We don’t usually review android apps, but this one is worth a mention, especially if you have to deploy second-factor-authentication (2FA) in your IT systems (as we do). The Google Authenticator 2FA app is perhaps the most common app, and it was one we used for providing 2FA login for our key accounts…until now.
We have always had an issue with Google’s 2FA on the android devices. Modern android phones are unlocked via bio-metric settings, which sounds really cool, but we think they are really weak. Fingerprints, faces and even voices can be all used to “conveniently” unlock android devices. Breaking into an android phone is thus easy for the determined hacker who has physical possession of an android device (e.g. phone). This makes all the apps on an android device susceptible to “easier” hacking, because once you bypass the weak bio-metric login, the entire device is at your disposal. Add to that, the major security weakness caused by the “convenience” of having passwords auto-entered for logging into regularly visited web sites by your browser (like e.g. Google’s Chrome password-manager) then it’s relatively EASY to find that secure sites are actually less secure on a lost/stolen, unlocked android phone: the second factor might be the ONLY factor preventing unauthorised account access And if you have 2FA deployed, even that’s no good if your 2FA code generation app is on the lost/stolen phone. The codes are on available by simply opening the app. In our opinion, this contributes to our view that android phones are a WEAK POINT for security.
Enter ‘Protectimus Smart OTP‘ – a relatively new android app that is another implementation of the Google App. It too can be used to scan QR codes and produce 2FA login credentials. BUT, this app has a separate PIN that you can optionally configure to open the app…so it can’t be opened with the standard android device login credentials (like a fingerprint), as shown in the screenshot below:
The app is built well: even if you try to use the task-switcher (built-into most android devices), the app cleverly hides the 2FA codes. We know: we checked! You have to UNLOCK the app to use it, as shown below:
Very nice! By comparison, Google’s 2FA app is MUCH less secure and offers no protection to a lost/stolen, unlocked android device.
We think this is app represents a BETTER 2FA implementation for android devices and thus represents a small improvement to our data and device protection. So, we are using the ‘Protectimus Smart OTP’ app on our android devices. We also know that this is just an IMPROVEMENT, it’s not an excuse to not further improve account/data security, but we think this is a step in the right direction. Our thanks to the folks at Protectimus!
The app is FREE. More information can be found at the Protectimus site – https://www.protectimus.com/
UPDATE 9-Sep-18: the app got broken by an Android P update, but the folks at Protectimus have been informed and are field-testing their fixed app now, so hopefully it will be back with us soon. The issue only seems to affect Android P devices (i.e. our Pixel 2 XL devices).
Happy 2FA’ing.