Multi-Factor Authentication Apps
Updated by Sally Robinson
How do authenticator apps work?
Authenticator apps create time-based, one-time passcodes (TOTP or OTP) that can be used for multi-factor authentication. They function by storing a secret key provided by the service you wish to access and utilising it to generate a six- to eight-digit code that changes every 30-60 seconds.
Identity utilises the same process to build a code based on the current time and secret key, which it then compares to the code from your app. If the codes match, you will be granted access.
As the code is produced using the current time and a shared secret key, it is unique and only valid once, making it more secure than typical static passwords. This improves the security and convenience of logging in to an application.
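The generate-and-compare process described above, as an added example in Python following RFC 6238 (not code from Identity or from any of the apps listed). The HMAC-SHA1 default, the one-step clock-drift window and the `Verifier` class are assumptions; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key (public test vector, never a real secret), base32 as in a QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the code for the time step containing `at` (Unix seconds)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: recompute the code, compare, and refuse reuse."""

    def __init__(self, secret_b32, step=30, digits=6, drift=1):
        self.secret, self.step = secret_b32, step
        self.digits, self.drift = digits, drift
        self.last_counter = -1  # highest time step already accepted

    def check(self, code, at=None):
        now = int(time.time() if at is None else at)
        current = now // self.step
        # Accept neighbouring steps so a slightly wrong phone clock still works.
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: reject replays
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = Verifier(SECRET)
    code = totp(SECRET)
    print(code, server.check(code), server.check(code))
```

Tracking the last accepted time step is what makes a code valid only once; without it, a captured code could be replayed until its window closes.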
What authenticator app should I use?
You can use any authenticator app you choose. Your organisation might have a preferred one, so check with them first. These are some popular options.

| App | Encryption | Platforms | Cloud backup | Offline support | Benefits |
| --- | --- | --- | --- | --- | --- |
| 2FAS | All your data is safely stored offline on your device. If you're using cloud sync, the communication between your phone and your cloud backup or browser is end-to-end encrypted by default. | Android, iOS, and browser extension | Yes | Yes | + Simple and easy to use + Encrypted cloud backups to iCloud or Google Drive |
| Authy by Twilio | Stores an encrypted copy of your accounts in the cloud. The account is encrypted/decrypted inside your phone so neither Authy nor anyone affiliated with Authy has access to your accounts. | Android, iOS, Windows, macOS, Linux | Yes | Yes | + The encrypted cloud backup means only you can ever access your information - Requires you to enter your phone number so it's not as independent as the other app options |
| Google Authenticator | Not end-to-end encrypted when connected to your Google account. You can use it offline for more secure encryption. | Android, iOS, Chrome | Yes | Yes | + Connects to your existing Google account + Can use alongside Google Password Manager |
| Microsoft Authenticator | Passwords in the cloud are encrypted and decrypted only when they reach your device. | Android, iOS | Yes | Yes | + Connects to your Microsoft account + Includes a lot of extras, including password management, verified IDs, addresses and payment card information + Backs up in the cloud if you turn on account recovery |
What happens if I change or lose my phone?
This depends on which authenticator app you're using. Some apps have cloud backups allowing you to recover your MFA accounts. Some will only let you transfer MFA accounts if you have access to your old phone and new phone together.
If you need to change your MFA settings to set up a new authenticator app, please contact your Identity administrator who can reset this for you. The next time you log in, you will be taken through the steps for 'Logging in for the first time' after MFA is turned on again.
By the way, if you use an authenticator app with cloud backup on an iPhone, you won't be able to transfer your MFA accounts to an Android phone.
What happens if the code from the app doesn't work?
If you're setting up MFA for the first time, you might have accidentally entered an incorrect code. Delete the account in your authenticator app, re-scan the QR code to create a new account in the app, then enter the new code.
If you have used MFA to log in before, wait for a new code to be generated and try again. Authenticator apps create a new code every 30 or 60 seconds.