As we have discussed many times on the Panda Security blog, traditional passwords remain a serious risk to online security. To help better protect yourself, we strongly recommend the use of multi-factor authentication (MFA).

Often MFA relies on a one-time code that is sent via SMS to your cellphone. The idea is that no one else will have your username, password and mobile phone, so no one can impersonate you. But cybercriminals continue to get smarter and have found a way to hijack these SMS authentication codes.

And this is where authentication apps like Google Authenticator can help.

How Google Authenticator works

How to get started with Google Authenticator

To get started with Google Authenticator:

  • Download the app from your app store (it is available for iOS and Android devices)
  • Open the app and click Get Started
  • You can now choose to log in with your Google account, which will allow you to sync your passwords between your devices.

How to use Google Authenticator

The next task is to configure your online accounts to use MFA logons. Many popular services like Twitter, Google, Amazon, Dropbox and TikTok offer support for MFA.

Let’s take Amazon as an example:

  • Log into your Amazon account using a web browser (this works best on your laptop or desktop computer).
  • Go to your Account page
  • Select the menu option for Login & security
  • Click the option to Turn on two-factor authentication and then click Get started
  • By default Amazon sends authentication codes via SMS. Select the Authenticator app option instead.
  • The page will now display a QR code – scan it with the Google Authenticator app to link your device to your account.

And that’s it. Next time you attempt to log into your Amazon account you will be prompted for your username and password as normal. However, you will then be prompted to scan another QR code with the Google Authenticator app before you gain access to your account.

Why use an authenticator app?

When you register your authenticator app with an online service, it automatically generates a very long, very secure secret key based on the QR code that you scanned. This secret key is then encrypted, making it virtually impossible to steal, hijack or guess.

The service or website uses the same algorithm to generate a code based on the current time and the secret key, and compares it to the code submitted by your authenticator app. If everything matches, you are granted access to your account.

The clever part is that the website code changes every second (or sometimes even faster). So even if a hacker did manage to crack the code, they would only have a fraction of a second to use it. That is what makes authenticator apps like Google Authenticator incredibly secure, and why you should choose to use one if you can.