What is an Authenticator App?

An Authenticator App is a software application designed to enhance account security by generating time-sensitive passcodes used alongside traditional passwords. It's commonly used for two-factor authentication (2FA), adding an extra layer of security by requiring two forms of verification to access an account, e.g. something you know (your password) and something you have (a code generated by the app).

---

Authenticator apps operate by creating one-time passcodes (OTPs) based on a secret key and the current time. These passcodes refresh frequently (e.g. every 30 seconds), providing a dynamic security measure that is hard to intercept or replicate. Here’s a deeper exploration:

• Setup: The user scans a QR code provided by the online service, linking the app with the account.
• Operation: Each time a user logs in, the app generates a new one-time passcode that must be entered in conjunction with the user's regular login credentials.
• Security: The passcode is only valid for a short window, enhancing security and reducing the risk of unauthorized access.

• Enhanced Security: By requiring a passcode in addition to a password, authenticator apps make it much harder for attackers to gain unauthorized access.
• Convenience: Passcodes can be generated with smartphones, allowing for flexibility in authentication.
• Versatility: Many services support authenticator apps, making them a universal tool for securing various online accounts.
• Cheap: Unlike other MFA methods, such as SMS OTP, authenticator apps and the TOTPs they produce do not rely on services like operators where you have to pay transactional fees e.g. for SMS.

---

• Authenticator apps are considered highly secure as they generate passcodes that expire quickly and are only valid for single use, reducing the risk of theft or reuse.

• Losing your device can be mitigated by backup options such as recovery codes or the ability to transfer the authentication service to a new device, usually by re-authenticating the services.

• Alternatives include SMS-based verification, email verification, passkeys or hardware tokens like YubiKeys, each with its own security considerations.

• Most authenticator apps allow you to transfer your credentials to a new device by re-scanning the QR codes from your online accounts into the app on your new phone.