Authenticator Apps

29-Jan-2021 4:49pm

Since January now appears to be Scammer & Hacker Month in our profession, I'm wondering how many of you use authenticator apps and, if you use them, have you made them mandatory everywhere possible in your data security policy?

What do you use?

I'm a late adopter, but have started using the Authy app on my phone.

For websites that store client and third party SSNs, like the 1099 efile websites, I consider an authenticator app absolutely necessary nowadays. It's just too easy to compromise a username and password.

30-Jan-2021 6:49am

TR Authenticator for Thomson Reuters = daily. Microsoft Authenticator for Microsoft = occasional.

Have also used Duo and Google authenticators. All work fine.

30-Jan-2021 9:42am

I stopped using Google Authenticator when I had the primary device fail, and I lost access to the app. It took forever to gain access to linked accounts. Others have allowed me to set up secondary devices if the primary becomes unavailable, but could not do that with Google.

I use the IRS Authenticator, one for Zoho (my password manager), and Microsoft's. I also use the TR Authenticator if I need to do work on a 2015-2018 tax return. I have not widely adopted them in other places because they are still not available outside of Google Authenticator, which I refuse to use again. I do need to set up TFA via text wherever possible, though, at minimum, even though it is not nearly as secure as an authenticator app. I have TFA via text set up for my remote software and various other accounts, but I have so many accounts I will need to create a list and go one-by-one to identify if TFA is enabled and which method.

30-Jan-2021 9:47am

I use TR Authenticator app but every other website with 2 factor authentication does not use a regular app. How do you use an authenticator app when it's not native to the website?

30-Jan-2021 9:57am

missingdonut wrote: I use TR Authenticator app but every other website with 2 factor authentication does not use a regular app. How do you use an authenticator app when it's not native to the website?


Some offer Google or Microsoft Authenticator, but it is not as widespread as it should be. Typically, the TFA I see made available is e-mail code or SMS code. I know those methods are not as secure, but at least "I" am not at risk of getting locked out of my own services if a device fails, or I happen to not be carrying a particular device that has the authentication app but can still receive e-mails/texts.

30-Jan-2021 9:59am

Cornerstone -- Google Authenticator does present a problem if your phone stops working, is lost or stolen. Recovery isn't easy. I started out using Google Authenticator but stopped because I saw the writing on the wall if I ever was in one of those situations. It would be a nightmare if that occurred during tax season.

Authy is better in that you can back up everything with a password and recover all accounts if needed. You can also set it up on multiple devices. Authy also works everywhere that Google Authenticator works.

missingdonut wrote: How do you use an authenticator app when it's not native to the website?


What do you mean? Do you mean that the website requires that you use an authenticator app? Or that the website uses 2FA via text message?

If the former, you download a 2FA app on your phone or tablet, such as Google Authenticator, Authy, whatever (there's about a dozen out there), you go through the process of setting 2FA up on the website and with the app, which usually involves scanning a QR code generated by the website with your authenticator app.

After it's set up, the authenticator app generates a 6-digit number every 30 seconds based on the original QR code given by the website (that only the website and the authenticator app know) and an algorithm. When you log in, you're prompted to enter whatever 6-digit number is currently appearing for that account in your authenticator app.

30-Jan-2021 10:09am

All of my 2FA (except for Thomson Reuters) is by e-mail or SMS. I agree that it is not ideal, although better than nothing, and I increasingly use a password manager to generate and save more secure passwords.

My question is if it is possible to implement 2FA on a website which doesn't have it. Like the TaxProTalk forums. Is it possible to use one of those apps so that someone can't hack into my account here and post dumber things than I normally post?

30-Jan-2021 10:16am

missingdonut wrote: My question is if it is possible to implement 2FA on a website which doesn't have it. Like the TaxProTalk forums.


No. It takes two to tango.

An authenticator app works as I described above. If the website isn't set up to provide 2FA via an authenticator app, it's not possible to use one with that website.

30-Jan-2021 10:31am

Much appreciated. In that case I hope a better solution is found because a lot of people will have little interest in putting a bunch of different authentication apps on their phone, and the consolidated ones (like Google) seem problematic.

30-Jan-2021 10:37am

Google Authenticator is problematic. But Google Authenticator is not the only consolidated authenticator app out there. And not all consolidated authenticator apps have the limitations of Google Authenticator.

I've already mentioned a competitor to Google Authenticator that IMO is superior.

30-Jan-2021 10:57am

Point taken.