Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to
Losing your 2FA codes can be bad. Having backups stolen can be worse. What to do? …
Last year, Sergio Caltagirone found himself in a tough spot. While traveling, his phone broke and stopped working completely. With no access to his Google and Microsoft authenticator apps, he lost access to two-factor authentication when he needed it most—when he was logging in from IP addresses not recognized by the 30 to 40 sites he had enrolled.
“I had a whole bunch of sites [that] I had to go through a massively long account restoration process because I lost my 2FA,” said Caltagirone, who is senior VP of threat intelligence at security firm Dragos. “Every time, I had to contact customer service. I had different levels of requirements I had to go through for them to effectively disable 2FA on my account. Some required address verification. [For others,] I had to send a last bill. The number of those I went through was just insane.”
Thin blades
The experience shows the double-edged sword of multi-factor authentication. Requiring users to enter a password that’s pseudorandomly generated every 30 seconds makes account takeovers significantly harder, even when an attacker has phished or otherwise obtained the password. But in the event that second factor (in this case, the “something you have,” that is, the phone) isn’t available, that same protection can block legitimate users from logging in for unacceptably long periods of time.
When Caltagirone relayed his experience last September, a quick survey of the available consumer and small-business authenticators left much to be desired. Only a few of them made it possible to