Does It Matter Which MFA App I Use?

Though most sites and services that offer multi-factor authentication (MFA, or 2FA) will recommend using a particular app, in most cases it probably does not matter. MFA apps work in a couple of different ways, and that is the key to answering this question.

Approve/Deny Buttons

Web sites and services that integrate directly with the app can send, or "push," a prompt to the phone allowing you to either Approve or Deny the login. This type of connection is easier to use but the site being used needs to communicate with the MFA service provider. So, if this is supported by the site you should use the app the site suggests. While convenient, this is less common because it's less friendly to require multiple apps. So while a given company may standardize on one app for internal use, most web sites will have you use a series of numbers.

Numbers! Lots Of Numbers...

Other times the site/service only supports a temporary code, known as a Time-based One-Time Passcode (TOTP). A TOTP code uses an algorithm to calculate the number based on the current time. Each code is then valid for about 30 seconds. While the time on your phone needs to match the server, most devices sync time automatically (if your codes ever don't work, check that the time is correct).

Most sites will recommend a specific app like Google Authenticator but in reality it does not matter which app is used. When they offer a QR code you can scan it with Duo or Microsoft Authenticator or any other MFA app.

Back Up!

Regardless of what app you use, we highly suggest enabling its internal backup function. Many apps have one, and that makes it easy to transfer accounts to a new phone. Usually the app will use either your iCloud storage (free from Apple) or assume you have Google Drive or some other storage (Android). Then the app usually requires a personal account/password in order to verify it's actually you restoring accounts to the new phone. Notably, Microsoft's Authenticator app stores this data with Microsoft for Android devices, to eliminate the storage requirement.

If your MFA accounts are not backed up, then your only recourse is to either use the recovery code(s) provided when you activated each new MFA account, or have someone with access reset your account so you can set up MFA again. If there isn't anyone else and you need to contact the company, they will probably not do that easily, for security reasons. Since a manual recovery has to be done for each account individually, this gets more time-consuming the more MFA accounts are in use.

May 2022
