What is an authenticator app
Learn what an authenticator app is and how it protects your accounts. Includes a detailed explanation of how it works and a step-by-step example guide to use an authenticator app.
Developer
What is an authenticator app
An authenticator app is a security tool that generates time-based verification codes using cryptographic algorithms (like TOTP or HOTP) to add an extra layer of protection to your accounts.
Password leaks happen all the time, and relying on passwords alone is no longer safe. That's why major websites and apps now offer Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). Authenticator apps are a popular 2FA tool that generates dynamic verification codes to protect your accounts alongside your passwords.
How does an authenticator app work?
An authenticator app works by sharing a unique secret key with the server where your account is hosted. When you first set up 2FA, the service generates this secret key and displays it as a QR code. Once you scan this code with your authenticator app, both your app and the service now possess the same secret - and only they know it.
Using this shared secret along with the current time, both sides can independently generate the same 6-digit verification code through standardized algorithms (typically TOTP - Time-based One-Time Password). When you try to log in, the service compares the code you enter from your authenticator app with the code it generated - if they match, you're granted access.
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape rect%2c%23mermaid-0 .image-shape rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointEnd'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 0 L 10 5 L 0 10 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='4.5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointStart'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 5 L 10 10 L 10 0 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='11' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleEnd'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='-1' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleStart'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='12' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossEnd'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='-1' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossStart'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath style='' class='edge-thickness-invisible edge-pattern-solid' id='L_s1_Space_4' d='M326.969%2c201.5L331.135%2c201.5C335.302%2c201.5%2c343.635%2c201.5%2c351.969%2c201.5C360.302%2c201.5%2c368.635%2c201.5%2c372.802%2c201.5L376.969%2c201.5'/%3e%3cpath style='' class='edge-thickness-invisible edge-pattern-solid' id='L_Space_s2_5' d='M436.969%2c201.5L441.135%2c201.5C445.302%2c201.5%2c453.635%2c201.5%2c461.969%2c201.5C470.302%2c201.5%2c478.635%2c201.5%2c482.802%2c201.5L486.969%2c201.5'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(478.96875%2c 0)' class='root'%3e%3cg class='clusters'%3e%3cg data-look='classic' id='s2' class='cluster'%3e%3crect height='387' width='318.96875' y='8' x='8' style=''/%3e%3cg transform='translate(140.8046875%2c 8)' class='cluster-label'%3e%3cforeignObject height='24' width='53.359375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eService%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_D_E_2' d='M167.484%2c99.5L167.484%2c105.75C167.484%2c112%2c167.484%2c124.5%2c167.484%2c136.333C167.484%2c148.167%2c167.484%2c159.333%2c167.484%2c164.917L167.484%2c170.5'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_E_F_3' d='M167.484%2c228.5L167.484%2c234.75C167.484%2c241%2c167.484%2c253.5%2c167.484%2c265.333C167.484%2c277.167%2c167.484%2c288.333%2c167.484%2c293.917L167.484%2c299.5'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(167.484375%2c 72.5)' id='flowchart-D-6' class='node default'%3e%3crect height='54' width='248.96875' y='-27' x='-124.484375' style='' class='basic label-container'/%3e%3cg transform='translate(-94.484375%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='188.96875'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eSecret Key %2b Current Time%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(167.484375%2c 201.5)' id='flowchart-E-7' class='node default'%3e%3crect height='54' width='173.234375' y='-27' x='-86.6171875' style='' class='basic label-container'/%3e%3cg transform='translate(-56.6171875%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='113.234375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eTOTP Algorithm%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(167.484375%2c 330.5)' id='flowchart-F-8' class='node default'%3e%3crect height='54' width='160.53125' y='-27' x='-80.265625' style='' class='basic label-container'/%3e%3cg transform='translate(-50.265625%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='100.53125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eCode: 284913%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg transform='translate(0%2c 0)' class='root'%3e%3cg class='clusters'%3e%3cg data-look='classic' id='s1' class='cluster'%3e%3crect height='387' width='318.96875' y='8' x='8' style=''/%3e%3cg transform='translate(143.03125%2c 8)' class='cluster-label'%3e%3cforeignObject height='24' width='48.90625'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eDevice%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_A_B_0' d='M167.484%2c99.5L167.484%2c105.75C167.484%2c112%2c167.484%2c124.5%2c167.484%2c136.333C167.484%2c148.167%2c167.484%2c159.333%2c167.484%2c164.917L167.484%2c170.5'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_B_C_1' d='M167.484%2c228.5L167.484%2c234.75C167.484%2c241%2c167.484%2c253.5%2c167.484%2c265.333C167.484%2c277.167%2c167.484%2c288.333%2c167.484%2c293.917L167.484%2c299.5'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg transform='translate(0%2c 0)' class='label'%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(167.484375%2c 72.5)' id='flowchart-A-0' class='node default'%3e%3crect height='54' width='248.96875' y='-27' x='-124.484375' style='' class='basic label-container'/%3e%3cg transform='translate(-94.484375%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='188.96875'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eSecret Key %2b Current Time%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(167.484375%2c 201.5)' id='flowchart-B-1' class='node default'%3e%3crect height='54' width='173.234375' y='-27' x='-86.6171875' style='' class='basic label-container'/%3e%3cg transform='translate(-56.6171875%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='113.234375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eTOTP Algorithm%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(167.484375%2c 330.5)' id='flowchart-C-2' class='node default'%3e%3crect height='54' width='160.53125' y='-27' x='-80.265625' style='' class='basic label-container'/%3e%3cg transform='translate(-50.265625%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='100.53125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eCode: 284913%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg transform='translate(406.96875%2c 201.5)' id='flowchart-Space-12' class='node default'%3e%3crect height='30' width='60' y='-15' x='-30' style='opacity:0 !important' class='basic label-container'/%3e%3cg transform='translate(0%2c 0)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='0' width='0'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
The setup process is straightforward:
- The service generates a unique secret key
- You scan the QR code containing this secret with your authenticator app
- The app stores the secret securely on your device
- From then on, both sides can generate matching verification codes when needed
Why are authenticator apps secure?
