2FA is fragile, but here is a quick fix!

Jay Prakash, Ashutosh Dhekne



Two-factor authentication (2FA) tries to stop a thief who has your password from accessing your account by asking you to authorize the access from a registered token device, such as your phone. It relies on a simple premise: the user must prove that they “know” something (the password) and that they “have” something (access to their phone).

This method works well when an adversary is trying to gain access to your accounts remotely. However, given that almost 70 million phones are stolen or lost each year [2], it is natural to ask whether 2FA holds up when the registered token device falls into the wrong hands. If an adversary holding a stolen phone is also able to break the password, the second factor becomes meaningless: the adversary already “has” the registered device and can simply approve the second-factor prompt immediately.

Our suggestion for authenticator apps such as Duo [3], Authy [4], and Google Authenticator [5] is to lock the phone and show the lock screen, forcing the user to unlock it before the app displays the authentication code or allows an approval. Someone trying to access an account from a phone would then have to prove that they (1) “know” the account password, (2) “have” the mobile phone, and (3) “know” the phone’s unlock PIN or pattern. This makes a stolen, unlocked phone harder to misuse. Notably, the method applies to both forms of 2FA in common use: time-based one-time passwords (TOTPs) and push-notification-based approval. An attacker would need to unlock the phone using the phone’s strong authentication (PIN, pattern, or password) before reading the app’s authentication code or confirming an approval.
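The following Kotlin sketch is an added example, not code from the paper or from any of the authenticator apps it names. It shows one way an Android authenticator could implement the proposed gate: the app refuses to act if no screen lock is configured, otherwise it raises the system credential prompt and only computes a TOTP (RFC 6238, HMAC-SHA1) or fires a push-approval callback after the unlock succeeds. It assumes the AndroidX Biometric library (`androidx.biometric`), a `FragmentActivity` host, and a TOTP secret already provisioned by the app; the class and function names (`UnlockGate`, `totp`) are the example’s own.

```kotlin
// Added example (not from the paper): gate the 2FA code and push approval behind the device lock.
// Assumes androidx.biometric on the classpath and a FragmentActivity host.
import android.app.KeyguardManager
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.nio.ByteBuffer
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

/** RFC 6238 TOTP over HMAC-SHA1, 30-second step, 6 digits (the common default). */
fun totp(secret: ByteArray, unixSeconds: Long, stepSeconds: Long = 30, digits: Int = 6): String {
    val counter = unixSeconds / stepSeconds
    val msg = ByteBuffer.allocate(8).putLong(counter).array()
    val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(secret, "HmacSHA1")) }
    val hash = mac.doFinal(msg)
    // Dynamic truncation (RFC 4226 section 5.3).
    val offset = hash.last().toInt() and 0x0f
    val binary = ((hash[offset].toInt() and 0x7f) shl 24) or
            ((hash[offset + 1].toInt() and 0xff) shl 16) or
            ((hash[offset + 2].toInt() and 0xff) shl 8) or
            (hash[offset + 3].toInt() and 0xff)
    var modulus = 1
    repeat(digits) { modulus *= 10 }
    return (binary % modulus).toString().padStart(digits, '0')
}

/**
 * Requires a fresh device unlock (PIN, pattern, password or strong biometric) before
 * running [onUnlocked]. Used for both TOTP display and push approval, so a thief holding
 * an unlocked phone still has to know the screen-lock credential.
 */
class UnlockGate(private val activity: FragmentActivity) {

    fun requireUnlock(onUnlocked: () -> Unit, onDenied: (String) -> Unit) {
        val keyguard = activity.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
        if (!keyguard.isDeviceSecure) {
            // Without a screen lock there is no third factor to check; refuse rather than fall open.
            onDenied("No screen lock configured; second factor unavailable.")
            return
        }
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onUnlocked()
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onDenied(errString.toString())
            }
            // onAuthenticationFailed() fires per wrong attempt; the prompt keeps running.
        }
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock to use your sign-in code")
            // DEVICE_CREDENTIAL makes the PIN/pattern/password an accepted path; no negative button is allowed then.
            .setAllowedAuthenticators(
                BiometricManager.Authenticators.BIOMETRIC_STRONG or
                        BiometricManager.Authenticators.DEVICE_CREDENTIAL
            )
            .build()
        prompt.authenticate(info)
    }

    /** TOTP path: the code is computed only after the unlock succeeds. */
    fun showCode(secret: ByteArray, render: (String) -> Unit, onDenied: (String) -> Unit) =
        requireUnlock({ render(totp(secret, System.currentTimeMillis() / 1000)) }, onDenied)

    /** Push path: the approval request is sent only after the unlock succeeds. */
    fun approvePush(sendApproval: () -> Unit, onDenied: (String) -> Unit) =
        requireUnlock(sendApproval, onDenied)
}
```

Two design points worth noting. First, the check is fail-closed: a phone with no screen lock gets no code at all, since there is nothing to “know” on the device. Second, this gate lives in the app’s UI, so a stronger variant would store the HMAC secret in the Android Keystore with user authentication required on the key itself, which makes the operating system enforce the unlock even if the app’s screen logic is bypassed; that extension is a suggestion, not something the paper specifies.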


References
[1] https://developer.android.com/reference/android/app/admin/DevicePolicyManager#lockNow()
[2] https://www.forbes.com/sites/steveolenski/2017/12/08/is-the-data-on-your-business-digital-devices-safe/?sh=2f7ae4564c6a
[3] https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app
[4] https://authy.com/
[5] https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_SG&gl=US