Group Actions
Engagement
  • Author Author: colporteur
  • Date Created: Date Created
  • Views 554 views
  • Likes 5 likes
  • Comments 5 comments
Related
Recommended

Authenticators share your experience with 2FA

colporteur

I recently needed an authenticator app to gain access to a security website. I looked at the three the website security vendor recommended for my phone. One I could use for free and the other two were free, only after I purchased a subscription that I could cancel.

The free authenticator app generated the numbers but didn’t work on the site. Back to tech support. They confessed to making an error in setting up my account. They corrected the problem and sent me a new link. I tried again to use the free authenticator app following the instructions the vendor provided, still it didn’t work.

image

Instead of going back to tech support, I branched out on my own and found authenticator software for Linux. I loaded Authenticator 3.32. The app generated codes but still failed to provide me with access to the site.

I then changed the provider option in the software to Amazon. I entered the 2FA token provided by the security website. The code generated by the authenticator passed authentication on the security website and it permitted me access.

What changed when I replaced the provider with Amazon? I’m going to assume it is the algorithm used to generate the codes.

I’m going off to do some research, but was hoping someone might have some insight or experience they will share.

  • in reply to colporteur

    Hi Sean,

    I think there's zero need to use a subscription app (it sounds like a scam, I've not heard of such apps requiring subscription, but perhaps I'm mistaken and it is legitimate). I've never used a paid authenticator app, always used the free one that was intended to be used with the service in question (i.e. it can vary; you may end up using more than one authenticator app if you're accessing different sites).

    As you say, often it provides a time-limited code, to prevent people copying codes down (I used to occasionally have to do that before the time-limited thing was popular! Not very secure, but that was before I used a smartphone..) because then there's the risk someone else may find and use the codes. 

  • in reply to shabaz

    My limited understanding is the authentication app (auth_app) is a software algorithm to generate codes given specific input variables. Two variables are time and the unique 2FA entry you enter manually or scan via QR code into the auth_app.

    I recall using token authenticators provided by work. Once fired up, you entered a code and it returned a numerical value (some hexidecimal) that you provided to the access system. I spoke to the tech’s that supported the system when they were first introduced to try to develop an understanding.

    The tech told me they entered the token ID number in the access system when they were activated, along with the value (key) provided to the client who will use them. The client was not supposed to share the key. The token had a crystal oscillator that generated a time value (for a lack of a better word) that was used in an algorithm along with the key to produce a code. A code should match the receiving system's code. The match had a stale date window of time it would work.

    If I transfer this learning to the auth_app it is not much different. I enter the code using QR or type it in and the auth_app every 30 sec’s generates a value. I’m assuming some sort of time is combined with the key value to produce the code.

    I’m not familiar with the Ubuntu Linux Authenticator software application. I discovered that the Provider entry works for a few tries and then doesn’t generate a code that works. If I select another provider value (i.e. Apple, Adobe ID, Amazon We Services ,,,,) it works again for a short while and then doesn’t.

    I have tried to access the security website from several different operating systems, to eliminate maybe browser issues. I have yet to get a code from the phone auth_app that works. The Linux app works for a few tries and then doesn’t.

    This is the first time I have had reason to use an authenticator app. I spoke to some friends that have them on their phones with lists of QR scanned token ID’s. Since they are not technically minded, engaging them in this type of discussion produces only blinking, staring eyes:)

    Maybe I would have better success if I used the subscription auth_app? I am critical of companies that charge me for a service and then force me to use another technology that I have to again pay for in order to access the service. You then get the marketing song and dance, we can change the fact they want to charge you.

    I find it frustrating to hear hey we got a problem. let’s use technology to solve it, without thinking of the total cost of ownership. That includes the user frustration.

    I figured the minds that frequent this site have a common theme of wanted to understand how things work. Thank you for your response.

  • in reply to shabaz

    (can't edit)

    When you selected a different provider (i.e. Amazon in your case), you used a completely different system to authenticate, completely separate servers, so if the other provider had an issue on any of their systems, you managed to completely bypass it when you used Amazon. This is despite you ultimately getting access to the original site you wanted (i.e. the security website that you mention).

  • in reply to shabaz

    (Can't edit). By "Two factor authentication doesn't specify an algorithm" I mean the term "two factor authentication" could use one of any number of different algorithms, so you can't mix-and-match different software to do it always. It can also be called "multi-factor authentication" if you're googling it. It's just an umbrella term, that doesn't specify the details.

  • Hi Sean,

    It's hard to know for sure precisely what happened since you mention it was a mistake in their account setup, but regarding this bit:

    "I then changed the provider option in the software to Amazon"

    That sounds like you're using "delegated authentication" where the site decides to trust you, _provided_ another (usually major) firm trusts you (trust isn't the correct word here, but it will do). You often have a choice of provider (not always, it is dependent on the site). By you selecting Amazon and logging in with them, then the original site you were using will trust you (because they can confirm directly with Amazon that Amazon was OK with you logging in with your Amazon account, presumably).

    Two factor authentication doesn't specify an algorithm, so it can differ, so usually specific software (or from a specific set) would need to be used. 

    Long story short, it's just a set of steps that help to make it less likely that someone who had stolen your credentials could impersonate you, because they would also have had to have stolen multiple credentials, or your mobile phone or whatever is being used for the other factor in 2FA.