Multi Factor Authentication App Backup and Usage Strategies
I’ve been using Microsoft’s Authenticator App not only because it supports Azure authentication (Office 365) but because it supports my Microsoft Account, Google account, and anyplace else that supports the OTP standard. Any site or service that supports RFC 6238 is supported by MS Authenticator, and I can scan a QR code (or in some cases enter a Secret Key instead of a QR code) to “provision” an account.
As my list of 2FA/multi-factor authentication enabled assets grows, I had been thinking a lot about what would happen if I upgraded my iPhone or had a hardware failure and needed to replace it. Even restoring a new phone from an iPhone backup does not restore the accounts to MS Authenticator (and the same is true of other 2FA apps, although several offer their own export/import or backup/restore functions). And, while I do get push notifications to approve or deny access on my Apple Watch from MS Authenticator for my Office 365 account and my Microsoft Account, for other sites and services I need my phone when prompted to enter a code, since Microsoft does not (yet) offer a full-fledged Apple Watch app.
This is a big thing for me and I can’t count the times when I’m in my third floor home office and my phone is on the kitchen counter (oops) and I need to log in somewhere. Exercise and cardio health aside, running up and down the stairs is not my preferred option.
I started thinking about what I’d need to do if I upgraded my iPhone or needed to have it replaced. I knew that I could log in to all the accounts where 2FA was turned on, turn 2FA off and set it up again. (If I only had a single consumer Microsoft account, it would be easy to just turn it off and on again, but with 15 accounts, that becomes almost a full day’s work.)
The key to setting up multiple authentication apps for testing was to have the original QR Code saved/printed out, or the original secret key. Microsoft non-Azure-based accounts allow set up of more than one authenticator app (when you log in to https://account.live.com/proofs you can set up more than one identification app). Google based accounts will let you “change phones”; and then there are the 2FA implementations for WordPress, domain hosting companies, Facebook, etc.
I wanted to be sure I wouldn’t lose 2FA within the Microsoft Authenticator App and thus wanted to verify I could use the initial QR Codes or Secret Keys to set up additional apps. I knew that this would not work for my Office 365 account that relies on Azure but proceeded to try out a Microsoft Account, a Google Account, Facebook, and a few other properties like a plugin that enables 2FA for WordPress, the control panel for my web hosting company, etc. At the same time I set out to research what my options were for a watchOS app that displayed generated codes and found that only a few iOS apps offered Apple Watch support (Authy, Duo Mobile, SAASPASS, 2STP and a few others).
I tried Authy first but it didn’t work on my Apple Watch. No matter how many times I installed/uninstalled, hard rebooted my iPhone and Apple Watch, it would spin and spin and then display “no accounts yet”. Authy support has been dismal. It took them two weeks to respond after I opened a support case and then they asked what version of watchOS and have not responded to me since I replied with the watchOS version. Then, three weeks later (5/26/2017) an app update appeared and the app now works on the Apple Watch (but they have not communicated with me to advise me that they implemented a fix). It requires an extra tap to get to the codes. Authy has a setting to allow multiple devices. This certainly would appear to be helpful in case of disaster or when switching phones (except for Azure based accounts), as well as the ability to password protect encrypted backups stored on the Authy servers. The poor support turned me off on this one.
Duo Mobile works, but requires an extra tap to get to the actual code in both the iOS iPhone app and on the Apple Watch. Some people might consider this extra security, but since the codes change every 30 seconds, my vote is for convenience. SAASPASS sports a UI that I think is a nightmare.
There are a few other apps whose description stated Apple Watch Support, and I decided to try 2STP next.
The 2STP app seemed to offer everything I wanted, including a scrollable list showing codes on the Apple Watch app, the ability to export/import accounts and even use on multiple devices, plus some nice ways to customize the interface. What I liked best was that, like MS Authenticator, the codes were clearly visible without having to drill down.
I’ve been using the dark app mode in Windows 10, so 2STP was the most aesthetically pleasing to me out of all the alternative 2FA apps I tried. ALL of these apps work and handle the standards-based RFC 6238 code generation. For me it was (again) convenience and aesthetics.
I easily scanned my original QR Codes (or entered Security Keys) and was up and running. I exported my accounts/settings after configuring all my accounts and have saved them in several places.
So basically, both of my mission objectives have been accomplished:
- I get a Push Notification to Approve/Deny 2FA-enabled Microsoft personal and Microsoft Office 365 Azure based accounts via my Apple Watch, and for my non-Microsoft accounts, I have quick and easy access to one time codes on my watch.
- I have a backup strategy that covers everything except my Office 365 Azure based account. For Microsoft personal accounts, I can add another authenticator app any time I want. If I need to set up a replacement phone, I should be able to scan my saved QR Codes (or enter my saved secret key), and for Google accounts, I can change phones in the Google security portal OR scan the original QR Codes/enter the saved secret key. For all my other 2FA enabled accounts, I can scan the original QR Code or enter the secret key.
There is a lot to think about when you enable MFA/2FA to protect yourself, and I think many people don’t think about what might happen if they need to replace a cell phone. I’ve found a solution that works for me, plus gives me more 2FA functionality on my Apple Watch. Let me know on Twitter @barbbowman if this helps you!