What is an authenticator app and how does it work?

An authenticator app generates a special login code that you can use to verify your identity online. Wondering why you need these codes when you already have a password? We'll explain this and more below.

An authenticator app is a desktop or mobile application that uses six- to eight-digit, time-based one-time passwords (TOTP) to protect accounts, applications, financial transactions, and more. Each code can only be used once. It expires after a set time (usually 30 seconds), after which a new code is displayed.

In most cases, people use authenticator apps for multi-factor authentication, where the app provides an optional second layer of protection for digital accounts. With such an app, logging in requires both your username and password (or fingerprint) and the verification code.

Password-protected accounts are only secure if the password is not compromised, but this is not guaranteed, especially given the prevalence of cyber threats. That's why we recommend using a combination of the following authentication methods:

  • Something you know (password, PIN, or pattern recognition)
  • Something you have (physical security key, authenticator app, or text message)
  • Something you are (biometric, usually your voice or fingerprint)

Since your smartphone is with you most of the time, it makes sense to use it as a second authentication factor. This is where authenticator apps come in: they generate verification codes for your various online accounts. So even if your password is stolen, the hacker can't access your account (and neither can you) without the accompanying login code.

You're not limited to using the mobile app for authentication, but we don't recommend using desktop authenticator apps. Use mobile apps from trusted developers.

We've shown you how to set up and use Google Authenticator. We also covered instructions for Microsoft Authenticator.

Whatever the relevant authenticator app is, to set it up, install it from the relevant app store and create an account when prompted.

The steps for generating codes for third-party accounts vary from application to application, but generally follow the same pattern:

  1. Open your online account's settings and follow the prompts to enable two-factor or multi-factor authentication (if supported).

  2. Make sure you can see the alphanumeric keys and/or QR code on the screen.

  3. Sign in to the Authenticator app on your device and tap the option to add a new account.

  4. Copy and paste the key from your online account or scan the QR code.

  5. Enter the code generated by the authenticator application into the relevant field in your online account.

  6. Follow the prompts to complete the setup.

  7. Back up the recovery codes provided by your online account. If you lose access to the authenticator app, you can enter one of these codes to regain access to your account.

Follow the backup and recovery instructions for your authenticator app. They will come in handy if you lose your device, accidentally uninstall the app, or want to move to a new device.

When you set up TOTP-based authentication for your account, a shared secret key embedded in the QR code (and in the alphanumeric key) is combined with the current time by a standard algorithm to generate the code; the server for the account you log in to holds the same secret and derives the same code. Only the application and the server "know" this secret.

When you log into the relevant account and enter the code at the relevant prompt, the account server compares what you enter with what it generates. If they match, you're in. If there is no match, you will be denied access.
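The derivation described above, as an added example that is not part of the original article: the shared secret and the current 30-second step are fed into HMAC-SHA1 (the RFC 6238 defaults), and the server recomputes the code, tolerates a step of clock drift, and refuses to accept a step it has already honoured. The secret is the published RFC 6238 test value, not a real key.

```python
"""Added example: TOTP code generation (client side) and verification (server side).
Parameters are the RFC 6238 defaults: HMAC-SHA1, 30-second step, 6 digits."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code, as described in the article
DIGITS = 6


def secret_from_base32(key: str) -> bytes:
    """The alphanumeric key shown beside the QR code is base32; strip spaces, fix padding."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate to 31 bits, keep last digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int, last_used_step: int,
           window: int = 1, step: int = STEP_SECONDS) -> tuple[bool, int]:
    """Server-side check. Accepts +/- `window` steps of clock drift, compares in constant
    time, and rejects any step at or before `last_used_step` so a captured code cannot be
    replayed. Returns (accepted, new last_used_step)."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    # RFC 6238 test secret, i.e. ASCII "12345678901234567890" (constructed, not a real key).
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    code = totp(secret, 59)                       # RFC vector: 94287082 -> 6 digits 287082
    accepted, used = verify(secret, code, 59, last_used_step=-1)
    replayed, _ = verify(secret, code, 59, last_used_step=used)
    print(code, accepted, replayed)               # 287082 True False
```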

You can also receive a verification code via text message by linking your mobile phone number to your online account. However, we recommend generating the code with an authenticator app for a few reasons. Authenticator apps:

  • Add protection from your device's PIN or biometric lock
  • Store the secret locally, whereas SMS is not encrypted and is vulnerable to interception
  • Regenerate the code every 30 seconds or so, whereas SMS OTPs stay valid for several minutes, giving hackers plenty of time to intercept them
  • Are not affected by SIM swapping
  • Work completely offline (even in airplane mode!), unlike text messages, which require a mobile network connection

Of course, SMS verification is always better than no multi-factor authentication. Additionally, if you take a screenshot of the QR code provided during setup and save the image somewhere where anyone can access it, the authenticator app may be as insecure as text messages. The same applies if your device or recovery code is not protected.

Regardless, if you decide to add a layer of security, an authenticator app (or even a physical key) is a safer option than text messaging. Some apps and websites have even eliminated SMS verification entirely.

We recommend enabling multi-factor authentication for popular online accounts and elsewhere where the feature is available. Install the same authenticator app on all your devices for quick access to codes.

If your password manager has a TOTP generation feature, you can use it to generate the code instead of installing a standalone authenticator application.