
To not understand how an authenticator app adds extra security?

26 replies

milkandbread · 09/06/2023 09:20

I've logged into a website account and used an authenticator app for the first time today. AIBU to think that this doesn't actually add an extra layer of security?

You log in with your usual username and password. Then use the authenticator app on your phone to scan a QR code, which generates a verification code.

But surely anyone who had gained access to my username and password could have done the same thing with their mobile phone using any authenticator app?

There is no link between my mobile number and the website account.

Think I must be missing something?

OP posts:
Sissynova · 09/06/2023 09:32

You log in with your usual username and password.

You aren't supposed to have the same username and password for everything.

Whataretheodds · 09/06/2023 09:37

How did you set up the authenticator app in the first place?

milkandbread · 09/06/2023 10:02

To answer, I do have a unique username and password for each account; by 'usual' I meant the usual one for this specific website.

Added the Microsoft app onto my iPhone.

Went to 'Add Account' and 'Other' and this went straight to the QR scan page - scanned the website QR code, which then added the website account to my authenticator app.

What I don't understand is what is to stop anyone doing the same, so long as they have the username and password, they can access the website account and authenticate.

The website cannot therefore be sure that this is a genuine user and so, how does it add a layer of security?

In other methods a website might send a code to a mobile phone number or an email (both verified when the website account is first set up ).

The app just spits out a QR code, there is no verification that this mobile number is linked to the website account, if you know what I mean?

OP posts:
TheSnowyOwl · 09/06/2023 10:04

My authenticator app works on facial recognition and is an extra layer of security.

Frabbits · 09/06/2023 10:06

You set up an account for say your bank with a secure, unique set of login details.

You then link that up to your phone using a different set of credentials.

Now, to login you need to know both your login details and you need to have your phone as well, so even if someone gets hold of your username and password unless they have access to your phone as well - which presumably is set up with decent security - having your digital banking details is useless.

So of course it's more secure.

YouveGotAFastCar · 09/06/2023 10:08

Your Authenticator is linked to your account. So they wouldn’t be able to add another without removing yours; and they couldn’t remove yours without having access to your actual phone to get the code…

MintJulia · 09/06/2023 10:08

They assume that you are you, when you set up the app in the first place. In future, anyone wishing to access your account will have to steal your mobile phone and bypass phone security, as well as know your user ID & password.
It protects you against hackers but, you are right, it does not prove you are you at the start.

Blossomtoes · 09/06/2023 10:10

TheSnowyOwl · 09/06/2023 10:04

My authenticator app works on facial recognition and is an extra layer of security.

This.

PinkSparklyPussyCat · 09/06/2023 10:13

We have to use it for work. We log in and have to enter a code into the app. I don't see how it's that secure as DH could easily log in if he wanted to as he knows the pin to my phone as we have to use our personal phones for this.

titchy · 09/06/2023 10:17

PinkSparklyPussyCat · 09/06/2023 10:13

We have to use it for work. We log in and have to enter a code into the app. I don't see how it's that secure as DH could easily log in if he wanted to as he knows the pin to my phone as we have to use our personal phones for this.

Presumably you can trust your dh though. A scammer wouldn't have access to your mobile so of course it's an extra layer of security. Pain in the neck though!

PinkSparklyPussyCat · 09/06/2023 10:26

titchy · 09/06/2023 10:17

Presumably you can trust your dh though. A scammer wouldn't have access to your mobile so of course it's an extra layer of security. Pain in the neck though!

I do, but I wonder if everyone across the company has a pin on their phone? I never used to bother until I started using banking apps.

Paperbagsaremine · 09/06/2023 10:26

OP, normally what happens is:
You go to set up an account with say sellmestuff.com
You set up a user name and password and then they get you to scan a QR code with the authenticator app on your phone. The QR code holds a secret value that is unique to your account and that your phone knows. The website doesn't keep a copy of this value once it's passed it to you - it just keeps enough information so that it can confirm you're using the right value.

Then when you go to log in later, you provide your username, password, and the current code that the authenticator app generates from that secret value and the current time to log in.
This means if someone has your username and password they still cannot log in as you; even if they have an authenticator code from your phone from a few minutes ago as well, they still can't log in as you.
They must have username, password, and the current code generated for that account by your phone's authenticator app.
So as long as you keep your phone secure, even if someone has your username and password, they can't log in as you.

I'm not sure from what you posted, but is this a website that doesn't give you that QR code just when you set up the account, but every time you log in it gives you a new QR code?
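To make the mechanism in the post above concrete, here is a small added example (not code from the thread, and not any authenticator vendor's code) that walks through RFC 6238 TOTP: what the enrolment QR code actually carries, how the six-digit code is derived from the shared secret plus the current 30-second time step, and why a code captured a few minutes earlier is rejected. The `otpauth://` URI, the `sellmestuff.com` issuer and the account name are constructed for the example; the secret is the published RFC 6238 test key, so the codes below can be checked against the RFC's own vectors. Note that in real TOTP deployments the server keeps the same shared secret the phone has, which is why the enrolment step (scanning the QR code) is the moment that must be protected.

```python
"""Toy TOTP (RFC 6238) walkthrough: what the QR code carries, and why
a stale code is rejected.  Added example, not code from the thread."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed enrolment URI of the kind encoded in the setup QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32;
# issuer and account name are made up for this example.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/sellmestuff.com:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=sellmestuff.com"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return the enrolment parameters an authenticator app stores from the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],                      # the shared secret, base32
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),     # seconds per time step
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, int(unix_time) // period, digits)


def verify_totp(secret_b32, submitted, unix_time, period=30, digits=6, window=1):
    """Server-side check.  Accepts the current step plus `window` steps either
    side to absorb clock skew; anything older falls outside the window."""
    counter = int(unix_time) // period
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Constant-time compare, and no early return, so timing does not
        # reveal which step (if any) matched.
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("QR code carries:", params)
    now = 1111111109                      # RFC 6238 test time
    code = totp(params["secret"], now)
    print("code at", now, "->", code)
    print("accepted 2s later  :", verify_totp(params["secret"], code, now + 2))
    print("accepted 10min later:", verify_totp(params["secret"], code, now + 600))
```

The `window` parameter is the usual compromise: a window of one step each side tolerates a phone clock that is up to about 30 seconds off, while still making a code observed ten minutes earlier useless. Anyone who only holds the username and password, but not the secret from the QR code, cannot compute the current value at all.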

Frabbits · 09/06/2023 10:27

PinkSparklyPussyCat · 09/06/2023 10:26

I do, but I wonder if everyone across the company has a pin on their phone? I never used to bother until I started using banking apps.

Anyone with a grain of sense has security set up on their phone. No accounting for idiots who don't.

PinkSparklyPussyCat · 09/06/2023 10:37

Frabbits · 09/06/2023 10:27

Anyone with a grain of sense has security set up on their phone. No accounting for idiots who don't.

Well yes, but if the company expects us to use our personal phones for work purposes there may be a risk because it's not down to them to say what security we have.

Paperbagsaremine · 09/06/2023 10:47

PinkSparklyPussyCat · 09/06/2023 10:37

Well yes, but if the company expects us to use our personal phones for work purposes there may be a risk because it's not down to them to say what security we have.

My old company wanted us to use a phone app authenticator, but I pointed out I'd dropped my phone twice in six months on the way to work and requested a standalone dongle (which I normally kept in my locked work desk) instead.
As there is no guarantee someone has a smartphone, most companies should be able to do this.

araiwa · 09/06/2023 10:50

PinkSparklyPussyCat · 09/06/2023 10:13

We have to use it for work. We log in and have to enter a code into the app. I don't see how it's that secure as DH could easily log in if he wanted to as he knows the pin to my phone as we have to use our personal phones for this.

Does your dh know your id and password for your work system too?

SaladBarNanny · 09/06/2023 10:50

Well yes, but if the company expects us to use our personal phones for work purposes there may be a risk because it's not down to them to say what security we have.

If you use your phone for work they can (and should) mandate minimum security measures. Any sensible company will have a BYOD policy with stipulations about passwords etc. If you don't abide by their requirements and you cause a security issue e.g. by losing your unlocked phone, that's a disciplinary matter.

lieselotte · 09/06/2023 10:57

PinkSparklyPussyCat · 09/06/2023 10:26

I do, but I wonder if everyone across the company has a pin on their phone? I never used to bother until I started using banking apps.

I imagine most people have a PIN but I do wonder if people turn off the notifications so they don't show on the locked homescreen (I did that after the case of the woman whose phone was stolen in the Virgin Active gym last year).

lieselotte · 09/06/2023 10:58

SaladBarNanny · 09/06/2023 10:50

Well yes, but if the company expects us to use our personal phones for work purposes there may be a risk because it's not down to them to say what security we have.

If you use your phone for work they can (and should) mandate minimum security measures. Any sensible company will have a BYOD policy with stipulations about passwords etc. If you don't abide by their requirements and you cause a security issue e.g. by losing your unlocked phone, that's a disciplinary matter.

I don't really see how they can mandate that you use your own phone and that you comply with security requirements.

They need to provide a phone that complies with security requirements.

However, it would need to be considered by an employment tribunal.

Reugny · 09/06/2023 11:01

PinkSparklyPussyCat · 09/06/2023 10:26

I do, but I wonder if everyone across the company has a pin on their phone? I never used to bother until I started using banking apps.

Your company security policy which you should have signed should state that all devices, including personal ones, and logins used for work purposes should have certain levels of security e.g. password protection.

The last one I had to sign stipulated what length of passwords I needed to use for my accounts.

JC89 · 09/06/2023 11:04

The QR code is normally just for first time setup, any future time you log in it will ask you for the code which will only appear on your phone. It shouldn't be offering another QR code unless you have already logged in (using the code on your phone) and are trying to set up another device.

SaladBarNanny · 09/06/2023 11:08

**I don't really see how they can mandate that you use your own phone and that you comply with security requirements.

They need to provide a phone that complies with security requirements.

However, it would need to be considered by an employment tribunal.**

Yes, it's one or the other. If you need a phone you can choose to use your own, abiding by the company's security requirements. Or they can provide one for you. Many companies offer the first option (cheaper for them) and it's popular with employees because they don't need to juggle multiple phones. Abiding by the security requirements is the price you pay for convenience.

Most places I've worked, I haven't had to do anything security-wise that I don't already do on my own phone anyway - who doesn't use a PIN these days? Sharing your password with a friend or family member is absolutely a security risk that a company would ask you not to do. Of course they'd only ever find out if something bad happened as a result of your sharing your password! But in that scenario the blame lies with the employee 100%.

PinkSparklyPussyCat · 09/06/2023 11:23

SaladBarNanny · 09/06/2023 11:08

**I don't really see how they can mandate that you use your own phone and that you comply with security requirements.

They need to provide a phone that complies with security requirements.

However, it would need to be considered by an employment tribunal.**

Yes, it's one or the other. If you need a phone you can choose to use your own, abiding by the company's security requirements. Or they can provide one for you. Many companies offer the first option (cheaper for them) and it's popular with employees because they don't need to juggle multiple phones. Abiding by the security requirements is the price you pay for convenience.

Most places I've worked, I haven't had to do anything security-wise that I don't already do on my own phone anyway - who doesn't use a PIN these days? Sharing your password with a friend or family member is absolutely a security risk that a company would ask you not to do. Of course they'd only ever find out if something bad happened as a result of your sharing your password! But in that scenario the blame lies with the employee 100%.

We aren't given the option of a company phone or dongle. I think there was something about using a landline but I can't remember.

My husband and I know each other's pins for our phones. I can't remember if that was part of the IT security requirements but again, if they don't like it they can make alternative arrangements. Obviously he doesn't know my password!

Sissynova · 09/06/2023 11:43

PinkSparklyPussyCat · 09/06/2023 10:13

We have to use it for work. We log in and have to enter a code into the app. I don't see how it's that secure as DH could easily log in if he wanted to as he knows the pin to my phone as we have to use our personal phones for this.

The only reason it isn't secure is because you have shared the PIN though, obviously.

milkandbread · 09/06/2023 11:46

MintJulia · 09/06/2023 10:08

They assume that you are you, when you set up the app in the first place. In future, anyone wishing to access your account will have to steal your mobile phone and bypass phone security, as well as know your user ID & password.
It protects you against hackers but, you are right, it does not prove you are you at the start.

Yes, first time I have ever set it up or used it, and first time a QR code was issued. Understand how it will work better now, thank you everybody.

@MintJulia It's exactly this I was wondering! At the first set-up, in the absence of any other ID validation other than a username and password, there is no way to know that the user linking the authenticator app is genuine.

OP posts: