Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Wando64

macrumors 68020
Original poster
Jul 11, 2013
2,371
3,161
One of the financial companies I deal with suggested I could be using two factor authentication, so i thought OK I have done this before, you get a text with a number, you type the number and... Bingo. Two factors authentication, right?
Well, not in this case. Apparently I need to install an Authenticator App (such as GA or Microsoft or Authy, etc...).
After googling a little I realised I must be the only person on the planet that has never heard of authenticator Apps, let alone used one.

OK, I understand the concept, but why? When most companies offer two factor authentication based on text messages, what is the purpose of an authenticator app?

What am I missing?
 
One of the financial companies I deal with suggested I could be using two factor authentication, so i thought OK I have done this before, you get a text with a number, you type the number and... Bingo. Two factors authentication, right?
Well, not in this case. Apparently I need to install an Authenticator App (such as GA or Microsoft or Authy, etc...).
After googling a little I realised I must be the only person on the planet that has never heard of authenticator Apps, let alone used one.

OK, I understand the concept, but why? When most companies offer two factor authentication based on text messages, what is the purpose of an authenticator app?

What am I missing?

2FA via SMS is horribly insecure and no one in their right mind would consider that a suitable method today.
 
SMS spoofing. Someone uses social engineering to get control of your number and the 2FA codes are sent to them instead of you. Also with an authenticator app you don't need connectivity to get a code.
 
  • Like
Reactions: Peter K.
2FA via SMS is horribly insecure and no one in their right mind would consider that a suitable method today.

SMS spoofing. Someone uses social engineering to get control of your number and the 2FA codes are sent to them instead of you. Also with an authenticator app you don't need connectivity to get a code.

Quite possibly SMS is insecure, but it is not my choice to implement it for two factor authentication.
This choice is made for me by the company I am dealing with.

As I said, I never used this method before, therefore can you please explain how do I chose to use an Authenticator App code if the company I am dealing with uses SMS 2FA? (e.g. Yahoo)

I have installed Microsoft Authenticator just to look at it and now when I try to log into Microsoft (OneDrive) it offers me the option to use Authenticator, but critically the option to use the password is still present. What is the point of that? That is not 2FA. It just gives me the option to use whichever method I prefer, one or the other instead of both together as it ought to be for proper 2FA.
EDIT: I have now resolved this. Even though I can use the passwor, it will still require authentication from the Authenticator App.

As a final comment, in response to not needing connectivity to get a code... frankly if I don’t have connectivity I wouldn’t know what to do with the code... so...
 
Last edited:
As a final comment, in response to not needing connectivity to get a code... frankly if I don’t have connectivity I wouldn’t know what to do with the code... so...

You're using a computer with a wired Internet connection and want to log into your Gmail account. You don't currently have a cellular or WiFi connection. Happened to me on a cruise. I could still log into with 2FA because I was using one time passwords from an authenticator app instead of a text message.
 
I had more time to look at this.
Whilst it is undeniable that it is a very convenient method of authenticating log-ins, I think that on balance this might not be quite right for me, save for some very specific cases (i.e. where nothing else is accepted).

The requirement for storing Recovery Codes else risking losing your access forever seems a step backwards, rather than innovation.

The hassle associated with the real possibility of losing your phone at any time seems huge.
Should you be so unfortunate as to lose both your phone and your Recovery Codes, you'd be truly in trouble.
Finally, it is recommended that Recovery Codes should be printed (!) and stored safely, possibly in a fire proof safe.
On which planet this is a secure method of protecting access to your data?

I don't know, maybe I will change my mind in time, but for now I think I'll stick to SMS messages.

Obviously Banks' own authenticating Apps are a different thing altogether as they are never your only way to gain access to your funds. The ultimate proof of your identity is your Passport or ID card.
 
  • Like
Reactions: eltoslightfoot
I had more time to look at this.
Whilst it is undeniable that it is a very convenient method of authenticating log-ins, I think that on balance this might not be quite right for me, save for some very specific cases (i.e. where nothing else is accepted).

The requirement for storing Recovery Codes else risking losing your access forever seems a step backwards, rather than innovation.

The hassle associated with the real possibility of losing your phone at any time seems huge.
Should you be so unfortunate as to lose both your phone and your Recovery Codes, you'd be truly in trouble.
Finally, it is recommended that Recovery Codes should be printed (!) and stored safely, possibly in a fire proof safe.
On which planet this is a secure method of protecting access to your data?

I don't know, maybe I will change my mind in time, but for now I think I'll stick to SMS messages.

Obviously Banks' own authenticating Apps are a different thing altogether as they are never your only way to gain access to your funds. The ultimate proof of your identity is your Passport or ID card.

A lot of places let you store recovery codes *and* specify a list of trusted phone numbers that can also receive one time passwords. For my Google account I have several loved one's numbers listed and I have saved 10 backup codes. I store my backup codes in 1Password, which is backed up online. If I lost my phone and lost my backup codes and couldn't reach any of my loved ones I could still get to my backup codes from 1Password on my Mac or iPad.
 
  • Like
Reactions: Wando64
A lot of places let you store recovery codes *and* specify a list of trusted phone numbers that can also receive one time passwords. For my Google account I have several loved one's numbers listed and I have saved 10 backup codes. I store my backup codes in 1Password, which is backed up online. If I lost my phone and lost my backup codes and couldn't reach any of my loved ones I could still get to my backup codes from 1Password on my Mac or iPad.
That’s a good point.
I use keychain as my password manager and that is backed up to iCloud and therefore replicated to all of my devices.

mmmm...
 
I use Authy as it syncs between devices and the codes can be backed up in case you need to restore your phone. At the time I switched to it, the standard Google Authenticator didn't do this - it might now.

Most banks in Europe use sms. One day, my phone lost connection and I used a friend's to contact my mobile provider. Apparently my sim card was cancelled because I had declared it lost and ordered a replacement., Nope! Nothing to do with me. So they re-activated my existing one and cancelled the order. I can only assume someone tried to get one under my name after which they'd use it to try and hack various online accounts. Always regard a faulty/disabled sim card as a serious issue.
 
Always regard a faulty/disabled sim card as a serious issue.

I completely agree, however the password is always required as well as the SMS authentication.
The likelihood of someone obtaining both in close sequence is rather small.
 
  • Like
Reactions: adrianlondon
I use Authy as it syncs between devices and the codes can be backed up in case you need to restore your phone. At the time I switched to it, the standard Google Authenticator didn't do this - it might now.

Most banks in Europe use sms. One day, my phone lost connection and I used a friend's to contact my mobile provider. Apparently my sim card was cancelled because I had declared it lost and ordered a replacement., Nope! Nothing to do with me. So they re-activated my existing one and cancelled the order. I can only assume someone tried to get one under my name after which they'd use it to try and hack various online accounts. Always regard a faulty/disabled sim card as a serious issue.
Thank you for the suggestion of Authy. It solves the biggest problem with these freaking programs. WHAT IF YOU LOSE YOUR PHONE? And you have no backup codes?
 
  • Like
Reactions: adrianlondon
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.