What Is Google Authenticator and How Does It Work to Secure Your Accounts?

Google Authenticator

We've talked time and again about how important it is to secure your accounts with strong, unique passwords. Nowadays, cybercriminals have access to automated tools that can make millions of guesses, and if your password isn't random and long enough, they will be able to break into your account in a matter of seconds. Unfortunately, having strong passwords isn't enough sometimes.

The problem lies with the fact that in some cases, the hackers don't need to guess the password. Sometimes, they can just steal it from a database that hasn't been secured properly, or they can phish it out of you. Fortunately, we have a system that gives you another layer of protection in case something like this happens. It's called Two-Factor Authentication (often abbreviated as 2FA).

How does Two-Factor Authentication work?

The idea of Two-Factor Authentication is that the combination of a username and a password isn't sufficient to give you (or an attacker) access to your account. In most cases, the system requires an additional code, especially when the login attempt is coming from an unrecognized device. This isn't just a code that you memorize, though. If it's stored somewhere, be it in your brain or in a database, it would be susceptible to brute-force and phishing attacks, and that would defeat its purpose. The code used during the 2FA process is temporary and works for a limited period of time.

The delivery mechanisms for temporary 2FA codes

When the concept of 2FA made its way to the online world back in the early 2000's, it was initially employed by financial institutions only, and it relied on hardware devices with an LED display which gave users their temporary codes. Although they exist to this day, hardware tokens still aren't widely adopted, and you can probably see why. First of all, it's one more thing you need to carry around and be careful not to lose, which, in itself, is a bit of a nuisance. And while there has been some standardization, in the beginning, every single institution supported its own device which meant that early adopters had quite a few tokens to put on their keychains.

Fortunately, a few years later, smartphones caught on, and vendors quickly found a way of integrating them into their 2FA systems. Apps like Google Authenticator appeared which significantly improved the user experience.

How does Google Authenticator work?

The main advantage is that Google Authenticator resides on your phone, and you always have your phone on or near you. Available for Android and iOS, the app can be downloaded and installed in minutes, and once set up, it doesn't need an Internet connection to work. The second plus is that Google worked hard to make it easy for developers to implement the Authenticator app into their systems, which means that more and more services are adopting it. Last but definitely not least, it's also easy to set it up as a 2FA token.

Needless to say, the steps differ from service to service, but it's fair to say that the process is relatively simple. In most cases, after turning on Two-Factor Authentication, the service will ask you whether you'd like to receive your temporary code via text message, email, or whether you want to use Google Authenticator to generate it. When you choose the Google Authenticator option, you'll likely need to scan a QR code, and the app will generate its first code to ensure that everything's working. When the code is confirmed, Google Authenticator is configured and ready to go.

When you need to use the app, you just open it, and you see 2FA codes for all the services you've connected to it. These codes change every thirty seconds, and there's an indicator telling you when the current ones are about to expire.

Should you use Google Authenticator

In a word, yes. You should use any sort of Two-Factor Authentication system that's available to you. Google Authenticator is one of the options, and it's arguably the most convenient one.

Don't be fooled into thinking that it's infallible. Security researchers have been looking for (and finding) ways of defeating Two-Factor Authentication systems. The truth is, however, it's the best form of additional protection we have at the moment, and leaving it disabled is just plain wrong.

May 25, 2018