Authenticator apps offer impressive security. According to Google's research, they block 99.9% of automated attacks - that's 50% more effective than SMS verification. Let's explore why they're so secure:
Mathematical security
Imagine the challenge of breaking in:
- SMS codes: Like guessing a 6-digit number (1 million possibilities)
- Authenticator key: Like guessing an 80-bit number (more combinations than atoms in the universe)
Time-based protection
Code validity comparison:
- SMS codes typically remain valid for 5-10 minutes, creating a significant security risk
- Authenticator app codes refresh every 30 seconds, making them practically impossible to exploit
Offline generation benefits of authenticator apps
- No network transmission needed
- No SMS interception risk
- Immune to SIM card cloning attacks
Why can't hackers crack authenticator apps?
Think of it as a vault with an ever-changing combination:
- Changes every 30 seconds
- Requires both "secret key" and "exact time"
- Even if one code is stolen, the next remains secure
What you know (password) + What you have (authenticator app) + Time-based math = Nearly unbreakable protection
How to use an authenticator app: A step-by-step guide
Let's learn how to use an authenticator app through a practical example.
We'll demonstrate the process using Logto's authentication service.
Step 1: Download and set up your authenticator app from trusted sources
- Download a trusted authenticator app:
- Google Authenticator
- Microsoft Authenticator
- Install the app on your phone
- Complete the initial setup (create account if required) according to the app's instructions.
Step 2: Enable authenticator app support for Logto demo app
-
Sign in or sign up to Logto Cloud, and create your first tenant according the the onboarding guide.
-
Go to Console > Multi-factor Authentication, and turn on Authenticator app OTP and Backup code authentication factors and choose "Users are always required to use MFA at sign-in" as the 2-step verification policy, then click Save changes.
- Go to Console > Sign-in Experience > Sign-up and sign-in page, select Username as the sign-up identifier, and remove Email address from the sign-in identifier, then click Save changes,
Step 3: Scan QR code to link the authenticator app to your account in the demo app
-
Still in the Logto Console's Sign-in Experience page, click "Live preview" button in the top right of the Sign-in Preview"** section. Then you will be redirect to the demo app's sign-in page.
-
Click create an account button in the sign-in page, and enter your username and password to create an account, and then you will see a screen showing a QR code.
-
Open your authenticator app, and scan the QR code. Then you will see a screen showing a 6-digit code.
-
Enter the 6-digit code to confirm the binding, and then you will be redirected to a backup code page. Remember to save the backup code in a secure place.
-
Click Continue button, and you're successfully signed in to the demo app.
Step 4: Try to sign in to the demo app with authenticator app
-
When you've successfully signed in to the demo app, click Sign out the live preview button to sign out the demo app and return to the demo app's sign-in page.
-
Try to sign in to the demo app with your username and password, and you'll find that you need to enter a 6-digit code to sign in.
-
Open your authenticator app, enter the shown 6-digit code related to logto.app, and you're successfully signed in to the demo app!
How to safely use authenticator apps?
Authenticator apps are secure, but you need to use them correctly to get the best protection:
Download from trusted sources
- Get your authenticator app only from official app stores (Google Play Store, Apple App Store)
- Use popular apps from trusted companies like Google, Microsoft.
- Watch out for fake apps - they could steal your accounts
Keep your backup codes safe
- Save your backup codes somewhere safe offline or in a password manager
- Don't keep backup codes on the same device as your authenticator app
- It's smart to store backup codes in more than one secure place
- Check occasionally that you can still access your backup codes
Be careful during setup
When adding accounts to your authenticator app:
- Scan QR codes when no one else is around
- Never take screenshots of QR codes or secret keys
- Don't share secret keys through messages or email
- If you copy a secret key, clear your clipboard afterward
Other safety tips
- Use fingerprint or face unlock in your authenticator app if you can
- Back up your authenticator app regularly
- Keep your phone and authenticator app updated
- For important accounts, you might want to use a separate authenticator app
What if I lose my authenticator app?
Don't worry if you lose your authenticator app. When setting up 2FA, services provide backup codes - these are one-time emergency codes that you should store securely offline or in a password manager.
Popular authenticator apps offer backup features:
- Google Authenticator: Cloud backup to Google Account
- Microsoft Authenticator: Cloud backup and recovery
If all else fails, you can contact customer support for help.