
What is an authenticator app?

An authenticator app is a security application that generates time-based one-time passwords (TOTPs), HMAC-based one-time passwords (HOTPs) or push notifications to help verify the identity of a user. These apps are often used in two-factor authentication or multi-factor authentication (MFA) processes to add an extra layer of security beyond just user credentials.

The widespread adoption of authenticator apps stems from the growing need for stronger authentication. Data breaches, credential stuffing and phishing are commonplace, and a password alone is no longer sufficient to protect access to an account.

Authenticator apps address this concern by requiring users to provide a unique one-time code, in addition to their password, at the time of login. This way, even if a user’s password is compromised, the password alone is not enough to gain access to the account.

How does an authenticator app work?

Authenticator apps rely on a combination of technologies and protocols to provide robust authentication. Let’s explore them:

Time-based one-time passwords (TOTPs)
TOTPs are unique, temporary codes generated by the app at regular intervals, typically every 30 or 60 seconds. Each code is derived from the current time and a secret key shared between the app and the online service you are trying to access. When logging in, the user enters the current code, and the service verifies it by generating the code for the same time interval from its own copy of the secret and comparing the two.

HMAC-based one-time passwords (HOTPs)
HOTPs are similar to TOTPs but are generated from a counter instead of the time. Each time a code is used, the counter increments on both sides, producing a new unique code for the next login. This method is less common than TOTP but is still used in some systems.

QR codes for easy setup
To set up an authenticator app on their mobile device, users typically scan a QR code available on the service portal or MFA setup screen. This QR code contains the secret key and other necessary information to configure the app.

Time-syncing
Authenticator apps typically don't need an internet connection to generate codes, because a TOTP depends only on the shared secret and the current time. The device the app is installed on keeps its clock synchronized with public time servers, so the app and the server derive the same code for the same time interval. This allows the app to work even if your phone is offline at the time of login.

How to use an authenticator app?

In this section, we'll share a step-by-step guide for using an authenticator app. We'll use OneLogin Protect, a trusted app from OneLogin, as our example. While the exact steps may vary slightly across different apps, the overall process remains largely the same.

  1. Start by enabling 2FA or MFA from the security settings of the relevant online service. Then, navigate to the screen that contains the QR code you will use to set up the authenticator app. For example, for GitHub you can make your way to the QR code by following these steps:
    1. Click your profile photo and select Settings.
    2. Choose Password and authentication from the sidebar.
    3. Scroll down and click Enable two-factor authentication.
    4. You will be taken to the Setup authenticator app screen where the QR code will be displayed.
  2. Download and install an authenticator app like OneLogin Protect from the app store.
  3. Tap the + icon on the top right to configure a new account.
  4. If you are prompted to grant the app permission to use your camera, tap OK.
  5. Use your device’s camera to scan the QR code. As the camera captures the code, a bright green box and a checkmark will appear to indicate a successful pairing.
  6. You'll now be redirected to the app's home screen, where you'll see the newly added account and a unique OTP that refreshes periodically.

Common authenticator apps

Some of the most common authenticator apps that you can use to secure your online presence are:

Google Authenticator
A popular choice from a trusted brand, Google Authenticator generates time-based OTPs for secure login and transaction verification. It supports multiple accounts, Android and iOS platforms, and easy transfer of configured accounts between devices.

Microsoft Authenticator
Microsoft Authenticator can be used to secure access to Microsoft services like Outlook and Microsoft 365, as well as external services like Google and Facebook. The app is available for both Android and iOS and offers features like passwordless login and auto-fill.

OneLogin Protect
OneLogin Protect seamlessly integrates with thousands of cloud applications, including Gmail, Office 365 and Salesforce. It is available for Android, Android Wear, iPhone and watchOS platforms.

The OTP solution is based on RFC 6238 (TOTP), which specifies HMAC-based generation of time-sensitive passwords for authentication between endpoints with synchronized clocks. Because the code depends only on the shared secret and the current time, the app can function even if the user’s mobile device isn’t connected to the internet.

Conclusion

Authenticator apps provide an additional layer of security to protect online accounts and sensitive information. By generating time-sensitive OTPs, these apps ensure that even a stolen password doesn’t lead to unauthorized access. Whether you want to safeguard access to your corporate VPN or protect your personal email account, authenticator apps have got you covered.
