Christian Heilmann

So, you want to safely authenticate with 2FA? App stores are still not the solution – “why the web is dead” revisiTED

Monday, February 20th, 2023 at 1:14 pm

Eight years ago I spoke at a TEDx conference where I vented my frustration at the app and app store model. I specifically called out that Apps are to me the biggest step back in software and content distribution we could do. Instead of an on-demand platform like the web where we could get the weather by typing “weather berlin” or even talk to our phone, we got asked to download, install and most likely sign up for an app instead. It doesn’t scale, it puts the publisher before the user and it isn’t technically necessary with the web platform having evolved immensely in the last years.

Fast forward to now. Twitter just announced that it will turn off SMS two factor authentication for its users, and people should use an authentication app instead. This is an extra hassle, but authentication apps are safer than text messages. And as only a small percentage of free Twitter users have 2FA enabled anyways, this makes sense for Twitter financially.

So I went to the Google Play store to get the Microsoft Authenticator app. I had this one on my company phone before and I am used to it. Going to the store and searching for “Microsoft Authenticator App” without any typos does not give me the official app as the first result. Instead I get “Authenticator App 2FA” by Pixster Studio.

[Screenshot: search result in the Google Play store for “Microsoft Authenticator App” showing a different app as the first result. The listing of the Pixster-owned app shows that this authenticator has ads and in-app payments.]

I noticed this and didn’t install the wrong app. But most users would probably go for it despite the tiny “sponsored” label above the listing. I’m not judging the quality of the app, but looking at the company’s portfolio on the app store you get the feeling that they are very quick to offer look-alike apps for whatever topic is currently hot. There’s a ChatGPT clone, a Wordle clone and my favourite, “hashtags for insta”…

I don’t know – maybe the app is amazing and bulletproof secure. But I for one am not too happy about an authenticator app that shows ads or asks for in-app payments. Security should never be something I have to pay extra for.

This is exactly what app stores were advertised to prevent. The web was a wild, untamed and terribly unsafe place full of software you can’t trust. App stores, instead, are curated and safe havens of only tried and tested, genuine software. Until someone pays enough to get their app listed with the right keywords. I’d even wager that listing a web site as “Authenticator App 2FA – Secure Microsoft Authenticator”, as it is in the app store, would get you a call from Microsoft’s lawyers, as there is no affiliation. But in the store, that’s just good marketing. Or is it?

I have quite a few more things to say. Maybe it is time to revisit this talk and give it somewhere else?
