Google authenticator is pretty standard.

Do you remember those key fob things that some systems used to have, where you had to carry around a key fob with a little LCD screen that had a six digit number on it that would change every 30 seconds or a minute?

Authenticator apps are the same thing, just a software implementation in a device you already carry around.

The only thing they do is to follow an algorithm that produces a pseudo random number at regular intervals. The algorithm is seeded with a value that produces a sequence of numbers that can only be predicted by a machine running the same algorithm with the same random number.

The way you synch up is that the secure system generates the seed and you provide the seed to your device (usually through a QR code) so that your device and the secure system know the seed.

Then, from that point on, the secure system can verify that you are the holder of the device by asking you to provide the current number produced by your device running that sequence.

The only thing the app does is to (a) check what time it is, and (b) produce the pseudo random number based on the time and the seed.

On edit:

https://en.wikipedia.org/wiki/Multi-factor_authentication#Use_of_mobile_phones

In truth, I don't understand half of what you said, but appreciate the info just the same. (For the record, I'm an old lady who still uses a typewriter now and then.) It was easy when the process worked on my cell phone, don't know why it quit working. I'm just more than a little leery of downloading something unfamiliar to the computer that I so heavily rely on.

Is that people should enable multi factor authentication whenever they can.

Basically you enter your password on some device and then you get a text message with the code you have to enter to get access to your account.

This almost sounds like it could be using the code instead of a password plus a code? That wouldn’t be as good.

I'm just unclear on how screwed I am if something goes wrong with my phone.

Or a key fob thing? Or some other device?

As some kind of Luddite, even with a few leftover skeleton keys to the kingdom, I'm screwed.

Totally legit, just a way to get teh same kind of auth code you'd get on your phone.

Getting it set up can be a little confusing due to some arcane nomenclature, just make sure you have good instructions, and hopefully phone support

It's the "getting it set up" that has me worried. It's easy for younger folks who seem to have been born with the necessary chip implanted, but I don't understand much of the vocabulary or process. Sadly, I've grown accustomed to the eyeroll that usually accompanies my requests for tech explanations. Not being terribly excited at the prospect of screwing up my laptop by not understanding some "arcane nomenclature", I might decide to wait until one of those younger friends is available to assist.

.

You shouldn't have to know the nuts & bolts to make it work and, truth be told, it is often easier if you don't.

I can't tell you how many things I overthink and overcomplicate because I have a tech background that leads me to make assumptions that aren't valid in relation to some piece of consumer technology.

Once it is set up, it is exactly like getting the text message, but without getting the text message. You open the app, and the number is just there.

it's just one of the buttons to the right of the url bar.

the people at the organization should have instructions for you on how to initially set up authy. basically they usually give you a code or two you have to put in during setup (this tells authy your authorized to visit their site), and then you're done. You just have to make sure you put the right things in the right places.

To use, I go to the site I log in to, put in my user/pwd info (which is saved in my browser, so nothing to do there), then click the authy button, type my authy pswd in there, and get a code and click 'copy'. the login screen has an 'authy code' location, and I paste the code in (it's like a 2nd password), then click 'login'.

.

Contrary to the touted position, freeware is the most insecure software, as many of the application groups have been taken over by hackers, and nation state actors to inject code into the builds. Freeware proponents claim that their code is reviewed by multiple people, when in reality the only ones doing it are university academia, hackers and nation security teams. The latter do not reveal holes in the code, and since the code is in open source, they don't have to figure out how to disassemble it, since good firms use their own compilers and assemblers to generate unique object decks.

Many of these apps just borrow functions from open-source sites, to perform specialized functions. Most of the people generating the code cannot read the a dump of their own code, without using some form of interactive development tool.

RSA SecurID along with a cell phone or laptop VPN provides an acceptable level of security. Now, this is just to connect to the network of the site you are going to, then an external security manager userid/password structure controls further access.

.

infernal internet iBox.

All this just so I can log in to the AOL.