Authentication with one-time codes: pros and cons

We explain how two-factor authentication with one-time codes works, what the benefits and risks are, and what else you can do to better protect your accounts.

How secure are authenticator apps?

Information security experts have long agreed that the most reliable form of two-factor authentication with a one-time code is an authenticator app. Most services offer this method as a second level of account protection, while in some cases, two-factor authentication using a code from an app is the only available option.

But the reasons why one-time codes are considered so safe is rarely discussed, so legit questions arise as to whether it’s really a good option, how reliable it is, what dangers are worth considering, and what you need to keep in mind when using this two-factor authentication method. The main purpose of this post is to answer those questions.

How authenticator apps work

Generally, such apps operate as follows: the service in which you’re authenticating and the authenticator itself share a number — a secret key (it is contained in a QR code that you use to enable authentication for this service in the app). The authenticator and the service simultaneously use the same algorithm to generate a code based on this key and the current time.

When you enter the code that your app has generated, the service compares it with what it generated itself. If the codes match, everything is fine, and you can access the account (and if not, you can’t). Also, when you connect the authenticator app via a QR code, a lot of information is transferred in addition to the secret key. This includes the one-time code’s expiration period (usually 30 seconds).

The most important information — the secret key — is transmitted just once, when the service pairs with the authenticator, and then both parties remember it. That is, with each new login to the account, no information is transmitted from the service to your authenticator at all, so there’s nothing to intercept. In fact, authenticator apps don’t even need internet access to perform their main function. All that a hacker can theoretically get is the actual one-time code that the system generates for you to enter. And this code is valid for just half a minute or so.

We’ve already discussed in more detail how authenticator apps work in a separate post. Read it if you want to know about authentication standards, the information contained in QR codes to connect those apps, and about services that are incompatible with the most common authenticators.

How secure is 2FA with a one-time code?

Let’s summarize the main advantages of one-time code authentication from an app:

  • Good protection against leaks: a password alone isn’t enough to gain access to an account — you also need a one-time code.
  • Decent protection against interception of this one-time code. Since the code is valid for just 30 seconds, hackers don’t have much time to use it.
  • It’s impossible to recover a secret key from a one-time code, so even if the code is intercepted, attackers won’t be able to clone the authenticator.
  • No internet connection is required on the device generating one-time codes. It can be kept completely isolated from it.

As you can see, the system is well thought out. Its developers have done everything in their power to make it as secure as possible. But no solution is completely safe. So even when using authentication by code from an app, there are some risks to consider and precautions to take. That’s what we’ll talk about next.

Leaks, e-mail hacking and workarounds

I mentioned above that authenticating with one-time codes from an app is great protection against password leaks. And in a perfect world, it would be. Unfortunately, we don’t leave there, There’s a crucial nuance, which stems from the fact that services usually don’t want to lose their users because of such a small annoying detail like losing the authenticator (which can happen to anyone); therefore, they usually provide an alternative way to log into accounts: sending a one-time code or confirmation link to an associated e-mail address.

This means that if a leak has occurred and attackers know both the password and the e-mail address it’s linked to, they can try to use this alternative method to log in to the account. And if your e-mail is poorly protected (especially if you use the same password for it and don’t enable two-factor authentication) it’s very likely that hackers would be able to bypass entering a one-time code from an app.

What’s worth doing about it:

  • Keep an eye out for data leaks, and promptly change passwords for affected services.
  • Don’t use the same password for different services. This is especially important for e-mail to which other accounts are linked.
  • Some services allow you to disable alternative methods of logging in. For especially valuable accounts, it may be worth doing this (but don’t forget to back up the authenticator — there’s more on this below).

Physical access and people looking over your shoulder

Someone might look over your shoulder when you’re using an authenticator app and see the one-time code. And not only one code, as authenticators often display several codes in a row. So the intruder could log in to any of those accounts if they saw the code. Of course, hackers would not have much time to take advantage of what they caught sight of. But it’s better not to take any chances — 30 seconds might be enough time for a nimble-fingered cybercrook…

The situation is more dangerous if someone manages to get their hands on an unlocked smartphone with an authenticator. In this case, that someone could well take the opportunity to log into your accounts without much haste or trouble.

