Hands On With Google And Microsoft Authenticator Apps

One of the primary vehicles used by bad guys to access our systems is stealing log-in credentials in order to impersonate real users. All the security processes and tools in the world are circumvented when someone has your username and password. That's where two-factor authentication (2FA) comes into play. 2FA works by adding another authentication challenge to the equation: it's not just about what you know (your password), it's also about something you have. That's where the authenticator apps from Microsoft and Google come in.

2FA isn't new. I was using it back in the 1990s with an RSA SecurID token. That was before we had smartphones, and the system worked well, although the complexity involved in setting it up meant only well-resourced organisations could use it. But today, different forms of 2FA are widely available for consumer services as well as corporate systems.

I installed both the Microsoft Authenticator and Google Authenticator on an iPhone 7 Plus running iOS 10.3.2 (the most recent version currently available).

Microsoft Authenticator

I'm an Office 365 subscriber and have had a Microsoft account since the days when Messenger was cool. That account has been used to set up the various Windows 10 systems I use as well as Skype.

When logging in to Microsoft services, I have the option to either use my password or to use Authenticator (both Google and Microsoft call their app Authenticator; thankfully they have very different icons).

Two different things can happen when I log into services that rely on my Microsoft account. Sometimes a request appears on my iPhone, asking me to approve a log-in by using TouchID. Other times, a two-digit number is displayed on the computer I'm using to access the Microsoft service. The app displays a list of three two-digit numbers and I have to choose the matching number before providing TouchID with a fingerprint.

Interestingly, Microsoft Authenticator also displays an eight-digit number that can be used as the second authentication factor. However, in several weeks of using the app, I've never been prompted to provide it.

If you have multiple Microsoft accounts, such as one for personal use and one for work, then you can add multiple accounts to the app.

Google Authenticator

Google Authenticator takes a more traditional approach to 2FA. It provides a six-digit code that changes every minute. When you log into a Google service using your password (the app supports multiple Google accounts), you are asked to provide the code. It effectively turns my iPhone into a security token.

Adding 2FA to your Google account is straightforward. When you enable it through your account settings, you are provided with a barcode that can be scanned by the Google Authenticator app or a code you can type in that links the device to your Google account. The process is seamless and only takes a few minutes to complete.

The problem of 2FA

One of the obvious issues with 2FA is what to do if you lose your smartphone. Fortunately, there are account recovery processes that you can employ with Microsoft and Google so you can connect to your account.

Using 2FA, if it's new to you, requires an adjustment. The days of quickly tapping in a password to access an account or service are behind you. I found that Microsoft's two-step approach, matching the two-digit number and then providing my fingerprint, required an adjustment on my part, as it made logging in a longer process.

Google's approach, of simply requesting the code, works more easily, but I like Microsoft's approach of using a biometric as a second level of identification.

But, for now, that's the price of better account security.

2FA is a fact of life

Until we find newer, easier ways to prove identity, systems such as the Google and Microsoft authenticator apps, and Apple's approach of sending a one-time code to an authorised device, are probably the best way to widely deploy 2FA or multi-step authentication.

Where it's available, I strongly advise using 2FA. And both of these apps work well.


Comments

    2FA has saved my accounts on multiple occasions. Primarily Google and Authy.

    Google has a quick access authentication for google services as well where you get a prompt on your phone to allow access (rather than using the six digit number).

    You also didn't mention if the 2FA can be used for other services (ie not just Microsoft or Google). I use google 2FA for Dropbox, Amazon etc as well.

    After destroying a phone and being unable to use or recover my Google Authenticator, I've switched over to Authy because of its secure cloud backups.

    I have a few 2-factor things going on depending on which account I am using. I have a Google, Microsoft and LastPass all set to provide me codes in the Authenticator app (although I use Authy rather than the Google Authenticator). I rarely use it though.

    - My personal Google account is set up to prompt me through my android phone and I just have to click 'YES'.
    - My work Google account sends me an SMS with the authentication code which I type in to the browser. I actually find this more convenient, as the SMS gets shown on my smartwatch (and my PC through Pushbullet if I'm on a PC with that set up), so I don't even have to take out my phone to see the code to type in.
    - My Microsoft account also sends me an SMS, though I have to confirm the last four digits of my phone number every time, and Microsoft shows me the last two digits, which I find weird.
    - My LastPass account is set up through work, so the 2FA method is fixed as having to use the code from Authy. I find this least convenient as I have to dig my phone out, find the Authy app, select the account and then type in the code.
    - My Steam account sends me a notification in the Steam app with the 2FA code. Again, super convenient because it appears on my smartwatch/Pushbullet, but it does mean I have to have the Steam app installed on my phone.
    - Commonwealth Bank sends me codes to confirm when I try to send money to a new account for example. They are sent as a notification through the Commbank app, or SMS if that hasn't been set up. Again, super convenient.
    - I also have the occasional account that will send 2FA codes via email, and I dislike how I have to then switch to an email client and/or wait some time for the email to come through (it's usually quick, but rarely as instant as a push notification or SMS).

    In conclusion, my preference is towards notifications of 2FA codes at the moment, because I have things set up to easily see notifications from my phone on my smartwatch or on a PC through Pushbullet. I prefer SMS so I don't have to install apps like Steam for example just to get the codes, though in the case of things like Commbank I would have the app installed anyway.
    I've also noticed when using my Microsoft or Google account on my phone, often it can automatically pass the 2FA step for me when the SMS with the code is received.

    The only way I could see 2FA as being any more convenient would be being able to do something like Google's just press yes thing on my smartwatch (I have a Pebble, so I doubt that will happen unless there's an actionable notification. Maybe on Android Wear though?), or if the phone was paired with the device I was authenticating on and passed the information along automatically.
    Sometimes I also wish I could use the 2FA methods as a single factor, avoiding the use of a password altogether.
