Sticky Fingers: The Computer Corner

June 2, 2024

by Charles Miller

Over the last couple of weeks I have recounted the trials and tribulations of John Doe as he tried to access his bank account online. Online authentication is commonly accomplished by using something you know and/or something you have. John Doe encountered difficulties using the something-you-know approach to authentication because his bank tightened up security by not letting him authenticate using Personally Identifiable Information (PII) that, because of the many data breaches taking place, might also be known to hackers. John also had issues with the something-you-have approach to authentication because he did not own a new-enough smart phone and did not have an acceptable cell phone number. Fortunately for John, his bank used an Authenticator App that eliminated the need for him to have a U.S. cell phone number.

What is an Authenticator App? Installed on a smart phone, an authenticator app generates a TOTP (Time-based, One-Time Password). This is usually four to six numbers or letters. You can use each code only once, and it is usually good for only 30 to 60 seconds. (Rather than having to type in that code, some authenticator apps offer the convenience of using your smart phone camera to snap a picture of a QR code that appears on your computer screen.) Popular authenticator apps are the Google Authenticator and the Microsoft Authenticator, while some financial institutions have created their own apps.

An authenticator app has many advantages over a passcode received by phone call or text message. The codes of an authenticator app are generated locally on your phone where they cannot be hacked; in fact, an authenticator app can work completely offline, even in airplane mode or without having an active cell phone number. And codes that are only active for a few seconds make it very unlikely hackers would have enough time to intercept them.

It is absolutely essential to follow the backup and recovery instructions for your authenticator app. If you lose your phone or upgrade to a new one, you cannot install the authenticator app on any other phone without the backup.

If your bank permits you to use an authenticator app while logging in, this can be a much better alternative to using a cell phone number, especially in Mexico. If shopping for a new bank, the ability to use an authenticator app should be high on your list of must-have banking features.

Over the course of the last few columns here I have stated there are two popular online authentication methods: something you know (username, password, PIN) and something you have (cell phone). There is actually a third less-popular method: something you are (biometrics such as fingerprint, voice or facial recognition). As an authentication method, “something you are” is less popular simply because of the undeniable fact that your biometrics are subject to being leaked onto the dark web and made available to cybercrooks if the company holding your data is hacked.

In the wake of the Biostar2 hack, in which a dataset of more than a million fingerprints was stolen, a joke was going around the tech newsgroups that the company was recommending that, since they lost your fingerprint data, you should see your doctor about getting a new set of fingers.

**************

Charles Miller is a freelance computer consultant with decades of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted at 415-101-8528 or email FAQ8 (at) SMAguru.com.
