Questions tagged [authenticator]

19 questions
24 votes, 3 answers

Where to find Google Authenticator backup codes?

I'm slightly confused about obtaining Google Authenticator backup codes. I can find my Google Account backup codes at: https://myaccount.google.com/signinoptions/two-step-verification but have no idea if those are the ones I should use to restore…
a.s.t.r.o
6 votes, 6 answers

When should I issue more than one multi-factor device to a user? Is it OK to give several active tokens vs none at all?

Most of the conventional IT.Sec thinking I've seen says that a user can only have one multi-factor authentication device. I'd like to challenge that de facto thinking and ask if there is ever an occasion where: More than one multifactor device…
makerofthings7
6 votes, 4 answers

Do all Authenticator Apps use the same algorithm?

I've tried some Authenticator Apps (Google, Microsoft, Authy, LastPass, ...) and all of those apps generate the same one-time passwords at the same time? So, these apps use the same algorithm, which is a generic algorithm, not an application developer's…
3 votes, 2 answers

How do backup codes work in TOTP, like Google Authenticator?

My understanding is that TOTPs are like HMAC, where the code is derived from time. However, I am struggling to understand the concept of Backup Codes in Google Authenticator, and how they are calculated, as they are not time sensitive and can be used…
3 votes, 1 answer

Having sudo mode in a web application, why use a password instead of one time passwords?

Online services, like GitHub, have Sudo mode. Sudo mode means that a user performing delicate actions has only to authenticate every couple of minutes, but then again, although they are already logged in. GitHub uses for this reason the user's…
tjati
2 votes, 1 answer

Is there any security reason to not allow adding authenticators for a certain account?

I have recently added 2FA for my Google account using an authenticator installed on my mobile phone. After doing this, I have realized that it would be nice to also have the authenticator installed in a backup phone. However, it was not possible to…
Alexei
2 votes, 1 answer

Backup Google Authenticator transferring QR code

I understand that saving a screenshot of the QR code during the OTP setup process is enough to back up a single account, however, is this the same for the QR code generated during the Google Authenticator transferring process? Because, if so, could…
2 votes, 1 answer

The Wrong Icon for NordVPN on Authy

I recently turned on the multi-factor authentication on NordVPN and I use Authy for the authenticator. After scanning the QR code on the website, I found that the icon displayed in the Authy app was of "Best Auto Sales, LLC" instead of NordVPN (the…
Gary Hu
1 vote, 0 answers

Is it secure to also make the mobile app client the authenticator app?

Most services that support it seem to have a standalone 2FA authenticator app (Microsoft Authenticator, Google Authenticator) instead of integrated authentication in their mobile apps (admittedly, these services are far larger than one-app products,…
theonlygusti
1 vote, 0 answers

What Threat Profile is Microsoft addressing with the MSAL URI format?

Applications built for MSAL 1.0 and MSAL 2.0 have a default application URI of MSAL://GUIDHere/AppName. This is in contrast with what other IDPs are doing. Can anyone explain the benefits or drawbacks of this format? (sometimes a "feature" might be…
makerofthings7
1 vote, 1 answer

What is the point of Authenticator App 2FA when SMS fallback is enabled?

I would like to move away from SMS 2FA (because of "Should 2FA over SMS be considered insecure in the wake of recent SS7 attacks?", for example). But some services that provide Authenticator apps actually provide fallback mechanisms that go to SMS.…
1 vote, 1 answer

How does Google Authenticator interact with apps on an iPhone?

I am clear on how Google Authenticator works when logging on to a website and I am clear on that. However, these days everyone is using apps for everything. The Twitter app, the Facebook app, the Instagram app, etc., thus not bothering much for the…
Tasos
1 vote, 0 answers

Does producing TOTP tokens weaken the stored secret? How much?

I am using Google Authenticator as a second factor on some sites (including my Google Account). Every now and then I need to produce a token to log in. If some attacker received those tokens over time, would they become able to guess the internal…
Marcel
0 votes, 1 answer

Two factor verification apps iOS

I have an iPhone XR with the latest updates. I use Microsoft Authenticator for some 2-step verification for work-related stuff. Today I enabled the Instagram two-factor security option and chose the app authentication. This prompted me to download…
0 votes, 1 answer

How safe is my login system (conceptually)?

I implemented a 2FA authentication for a web app with PHP and Google Authenticator. In order to log in to my system there are a few steps: User types in a complex master password in order to access the login page. The request is throttled for only 1…