How to minimize such risks:

  • Use an authenticator app that doesn’t display the codes on screen by default (there are quite a lot of them).
  • Set a strong password to unlock the smartphone on which the authenticator app is installed and turn on auto screen locking after a short period of inactivity.
  • Use an app where you can additionally set a login password (such apps exist, too).

Phishing sites

Most phishing sites designed for mass attacks are quite primitive. Their creators are usually satisfied with stealing logins and passwords, followed by selling them dirt cheap wholesale somewhere on the dark web. Of course, two-factor authentication is perfect protection against such hackers: even if someone gets your login credentials, they’re completely useless without a one-time code from an app.

However, on more carefully and plausibly crafted phishing sites, particularly those designed for targeted attacks, phishers can also imitate the two-factor authentication verification mechanism. In this case, they’ll not only intercept the login and password, but also the one-time code. After that, the attackers will quickly log into the victim’s real account, while the phishing site may issue an error message and suggest retrying.

Unfortunately, despite its apparent simplicity, phishing remains an extremely effective trick for criminals, and it can be difficult to protect yourself against sophisticated versions of scams. The general advice here is as follows:

Stealing malware

To put it mildly, people don’t really like going through the full authentication process. Therefore, services try not to bother their users unnecessarily. In fact, in most cases, you only have to be fully authenticated with a password and confirmation code when you log in to your account on each device for the first time. Or maybe a further time — if you’ve accidently cleared the cookies from your browser.

After successfully logging in, the service saves a small cookie on your computer, which contains a long and very secret number. This file is what your browser will present to the service for authentication from now on. So if someone manages to steal this file, it can be used to sign into your account. No password or one-time code will be needed for this at all.

Such files (along with a bunch of other information like browser-saved passwords, cryptocurrency wallet keys and other similar goodies) can be stolen by Trojan stealers. If you’re unfortunate enough to get a stealer on your computer, there’s a very good chance that your accounts will be hijacked, even with all the other precautions.

To prevent this from happening:

  • Don’t install programs from dubious sources.
  • Be sure to use reliable protection all your devices.

The lack of authenticator backups

Access to your accounts can also be lost due to protection being too strong. Like if after you’ve prohibited getting into your accounts without a code from an app, you somehow lose the authenticator. In this case, you might permanently lose your accounts and information in them. Or at least you’re assured of a few fun days of tearful correspondence with support for access restoration.

There are in fact quite a few circumstances where you might lose your authenticator:

  • A smartphone can break in a way that you can’t get any information out of it.
  • You might lose it.
  • And of course, it could be stolen.

All these are unpredictable events, so it’s better to prepare for them in advance to avoid any unpleasant consequences:

  • Be sure to back up the authenticator data. Many apps allow backup to the cloud; some can also save it as a local file.
  • It may be wise to install the authenticator on two different devices or even use several different apps. This protects you from being locked out from your backup if the cloud infrastructure of a single authenticator is unavailable at the most inopportune moment.

How to stay safe

Let’s summarize. Two-factor authentication itself seriously reduces the risk of your accounts being hijacked, but it doesn’t guarantee complete security. It’s therefore worth taking extra precautions:

  • Be sure to set a password to log in to the device where the authenticator is installed.
  • Use an authenticator app that knows how to hide one-time codes from unwanted eyes and allows you to set a password to log in to the app itself.
  • Don’t forget to back up the authenticator.
  • Don’t use simple passwords and don’t use the same passwords for different accounts. A password manager will help you generate and remember unique and secure character sequences.
  • Watch out for leaks, and promptly change passwords from affected services, especially if it’s the e-mail to which other accounts are linked. Incidentally, Kaspersky Password Manager tracks password leaks and warns you about them.
  • To protect yourself from phishing and stealing malware, install a reliable security solution on all of your devices.
  • Watch out for login attempts to your accounts and respond quickly to suspicious activity. By the way, we have a tutorial that tells you what to do if your account is hacked.