How do authenticator apps work?

With 83% of organizations now requiring multi-factor authentication (MFA), according to JumpCloud’s 2024 IT Trends Report, more employees are pushed to use Microsoft Authenticator or similar tools to secure their work accounts. So it’s only natural to ask, “How do authenticator apps work?”—whether you’re curious or privacy-conscious.

In this guide, we’ll discuss authenticator apps and how they work, plus how they outclass other MFA options like SMS and email. We’ll also cover their disadvantages and some best practices for authenticators before wrapping up with a list of the best apps and some frequently asked questions (FAQs).

What are authenticator apps, and how do they work?

Authenticator apps are free mobile applications that generate temporary codes to log into accounts secured with multi-factor authentication (MFA). Basically, they provide an extra layer of protection in case an attacker obtains your password.

But how do authenticator apps work? Here’s a quick rundown of the process:

  1. First, you turn on MFA on your chosen account. The site shows a QR code that holds a secret key.
  2. You open your authenticator app and scan the QR code. The app will use the key to create time-based one-time passwords (TOTPs) later.
  3. Now, the service and your app have the same key, which is stored in an encrypted format on your device and the authentication server. This prevents anyone, including hackers or rogue employees, from reading it and accessing your account.
  4. Your app’s algorithm makes a new 6-digit code every 30-60 seconds using the saved key and the current time.
  5. Once you log in as usual, you’ll be asked to enter the code from the app.
  6. The site makes its own code the same way and checks if it matches yours. If it does, you’re in. If not, you’re blocked.
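The six steps above map directly onto the standard TOTP algorithm (RFC 6238, built on the HOTP construction of RFC 4226). The following Python example was written for this guide to make each step concrete; it is not code from any of the apps named on this page. It generates the secret that the QR code carries (step 1), builds the otpauth:// URI the app scans (step 2; the issuer and account names are sample values), derives a 6-digit code from the key and the current 30-second time step with HMAC-SHA1 (step 4), and recomputes the code on the server side to compare (step 6). The server-side verifier also tolerates one step of clock drift and remembers the last time step it accepted, so a code that has already been used is refused even inside its validity window, which is the reuse point made in the security section further down.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # length of one time step (RFC 6238 default)
DIGITS = 6          # code length shown by the app


def new_secret(num_bytes: int = 20) -> str:
    """Step 1: the service generates a random secret and base32-encodes it.
    The base32 string is what the QR code carries to the app."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, issuer: str, account: str) -> str:
    """Step 2: the otpauth:// URI encoded in the QR code that the app scans.
    Issuer and account are hypothetical sample values supplied by the caller."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Step 4: the app derives the code from the saved key and the current
    time step. No network is involved; only the clock and the key are used."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


class TotpVerifier:
    """Step 6: the server recomputes the code and compares. It accepts `window`
    steps of clock drift on either side and rejects any time step that has
    already been consumed, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_step_used = -1           # highest time step accepted so far

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step_used:
                continue                   # already used: refuse the replay
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrollment: service makes a secret, app scans it, both now share the key.
    shared = new_secret()
    print(provisioning_uri(shared, "ExampleCorp", "alice@example.com"))
    # Login: app shows a code, server checks it, and a second use is refused.
    server = TotpVerifier(shared)
    code = totp(shared)
    print("code:", code, "accepted:", server.verify(code), "replay:", server.verify(code))
```

The RFC 6238 test vectors (secret "12345678901234567890", SHA1) reproduce with this code once the 8-digit reference values are reduced to their last six digits, which is a quick way to confirm an implementation before deploying it. Note that the verifier's replay check protects only against reuse of a code the server has already seen; it does not help if a code is typed into a fake login page and relayed before the legitimate user submits it, which is why the phishing guidance later in this guide still applies.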

Some services make MFA easier by sending a push notification to your authenticator app instead of asking you to type a code.

To do this, the server stores your app’s ID and uses it to reach your phone during login. When the notification appears, you unlock the app and enter a code or tap a matching number. The app then sends your response back to the server to finish the login process.

Now that you know how authenticator apps work, let’s look at why they’re considered more secure than other two-factor authentication (2FA) options.

How secure are authenticator apps?

The biggest advantage of authenticator apps over SMS or email-based 2FA is that the secret itself is never transmitted between you and the authentication server during login. Once you scan the initial QR code, the secret key remains encrypted on your device and the server; only the short-lived code you type is sent, and it is useless after it expires.

Meanwhile, SMS and email 2FA are vulnerable to:

  • Phishing attacks: Attackers may trick you into entering your code on a fake login page. Once you type it in, they use it immediately to access your account.
  • SIM swapping: Someone convinces your mobile carrier to transfer your number to their SIM card. They then receive your 2FA codes by text, allowing them to break into your accounts.
  • Man-in-the-middle (MITM) attacks: An attacker intercepts the connection between you and the website, stealing your password and the code you enter during login.

Moreover, authenticator codes reset in 30-60 seconds, making them nearly impossible to capture or reuse. Even better, authenticator apps like Authy or Auth0 include biometric checks (e.g., fingerprint, Touch ID, Face ID). That way, your accounts aren’t exposed if someone gains access to your phone.

Security aside, they’re a more reliable option as you get the codes straight from the app, no network needed. You know how frustrating SMS can be if you’ve been stuck trying to log in somewhere with no signal or slow delivery. Authenticator apps avoid all that.

How to use authenticator apps safely

Here are some tips to keep in mind to avoid losing access to your MFA-secured accounts:

  • Store your backup codes securely: When you enable multi-factor authentication (MFA), most services will provide backup codes in case your device is stolen or lost. We recommend encrypting the backup codes with a strong password. Keeping them in a plain .txt file on your system defeats the purpose of using an authenticator.
  • Lock down your phone: Choose a long, unique password or use fingerprint or face unlock to keep out intruders. Some authenticator apps also offer biometric security.
  • Keep things up to date: To keep your authenticator app working properly, install updates as they become available. These help the app stay in sync, run smoothly, and patch security issues. The same goes for smartphone system updates.

What are the disadvantages of an authenticator app?

The main downside of an authenticator app is losing access to your logins. You may get locked out if you lose or switch phones or delete the app without backing it up. Some apps don’t support cloud backup or syncing, and not all services offer backup login options.

Then there’s the added time during login. You have to open the app, find the correct account, and enter the code before it expires. It’s a short delay, but still extra effort, especially if you’re logging in often or juggling multiple accounts.

Enterprise-focused authenticator apps can get expensive for organizations. Some charge monthly fees per user, especially for business features like admin tools or device management. Setting them up, training staff on how authenticator apps work (especially more complex systems), and handling lost access also take time and effort.

Of course, these issues are minor compared to the damage caused by a security breach. Resetting dozens of passwords, losing access to important accounts, or dealing with business disruptions can be far more annoying and costly than the effort required to use an authenticator app.

What’s the best authenticator app?

We’ve previously covered the best authenticator apps, so you should check out that guide for the full details. If you’re short on time, here are the highlights:

  1. ManageEngine ADSelfService Plus: Runs on Windows Server. Recommended for larger organizations. It comes with single sign-on (SSO) and MFA, along with letting users reset passwords and handle account tasks themselves.
  2. LastPass: Offers a cloud service that lets users securely share passwords across multiple devices. It works well for teams who need an easy and secure way to share credentials.
  3. Auth0: Focuses on managing SSO for cloud apps, giving developers a way to protect access at the application level. It’s cloud-based and fits well with apps that need flexible identity management.
  4. OneLogin: Provides authentication services from the cloud that combine VPN-like security with application rights management. It lets you control which users can see and use specific apps, helping reduce unauthorized access.
  5. Authy: Stores backup codes securely in the cloud while making MFA simple on mobile devices. It offers extra features like device syncing to avoid losing access when switching phones.
  6. RSA SecurID: Supports multi-factor authentication with an option for a physical token that generates access codes. It’s a solid choice for organizations that need hardware-based security.
  7. Okta: A cloud-based login tool for businesses with SSO and MFA support. It handles logins, extra verification steps, and keeps user accounts updated when people join or leave. Works with lots of apps and blocks suspicious login attempts.
  8. Google Authenticator: A free, straightforward authenticator for Android and iOS that’s great for individual users and small businesses alike. That said, it’s a bit more limited in scope than other options.

Frequently asked questions

How does an authenticator app work without internet?

Authenticator apps work without internet by using the current time and a saved secret key to generate codes. The codes don’t come from a server—they’re created on your device, so you don’t need Wi-Fi or data for them to show up.

Can authenticator apps track you?

Authenticator apps don’t track you. They don’t need GPS or location access, and they don’t collect data about what you log into. Most just store a key and show you time-based codes when needed, nothing more.

Do authenticator apps store passwords?

Some authenticator apps (such as Microsoft Authenticator) also store passwords. Basically, they act as password managers alongside their usual time-based code function. Alternatively, password management services like LastPass and NordPass offer built-in authenticators, so you can manage both passwords and 2FA codes in one place.

Can someone access my authenticator app?

Someone could access your authenticator app if they get into your unlocked phone, as most apps don’t require a PIN or fingerprint to open. Then again, without your account password, the codes alone usually aren’t enough to log in. Either way, consider an authenticator with biometric 2FA for extra security.