Submitted URL: https://www.tomsguide.com/amp/news/mobile-auth-app-hack-rsa20
Effective URL: https://www.tomsguide.com/news/mobile-auth-app-hack-rsa20
DON'T RUN YOUR 2FA AUTHENTICATOR APP ON THESE SMARTPHONES

By Paul Wagenseil
last updated July 23, 2020

Apps like Google Authenticator are only as safe as the devices they run on

(Image credit: Morrowind/Shutterstock)


SAN FRANCISCO -- Don't use a mobile authenticator app on an old smartphone,
because the app is only as secure as the operating system in which it's running,
two security researchers said at the RSA Conference here earlier this week.



Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such
as Authy or Google Authenticator, for two-factor authentication is better than
using SMS-based 2FA. But, they said, an authenticator app is useless for
security if the underlying mobile OS is out of date or the mobile device is
otherwise insecure.



"You don't want the risk associated with 32-bit iOS," said Turner, adding that
you should use only iPhones that can run iOS 13. "In Android, use only the Pixel
class of devices. Go to Android One if you can't get Pixel devices. I've had
good experiences with Motorola and Nokia Android One devices."




Turner, who is the president and chief security officer of enterprise-security
provider HighSide, warned the audience to stay away from one well-known Android
brand.




"[German phone hacker] Karsten Nohl showed that Samsung was faking device
updates last year," Turner said. "Stop buying their stuff."



To be fair, Samsung was far from the worst offender among phone makers in the
study Turner cited, and the study authors later said "they got it wrong"
regarding Samsung's issues, without going into further detail. (Slides for
Turner and Weidman's presentation are available on the RSA website.)

The problem is that if an attacker or a piece of mobile malware can get into the
kernel of iOS or Android, then it can do anything it wants, including presenting
fake authenticator-app screens. 

"One of my clients had an iPhone 4 and was using Microsoft Authenticator,"
Turner said, indicating another authenticator app. "All an attacker would need
to do is to get an iPhone 4 exploit. My client was traveling in a high-risk
country, his phone was cloned and then after he left the country, all sorts of
interesting things happened to his accounts."


SOME ANDROID PHONES ARE SAFER THAN IPHONES

And don't think iOS devices are safer than Android ones -- they're not. There
are just as many known exploits for either one, and Weidman extracted the
encryption keys from an older iPhone in a matter of seconds onstage.

The iPhone's Secure Enclave offers "some additional security, but the
authenticator apps aren't using those elements," said Weidman, founder and chief
technology officer of Washington-area mobile security provider Shevirah, Inc.
"iOS is still good, but Android's [security-enhanced] SELinux is the bane of my
existence as someone who's building exploits."

"We charge three times as much for an Android pentest than we charge for an iOS
one," Turner said, referring to an exercise in which hackers are paid by a
company to try to penetrate the company's security. "Fully patched Android is
more difficult to go after."



ATTACKING FROM UNDERNEATH

Authenticator apps beat SMS texted codes as 2FA second factors because app codes
can't be intercepted over the air, aren't tied to a phone number and never leave
the device. But authenticator app codes can be stolen in phishing attacks, and
as we saw yesterday, by Android malware in screen-overlay attacks.

However, even the best training against phishing attacks and the best Android
antivirus apps won't stop attacks that come from the kernel, the underlying part
of the mobile operating system to which the user doesn't have access.

"What could possibly go wrong when installing a user-mode application with
sensitive cryptographic key materials on a platform with kernel
vulnerabilities?" Turner asked rhetorically.

Kernel vulnerabilities also can be used to hack two-factor push notifications,
which Google uses for its own accounts and which can't be phished. 

In short, "we need to move away from usernames and passwords," Turner said.


FINGERPRINTS AREN'T THE ANSWER, BUT THIS MIGHT BE

Asked about biometric authentication such as fingerprint readers and facial
recognition, Weidman said that it's "better than nothing when used in addition
to passwords."

Turner wasn't so sure.

"I am fundamentally opposed to using biometrics because it's non-revocable," he
said, citing a famous case from Malaysia in which a man's index finger was cut
off by a gang to steal the man's fingerprint-protected Mercedes. "Fingerprint
readers are biometric toys."

The only form of two-factor authentication without security problems right now,
Turner said, is a hardware security key such as a Yubikey or Google Titan key.

"I've got two Yubikeys on me right now," Turner said. "Hardware separation is
your friend."

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and
privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey
and video editor. He's been rooting around in the information-security space for
more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's
Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker
conferences, shown up in random TV news spots and even moderated a panel
discussion at the CEDIA home-technology conference. You can follow his rants on
Twitter at @snd_wagenseil.






8 Comments (from the forums)
 * BrodaFett
   As far as I'm concerned the Pixel is not an option with the pathetic amount
   of internal storage, no SD card slot, and the cheapened Google drive storage
   with significantly less free space that came with the 3, and the lesser
   quality photos are stored in. Google has all of the opportunity in the world
   to be the king...
 * ShottleBop
   The article linked to the claim that Samsung was caught faking updates says
   that, along with Google and Sony, Samsung was among the best at not skipping
   updates.
   
   And according to SnoopSnitch, my Galaxy S8 has every patch it's supposed to
   have.
 * Triggered dude
   Good points on security above, but privacy wasn’t addressed - in which case
   Apple destroys Google. Google tracks everything you do for monetization.
   Another thing worth mentioning is that the play store, while much improved,
   is still ripe with malware as opposed to the Apple AppStore, which does
   contain malicious items, but in much smaller numbers. The security
   researcher...
 * tsongming.ts
   This article seems a little biased, there are plenty of good, inexpensive
   phones that release security updates on track with Pixel and Apple. Is it
   possible that this article seems geared to please advertisers such as Google
   and Apple?
   
   "Among the top 10 smartphone makers, nearly 96% of Nokia smartphones, sold
   cumulatively since Q3 2018, is already running...
 * Triggered dude
   > tsongming.ts said:
   > This article seems a little biased, there are plenty of good, inexpensive
   > phones that release security updates on track with Pixel and Apple. Is it
   > possible that this article seems geared to please advertisers such as
   > Google and Apple?
   > 
   > "Among the top 10 smartphone makers, nearly 96% of Nokia smartphones, sold
   > cumulatively since Q3 2018, is...
   
 * f_d
   Mr. Hunter owes Samsung an apology. One should always check sources before
   shouting out such a sensationalistic headline at a venue like RSA, and the
   same goes for Tom's Guide author Wagenseil, especially since he covered the
   original 2018 paper and should have been aware of the response to it.
   
   Yes, the original Hack-in-the-Box paper claimed that Samsung...
 * Triggered dude
   > f_d said:
   > Mr. Hunter owes Samsung an apology. One should always check sources before
   > shouting out such a sensationalistic headline at a venue like RSA, and the
   > same goes for Tom's Guide author Wagenseil, especially since he covered the
   > original 2018 paper and should have been aware of the response to it.
   > 
   > Yes, the original Hack-in-the-Box paper claimed...
   
 * f_d
   Try Karsten Nohl's own site: https://srlabs.de/bites/android_patch_gap/
   Also read the updated slide deck .pdf where the following statement of
   apology was added "The initial version of this talk also showed a Samsung J3
   device as having multiple patch gaps. These gaps were measurement errors that
   have since been corrected for. Sorry, Samsung! "
   
   RSA is definitely NOT supposed to...