Phenquestions
When it comes to iOS, open-source apps are something of a rarity but that doesn't mean they don't exist.
If you're looking for an alternative for Google Authenticator, Microsoft Authenticator, LastPass Authenticator, or Authy, you may want to give Authenticator a chance.
Authenticator for iOS
Why? Do you really want to hand over the two-factor authentication process to these big companies or proprietary software?
This is a TOTP (time-based one-time password) app and does not require an Internet connection because of that. The app is probably one of the simplest that you will come across in the niche; it just has the option to add/remove accounts and that is about it.
Well, the only other option that is available is the "Digit Grouping". You can either choose to display the codes in 3 x 2-digit pair groups, or 2 x 3-digit groups. Once you have installed Authenticator on your iPhone or iPad, you will see a nearly blank screen with a few buttons on start.
Adding an account to Authenticator
Authenticator supports adding accounts using QR codes and manually adding accounts.
Refer to your email/social network account's website to set up 2-step verification. Once you get to the page where you are asked to scan a "QR code", run Authenticator and tap on the + button to add an account. Point the camera to the QR code on the computer's screen.
The app should add the account, and display the 6-digit code for it on the screen. Now, most websites which you're setting up 2-step authentication for will require you to enter the TOTP to confirm that it has been configured correctly.
Manually setting up 2FA tokens:
Tap on the plus button, and then on the edit button (note and pencil icon) on the top and you will see a screen which asks for the following:
- Issuer (website's name)
- Account name ([email protected])
- Secret Key
You can obtain the secret key for your account from its associated website. You can set TOTP or Counter based tokens, and set it to 6, 7 or 8 digits, SHA-1, SHA-256 or SHA-512.
Where it lacks and shines
Personally, I would have liked it if the app asked me for a PIN code or password to unlock the 2FA database. An extra layer of security is always a good idea even if it would rely on TouchID or the device's PIN.
You may reduce the issue by setting the screen timeout to the minimum and not the 2-minute default on iOS.
On the bright side, it does not store your 2FA tokens in the cloud in any form. There is no way to backup (or export) your tokens on the other hand. And the fact that Authenticator is open source, unlike nearly every iOS 2-factor authentication app out there, makes it priceless in my opinion.
A 2-step verification enabled account is nearly hacker-proof, read Martin's article for more information.
Here's some advice regarding 2FA apps.
- Use an open source app whenever possible.
- Do not use SMS based 2-factor verification systems (I think Yahoo still uses this) as the text message protocol is not secure.
- Use an app which works completely offline if possible; this is not only better as it will work in regions with bad Internet reception or if the mobile provider has issues, it is also better for security as you eliminate transfers and don't risk losing access to accounts if you lose your phone or device.
- It is not a good idea to use the password manager for 2FA as well if the manager supports it as you would put all eggs in a basket. At the very least, make sure you're using separate databases for your 2FAs and passwords. But I'd use separate apps for 2FA and passwords. In case of cloud-based password managers that also support 2FA, think about it. If the password database or service is breached, so is your 2FA.
- Always have backup or recovery codes at hand in case something goes terribly wrong. Most services support these during creation.
Now You: Do you use two-factor authentication apps?
