How Do Apps Like Google and Microsoft Authenticator Work?

How Do Apps Like Google and Microsoft Authenticator Work?

Written by Joe Cannata

Posted on May 20, 2021

How Do Apps Like Google and Microsoft Authenticator Work?

As you become increasingly dependent on the internet to execute your day-to-day functions, you also become increasingly concerned about the security of your data, devices, and systems. This is especially so since there are increased reports of cybercrime incidences targeting businesses and individuals as well.

Fortunately, cybersecurity solutions are also being developed to match the increasing cyberattack threats. Different authentication factors (FAs) have been developed to keep users and online resources safe from cyberattacks. Some of them include Google and Microsoft Authentication Apps.

Keep reading to learn how these Apps work. First, let us look at different authentication factors.

What Are Authentication Factors?

Authentication factors refer to the processes used to keep users’ credentials safe and secure online resources from unauthorized access. Some platforms require a single-factor authentication (SFA) in which the user provides a passcode or PIN.

Some may require two-factor authentication (2FA) that combines your Pin with another factor like a biometric factor, such as voice recognition, fingerprints, or face recognition. On some platforms, you need multiple-factor authentication (MFA), meaning you require a combination of two or more factors to access a system or online resources.

Common Authentication Factors

Here are the authentication factors most platforms use:

• Knowledge factor: It refers to some authentication information known to the users. The information may be a password, passcode, or a personal identification number (PIN). It may also be a kind of shared secret known by the user and the platform administrators. The knowledge factor is safe as long as the information is not revealed to unauthorized people. Most firms are phasing out knowledge factors to improve user experience (UX) on their systems. With the number of platforms a user signs into in a day, it becomes cumbersome to remember PINs and passwords for each of them. By allowing passwordless authentication, companies are offering a better UX while still securing the users’ information and the company systems with other authentication factors that provide more advanced cybersecurity.
• Possession factor: This refers to authentication items that a user has. They may be identification documents or devices like a smartphone App, cellphone, tablet, or a security token. The user’s identity is authenticated when these items are recognized and matched to the user. This factor is commonly used in Push Notifications. This is where a system sends a prompt to a user’s device or App requesting the user to authenticate access.   By allowing access, the system interprets that the device identified with a user is in their possession at that moment, and they have used it to authenticate the access request. This is significant in reducing social engineering, phishing, or man-in-the-middle (MitM) attacks.
• Inherent factor: It refers to some physical attribute of the user. They are also referred to as biometric factors and may include fingerprints, retinal scanning, voice pattern, or gait recognition.
• Location factor: It constitutes location information picked when authentication is launched. The information may come from the device Internet Protocol (IP) or geolocation information like the one provided by Global Positioning System (GPS), which identifies the location of your device to match it to your credentials before allowing access. Time factor: A time factor creates a time window within which a user is granted access. Any attempt to access a resource or platform outside the set time is denied.

A single-factor authentication can use any of these factors. 2FA usually combines any two of the first three factors, while MFA can combine any of these factors to create several layers of protection.

How 2FAs Work

2FAs may be divided into hardware and software-based 2FAs. Hardware-based 2FAs include smartcards or key fobs. On the other hand, software-based 2FAs exist in the form of desktop or mobile Apps. The Apps generate a one-time password (OTP) they link to a specific device, account, or user.

The OTP is shared with the user, who may input it any time they require access or authorize the system to save it and remember it anytime the user wants to log in. An example of an OTP-based system is your Gmail account.

However, the OTP is not the only factor the system uses. The software-based Apps also generate a code that they save in their platform. This combines the user’s OTP, device identity, and security issued during the account registration. When you request access, the system inspects the security key, the initiating device, and the OTP.

If they match, access is given. If one of the sets of information fails to match, the system sends you a notification. You have probably seen this if you ever tried to access your Gmail account from a new device. This authentication is not secure since the OTP may be intercepted and used to access your account without your authorization.

Some 2FAs Apps go a step further to secure your data by generating a Time-Based One-Time Password (TOTP). The system generates unique passwords at regular intervals, and the passwords are not shared with the user.

Hackers cannot access the passwords since the platform uses them only as internal authentication factors. The TOTP combines your password, location data, device and account information, and the time when the code is generated to determine if you are authorized to access and continue using a platform or online resource.

How Do Authentication Apps Work?

When you sign-up on an authentication app, it notes and stores your credentials. Every time you request access, the system a TOTP. If the TOTP on the originating device and the system match, you are granted access.

Remember, the TOTP is shared between the server and the authenticator, eliminating chances of the information being intercepted by the MitM for unauthorized or malicious use. This tells you that platforms using TOTP, like Microsoft and Google authenticator Apps, are more secure from cyberattacks.

How have you secured your business from Cyberattacks? Contact Techsperts and schedule a no-obligation and detailed IT assessment. It is better when experts give you a clean bill of health on your cybersecurity tools than to discover you have not secured your systems adequately after an attack.

At Techsperts, we offer timely IT expert advice, strategic IT, and fully managed IT services and computer, data, and IT network security solutions. Our services are cost-effective, and we use state-of-the-art technology. We guarantee you 100% satisfaction or your money back.