One of the primary vehicles used by bad guys to access our systems is stealing log-in credentials in order to impersonate real users. All the security processes and tools in the world are circumvented when someone has your username and password. That’s where two-factor authentication (2FA) comes into play. 2FA works by adding another authentication challenge to the equation. It’s not just about something you know (your password); it’s also about something you have. That’s where the authenticator apps from Microsoft and Google come into play.
2FA isn’t new. I was using it back in the 1990s with an RSA SecurID token. That was before we had smartphones, and the system worked well, although the complexity involved in setting it up meant only well-resourced organisations could use it. But today, different forms of 2FA are widely available for consumer services as well as corporate systems.
I installed both the Microsoft Authenticator and Google Authenticator on an iPhone 7 Plus running iOS 10.3.2 (the most recent version currently available).
I’m an Office 365 subscriber and have had a Microsoft account since the days when Messenger was cool. That account has been used to set up the various Windows 10 systems I use as well as Skype.
When logging in to Microsoft services, I have an option to either use my password or to use Authenticator (both Google and Microsoft call their app Authenticator – thankfully they have very different icons).
Two different things can happen when I log into services that rely on my Microsoft account. Sometimes a request appears on my iPhone, asking me to approve a log-in by using TouchID. Other times, a two-digit number is displayed on the computer I’m using to access the Microsoft service. The app displays a list of three two-digit numbers and I have to choose the matching number before providing TouchID with a fingerprint.
Interestingly, Microsoft Authenticator also displays an eight-digit number that can be used as the second authentication factor. However, in several weeks of using the app, I’ve never been prompted to provide it.
If you have multiple Microsoft accounts, such as one for personal use and one for work, then you can add multiple accounts to the app.
Google Authenticator takes a more traditional approach to 2FA. It provides a six-digit code that changes every minute. When you log into a Google service using your password – the app supports multiple Google accounts – you are asked to provide the code. It effectively makes my iPhone into a security token.
Adding 2FA to your Google account is straightforward. When you enable it through your account settings, you are provided with a barcode that can be scanned by the Google Authenticator app or a code you can type in that links the device to your Google account. The process is seamless and only takes a few minutes to complete.
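Added example, not part of the original article: the six-digit codes described above are time-based one-time passwords (TOTP, RFC 6238) derived from the shared secret carried in the enrolment barcode or typed-in code. The sketch shows code generation and a server-side check with clock-drift tolerance and replay rejection; the function names, the sample secret (the RFC 6238 test key) and the 30-second default step (the RFC's default, passed as a parameter) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded the
# way an authenticator's "type this code in" enrolment string is.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, step=30, digits=6):
    """Return the RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    # Typed-in secrets are often shown in lowercase groups separated by spaces.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at, last_counter=-1, step=30, drift=1):
    """Server-side check. Returns the matched counter, or None on failure.

    Accepts codes within `drift` steps of `at` to tolerate clock skew, and
    rejects any counter <= last_counter so a captured code cannot be replayed.
    """
    current = int(at) // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret_b32, counter * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    used = verify(SAMPLE_SECRET_B32, code, now)
    print("code:", code, "accepted at counter:", used)
    print("replay:", verify(SAMPLE_SECRET_B32, code, now, last_counter=used))
```

The service stores the counter returned by `verify` per account and passes it back as `last_counter` on the next log-in, which is what makes each code single-use.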
The problem of 2FA
One of the obvious issues with 2FA is what to do if you lose your smartphone. Fortunately, there are account recovery processes that you can employ with Microsoft and Google so you can connect to your account.
Using 2FA, if it’s new to you, requires an adjustment. The days of quickly tapping in a password to access an account or service are behind you. I found that Microsoft’s two-step approach, matching the two-digit number and then providing my fingerprint, required an adjustment on my part as it made logging in a longer process.
Google’s approach of simply requesting the code works more easily, but I like Microsoft’s approach of using a biometric as a second level of identification.
But, for now, that’s the price of better account security.
2FA is a fact of life
Until we find newer, easier ways to prove identity, systems such as the Google and Microsoft authenticator apps, and Apple’s approach of sending a one-time code to an authorised device, are probably the best way to widely deploy 2FA or multi-step authentication.
Where it’s available, I strongly advise using 2FA. And both of these apps work well.