Are Authenticator Apps Safe?
Laura Martisiute
If you use or plan to use authenticator apps, you need to know: Are authenticator apps safe?
Below, we explain whether authenticator apps are:
- Safe to use.
- Good for privacy.
We also look at some steps you can take to improve both your safety and privacy when using these apps.
What Is An Authenticator App?
An authenticator app is a mobile application that generates time-based one-time passwords (TOTP): short codes, usually six digits, computed from a secret key that the app and the online service share and from the current time. The codes are used to verify your identity when logging into online accounts.
This is part of a process called two-factor authentication (2FA), which adds an extra layer of security beyond just your username and password.
After entering your username and password for a 2FA-protected account, you’ll be prompted to enter the code shown in the authenticator app. Each code is valid only for a short window (typically 30 seconds), which makes it impractical for anyone else to guess or reuse.
Without this code, even someone with your password can’t access your account.
Authenticator apps are considered more secure than receiving codes via SMS because they are less vulnerable to interception or SIM-swapping attacks.
Some popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy.
Are Authenticator Apps Safe?
Authenticator apps are generally considered safe to use.
Unlike SMS-based 2FA, which can be vulnerable to SIM-swapping attacks or interception, authenticator apps don’t rely on mobile networks. This makes them more secure, as attackers can’t simply hijack your phone number to gain access.
Authenticator apps generate time-based one-time passwords (TOTP) that change every 30 seconds. Even if someone intercepts a code, it will usually expire before they can use it, and a well-implemented service rejects a code that has already been used once.
The codes are computed from a secret key that was stored on your phone when you scanned the enrollment QR code. An attacker who does not have that secret cannot generate codes, so they would need your phone, malware running on it, or a copy of the secret (for example from an unencrypted backup or a screenshot of the QR code). This adds another layer of security, especially when combined with a strong password.
Authenticator apps work offline: the code depends only on the secret and the current time, so you can generate codes without an internet connection, and there is no SMS or network delivery step for an attacker to intercept. The code still has to be typed into a website, however, so a phishing page that relays your password and code to the real site in real time can still get in during the code’s validity window.
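To make the mechanism concrete, here is an added example (not code from this article or from any of the apps named in it): a minimal RFC 6238 TOTP generator and a server-side verifier in Python, using the RFC’s published test seed as a constructed secret. It shows that the code depends only on the shared secret and the time step, that an intercepted code stops verifying once its window has passed or it has been used once, and that anyone holding a copy of the enrollment secret produces exactly the same codes as your phone.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the reference seed from RFC 6238 Appendix B,
# base32-encoded the way it would appear in an otpauth:// enrollment QR code.
# It is a published test value, not a secret from any real account.
RFC6238_SEED = b"12345678901234567890"
ENROLL_SECRET_B32 = base64.b32encode(RFC6238_SEED).decode()

STEP_SECONDS = 30  # time step used by Google Authenticator, Authy and most services
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 31 bits and keeps the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is all the phone does; no network access is needed."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side. Holds the same secret that was enrolled on the phone.

    Accepts `skew_steps` steps of clock drift either way, and never accepts a
    time step at or before the last one it accepted, so a code captured in
    transit cannot be replayed even inside its 30-second window.
    """

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # replay guard: this window was already consumed
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def scenarios() -> dict:
    """Walk through the security properties described above and return the
    outcomes so they can be inspected or asserted on."""
    # 1. Phone and server agree because they share the secret and the clock.
    t_login = 1111111109
    phone_code = totp(ENROLL_SECRET_B32, t_login)
    server = TotpVerifier(ENROLL_SECRET_B32)
    fresh_ok = server.verify(phone_code, t_login)

    # 2. The same code presented again (still inside its window) is rejected.
    replay_ok = server.verify(phone_code, t_login)

    # 3. A code that sat in an attacker's hands for two minutes has expired.
    stale_ok = TotpVerifier(ENROLL_SECRET_B32).verify(phone_code, t_login + 120)

    # 4. One step of clock drift on the phone is tolerated.
    slow_phone_code = totp(ENROLL_SECRET_B32, t_login - STEP_SECONDS)
    skew_ok = TotpVerifier(ENROLL_SECRET_B32).verify(slow_phone_code, t_login)

    # 5. Codes are bound to the secret, not to the device: anyone holding a copy
    #    of the enrollment secret (malware, an unencrypted backup, a screenshot
    #    of the QR code) produces exactly the phone's codes.
    attacker_code = totp(ENROLL_SECRET_B32, t_login)

    return {
        "fresh_code_accepted": fresh_ok,
        "replayed_code_accepted": replay_ok,
        "expired_code_accepted": stale_ok,
        "skewed_code_accepted": skew_ok,
        "copied_secret_yields_same_code": attacker_code == phone_code,
    }


if __name__ == "__main__":
    print("code at T=59:", totp(ENROLL_SECRET_B32, 59))  # RFC 6238 vector 94287082, last six digits
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The replay guard and the skew window are server-side choices; the phone only ever computes HMAC(secret, time step). That is why the secret, not the handset, is what an attacker needs, and why backups of the secret deserve the same care as a password.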
However, authenticator apps are not foolproof.
Criminals can use social engineering techniques to bypass authenticator apps by exploiting human behavior and trust rather than trying to break through technical security measures.
In one case, attackers impersonated the help desk and requested users to provide the code displayed on their authenticator app. If users provided the requested MFA code, the attackers gained access to their accounts.
Like any software, authenticator apps can have security vulnerabilities.
There have also been cases of malicious authenticator apps being distributed on app stores. These apps mimic legitimate ones but are designed to steal user data.
And of course, if your device is lost or stolen and the authenticator app is not protected by a PIN, password, or biometric lock, the new possessor of the device could access the 2FA codes.
Companies that operate authenticator apps can be breached, too. In July 2024, Twilio, which owns Authy, confirmed that attackers had abused an unauthenticated API endpoint to obtain the phone numbers associated with roughly 33 million Authy accounts. No 2FA secrets were reported taken, but a list of numbers known to belong to Authy users is useful for targeted phishing and SIM-swap attempts.
Are authenticator apps safe, according to Reddit?
The general consensus is that authenticator apps are safer than SMS two-factor authentication. However, Redditors recommend hardware security keys (FIDO U2F/FIDO2), like YubiKey, for maximum security.
Are authenticator apps safe for iPhone?
Yes, authenticator apps are typically considered safe to use on iPhones. However, to know for sure, we’d need to know what authenticator app you’re considering.
Regardless of which authenticator app you use, they are not foolproof. Like any other app or service, authenticator apps can be exploited through security vulnerabilities or bypassed through social engineering.
It’s also not impossible for authenticator app companies to be breached.
Are authenticator apps safe for Android?
Yes, authenticator apps are generally considered safe for Android.
That said, the safety and privacy features will depend on each authenticator app, so make sure to check the app’s privacy policy.
Also, keep in mind that though authenticator apps are secure, they are by no means foolproof. They can have security vulnerabilities that attackers can exploit. Criminals can also socially engineer authenticator app users. Companies behind authenticator apps can also be breached.
Are Authenticator Apps Private?
It depends on which authenticator app you use.
Many authenticator apps don’t require you to provide personal information to use them. Authenticator apps usually only need access to your camera (for scanning QR codes) and basic device storage.
However, some authenticator apps might collect more data than they strictly need. For example, according to the privacy label on the App Store, Microsoft Authenticator may collect and link to your identity data, such as your location, user content, usage data, contact info, identifiers, and diagnostics.
Authenticator apps from major tech companies (e.g., Google, Microsoft) may be integrated with other services provided by the same company. This integration could potentially lead to data sharing between services, which may impact your privacy.
If an authenticator app offers cloud backup for your 2FA data, and this data is stored on servers that are not fully secured or encrypted, it poses a privacy risk. Additionally, if the backup is linked to your personal account (e.g., Google or iCloud), it could be accessible by the service provider.
For example, Google introduced cloud backup for Google Authenticator in 2023, allowing users to sync their 2FA tokens with their Google account, making them accessible across multiple devices.
However, security researchers discovered that these backups are not end-to-end encrypted, meaning Google could potentially access the stored 2FA secrets. This lack of encryption poses a risk if Google’s servers are breached or an unauthorized user gains access to a Google account.
In response to these concerns, Google has announced plans to add optional end-to-end encryption to Google Authenticator in the future.
How to Improve Your Safety and Privacy On Authenticator Apps
Follow the steps below for a more private and secure experience while using authenticator apps.
- Select a reputable app. Go for well-known apps. If privacy is a top priority, consider open-source options that allow you to inspect the code and verify its privacy standards.
- Avoid apps with unnecessary permissions. Be cautious of apps that request access to more than just the basics (like the camera for scanning QR codes). Check app permissions and turn off any that seem unnecessary.
- Use strong passwords and biometrics. Protect your device with a strong password or biometric authentication (like fingerprint or facial recognition). This adds an extra layer of security in case your device is lost or stolen.
- Avoid insecure backups. Be careful how you back up your 2FA enrollment. What is worth backing up is the secret key (the QR code or text key shown at enrollment) and the one-time recovery codes the service gives you, not the rotating six-digit codes. Don’t keep them as screenshots or in plain notes; store them in an encrypted password manager or offline, and if you rely on an app’s cloud backup, prefer one that is end-to-end encrypted with a passphrase only you know.
- Audit connected accounts. Periodically review which accounts are linked to your authenticator app and remove any that you no longer use or need.
- Use stronger methods for high-risk accounts. For accounts that hold sensitive information, consider hardware security keys (e.g., YubiKey). Keys that use FIDO2/WebAuthn sign a challenge bound to the website’s real address, so a phishing site cannot relay that factor the way it can relay a typed code.
- Keep the app updated. Ensure that your authenticator app is always updated to the latest version, as updates often include security patches that fix potential vulnerabilities.
- Verify websites. Always double-check the website you’re logging into before entering your authentication code. Phishing sites may try to trick you into entering your code on a fake website.
Don’t have the time?
DeleteMe is our premium privacy service that removes you from more than 750 data brokers like Whitepages, Spokeo, BeenVerified, plus many more.
Save 10% on DeleteMe when you use the code BLOG10.