Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy

Aleck Nash, Hudan Studiawan, George Grispos, Kim Kwang Raymond Choo*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


As the use of authenticator applications for two-factor authentication (2FA) has become increasingly common, there is a growing need to assess the security of these applications. In this paper, we present a security analysis of authenticator applications that are widely used on various platforms, such as Google Authenticator, Microsoft Authenticator, and Authy. Our analysis includes an examination of the security features of these applications (e.g., level of protection) as well as the communication protocols used between the applications and the servers. Our results show that these applications have significant vulnerabilities that could compromise the security of the authentication process. Specifically, we found that some authenticator applications store sensitive data, such as secret keys, in plain text, making them vulnerable to attacks. Overall, our findings indicate that there is a need for better security practices in the design and implementation of authenticator applications. We recommend that developers follow best practices for secure coding and use well-established cryptographic algorithms to generate one-time codes.

Original languageEnglish
Title of host publicationDigital Forensics and Cyber Crime - 14th EAI International Conference, ICDF2C 2023, Proceedings
EditorsSanjay Goel, Paulo Roberto Nunes de Souza
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages10
ISBN (Print)9783031565823
Publication statusPublished - 2024
Event14th EAI International Conference on Digital Forensics and Cyber Crime, ICDF2C 2023 - New York, United States
Duration: 30 Nov 202330 Nov 2023

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume571 LNICST
ISSN (Print)1867-8211
ISSN (Electronic)1867-822X


Conference14th EAI International Conference on Digital Forensics and Cyber Crime, ICDF2C 2023
Country/TerritoryUnited States
CityNew York


  • Authentication protocols
  • Authenticator applications
  • Man-in-the-middle (MITM) attack
  • Security analysis


Dive into the research topics of 'Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy'. Together they form a unique fingerprint.

Cite this