
Is it safe to put my work authenticator app on my personal phone?

Can you safely add authenticator apps for work accounts to your personal phone? We think you can, and here's why.

 

Background

Protecting your online accounts is more crucial than ever. Authenticator apps are among the most effective tools for boosting security. The UK's National Cyber Security Centre highly recommends their use. Nonetheless, many individuals have reservations about integrating work accounts into authenticator apps on their personal devices. Let’s explore what authenticator apps are, how they function, and address common privacy and security concerns.

If you don't wish to read further, the key point is that they are secure and there's no need for concern. In fact, if you haven't already set one up for your personal accounts, you should consider updating your security settings promptly. Check for MFA or 2FA in your account settings.

 

What are authenticator apps?

Authenticator apps are simple, self-contained mobile applications that generate time-based one-time passwords (TOTPs) or verification codes used for multi-factor authentication (MFA).

Popular examples include:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy

These apps add an extra layer of security to your online accounts by providing a second form of verification in addition to your password that cyber criminals can't easily get hold of.

 

How do authenticator apps work?

Authenticator apps generally work on a very simple three-stage process.

  1. Set up MFA: When you enable MFA on an account, you’ll typically be asked to scan a QR code with your authenticator app. This QR code contains a secret key that the app uses to generate verification codes. The service you're trying to log into stores the same secret key against your account on their own servers in an encrypted format so that it's unreadable to anyone else including the staff at the service you're trying to log into.
  2. Generate a Code: The app uses the secret key and the current time to generate a unique, time-sensitive code (sometimes called a Time-based One Time Password, or TOTP). These codes usually refresh every 30 seconds.
  3. Verify the Code: When you log in to your account, you’ll enter your password as usual. Then, you’ll be prompted to enter the code from your authenticator app. The service will match what you enter against its own generated code and if they match you are granted access. Only someone with access to both your password and the current code can log in.

Because the app is essentially just a number generator that uses a secret key as a seed to generate codes, it isn't actually 'linked' to your accounts. It's not really connected to your account; it just stores the same key as your account.

 

Interactive app authentication


Some services have streamlined the process slightly to save you having to manually enter a 6-digit code.

These services' servers store your authenticator's ID so that they can communicate with it by sending notifications to your phone asking you to take action.

This is why you will sometimes see your authenticator app pop up on your phone asking you to unlock it and enter a code, or select a number from a selection of three options.

In this case, the app is communicating with the server directly but isn't linked to any data in your account or on your phone. The self-contained app sends your response to the server to save you having to type out a 6-digit number.

 

Why are authenticator apps safer than other forms of MFA?

Historically MFA (sometimes referred to as two-factor authentication or 2FA) relied on sending either an email or an SMS to you. Both of these forms of communication are interceptable by cyber-criminals and so aren't as secure as an authenticator app.

The app knows the secret key that only the other server knows. There is nothing communicated between them that is interceptable and usable by a criminal.

Additionally, over and above security, apps are also more reliable as they do not rely on mobile phone coverage to receive an SMS. Before authenticators were created, many of us experienced the pain of needing to log into a cloud service but not being able to receive the SMS code.


Privacy Concerns

One common concern among people is the fear that adding a work account to their personal phone might allow their IT department to access their personal information. Let’s address this concern in detail:

  • Separation of Data: Authenticator apps do not have access to your personal data. They only generate verification codes based on the secret key provided during setup. The app itself does not store or transmit any personal information.
  • Limited Permissions: When you install an authenticator app, it typically requires minimal permissions. It does not need access to your contacts, messages, or other personal data.
  • No IT Access: Adding a work account to your authenticator app does not grant your IT department access to your personal phone. The authenticator app functions independently and does not provide any backdoor into your device.
  • Control and Transparency: You have full control over the authenticator app. You can see exactly what accounts are added and can remove them at any time. This transparency ensures that you know exactly what the app is doing.

 

Best Practices for Using Authenticator Apps

In addition to simply using an authenticator, there's some best practice guidance and advice that we'll share to make sure that you get the most out of using authentication apps.

  • Create Backup Codes: When setting up MFA, always save the backup codes provided. These can be used if you lose access to your authenticator app.
  • Set App Security: Use a strong password or biometric lock for your phone to prevent unauthorised access to your authenticator app.
  • Perform Regular Updates: Keep your authenticator app updated to benefit from the latest security features and improvements.

 

Conclusion

Authenticator apps are a powerful tool for enhancing the security of your online accounts. They provide an additional layer of protection that is both effective and easy to use. While it’s natural to have concerns about privacy, it’s important to understand that these apps are designed with security and user control in mind. By using an authenticator app, you can significantly reduce the risk of unauthorised access to your accounts without compromising your personal privacy.

 

Next Steps....

If you would like assistance with setting up authenticator apps, multi-factor authentication or any other cyber security initiatives, get in touch with your team of experts today.
