, how Google Authenticator protects my social media account when I'm using the app?

For example, if someone somehow finds my Twitter password and installs the Twitter app on their smartphone wouldn't they get instantaneous access to my Twitter account? So how exactly does Google Authenticator on my device stop the hacker from accessing my account when they are not going to access it over the web in the first place? (Say they'll use a "burner" phone).

I would really, really appreciate any answer on this because I've spent the entire day trying to find it on the Internet and there is absolutely nothing available (or I'm just too dumb and couldn't figure it out when I read it).

Thank you very much.

Tasos
  • It generates 2-factor authentication codes (OTP) for those accounts for which you set up 2-factor authentication. It doesn't protect any app. – defalt Jan 16 '19 at 03:14
  • @defalt: Thank you for your help. I am still unclear: so if someone somehow finds my Twitter password and installs the Twitter app on their smartphone, they will get access to my Twitter account? Even though I may have Google Authenticator activated on the Web? – Tasos Jan 16 '19 at 03:18
  • If you have set up 2-factor on your Twitter account, it will ask for an OTP every time you enter your password. Without the OTP, you can't log in. Did you ever use OTP via SMS for online banking transactions? – defalt Jan 16 '19 at 04:02
  • Yes, I have used OTP via a little dongle type device which would generate pass codes for a few seconds for online banking. So I am clear on that part. But aren't the OTPs only for when logging onto the Twitter/Facebook/other account over the Web using a browser? Or are you saying that Google Authenticator also generates OTPs even when using the Twitter/Facebook/other app on my smartphone? Meaning, when I launch the app on my smartphone the app will ask me for an OTP just like it would have happened when trying to log on over the Web interface? Thank you for not giving up on me, defalt. – Tasos Jan 16 '19 at 05:33

1 Answer


For example, if someone somehow finds my Twitter password and installs the Twitter app on their smartphone wouldn't they get instantaneous access to my Twitter account? So how exactly does Google Authenticator on my device stop the hacker from accessing my account when they are not going to access it over the web in the first place? (Say they'll use a "burner" phone).

Twitter will require a second factor for authentication everywhere, including on the web, in the app on the phone, and so forth. So to log in you need your username, password and second factor.

Google Authenticator (or any other TOTP generator) doesn't have to be on the same piece of equipment as the app. It does not directly interact with the app in any way.

The second factor is derived from a shared key and the current time. The shared secret key must be kept secret from an attacker, but the time-based codes generated will not reveal anything about the code.

In case you use third-party apps that do not support 2FA, many services let you generate app-specific passwords, which are more secure as they are often rather long and not entered more than once, making them less susceptible to phishing attacks, and they can usually be invalidated with a single click.

vidarlo
  • Thank you very much! I have understood everything you have said. But, just to be sure: so when I use the Twitter app on my smartphone (after I have activated 2FA on my account on the Web) the app will somehow show a "third" field (aside from the usual 2 fields where I usually enter my username and my password) and in this "third" field I will be asked to enter the code generated by Google Authenticator? Have I understood correctly? – Tasos Jan 16 '19 at 07:17
  • How it is done depends on the app. But generally you submit username and password, for then to be queried for 2fa. – vidarlo Jan 16 '19 at 07:18
  • Queried by the app, whichever way each app does the querying, right? – Tasos Jan 16 '19 at 07:21
  • Yes. It's up to the app how to handle this. – vidarlo Jan 16 '19 at 07:21
  • So then this also means that even if an attacker gets hold of my username and password he'll have a difficult time logging in because he won't have a way to get the code, right? So whether the attacker uses the app on his smartphone or the Web interface he will have a problem (unless he somehow manages to steal my smartphone). Right? – Tasos Jan 16 '19 at 07:26
  • That is the general idea behind 2FA. Even if he manages to acquire a valid code, it will quickly (minutes) become invalidated, and it will not reveal any information about the next code. – vidarlo Jan 16 '19 at 07:27
  • vidarlo I cannot thank you enough for clarifying this for me! Thank you so much! I have spent hours on the Web researching this but found nothing. So what do I do to the initial answer you gave me, do I click on the "up arrow" or the "check mark" to show my appreciation? – Tasos Jan 16 '19 at 07:31
  • Yes, accepting an answer indicates that it answered your question. That's the checkmark. Feel free to upvote it with the up arrow as well if it was useful. – vidarlo Jan 16 '19 at 07:35