TY - GEN
T1 - Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy
AU - Nash, Aleck
AU - Studiawan, Hudan
AU - Grispos, George
AU - Choo, Kim Kwang Raymond
N1 - Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2024.
PY - 2024
Y1 - 2024
AB - As the use of authenticator applications for two-factor authentication (2FA) has become increasingly common, there is a growing need to assess the security of these applications. In this paper, we present a security analysis of authenticator applications that are widely used on various platforms, such as Google Authenticator, Microsoft Authenticator, and Authy. Our analysis includes an examination of the security features of these applications (e.g., level of protection) as well as the communication protocols used between the applications and the servers. Our results show that these applications have significant vulnerabilities that could compromise the security of the authentication process. Specifically, we found that some authenticator applications store sensitive data, such as secret keys, in plain text, making them vulnerable to attacks. Overall, our findings indicate that there is a need for better security practices in the design and implementation of authenticator applications. We recommend that developers follow best practices for secure coding and use well-established cryptographic algorithms to generate one-time codes.
KW - Authentication protocols
KW - Authenticator applications
KW - Man-in-the-middle (MITM) attack
KW - Security analysis
UR - http://www.scopus.com/inward/record.url?scp=85190686947&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-56583-0_13
DO - 10.1007/978-3-031-56583-0_13
M3 - Conference contribution
AN - SCOPUS:85190686947
SN - 9783031565823
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 197
EP - 206
BT - Digital Forensics and Cyber Crime - 14th EAI International Conference, ICDF2C 2023, Proceedings
A2 - Goel, Sanjay
A2 - Nunes de Souza, Paulo Roberto
PB - Springer Science and Business Media Deutschland GmbH
T2 - 14th EAI International Conference on Digital Forensics and Cyber Crime, ICDF2C 2023
Y2 - 30 November 2023 through 30 November 2023
ER -