This article originally appeared in TidBITS on 2014-11-06 at 6:49 a.m.
The permanent URL for this article is:
Include images: Off

Authy Protects Your Two-Factor Authentication Tokens

by Josh Centers

Digital security has been a hot topic this year. Between the theft of private celebrity photos (see “iCloud Flaw Not Source of Celebrity Photo Theft [1],” 2 September 2014) and multiple credit card leaks, it’s hard not to feel a little paranoid.

One of the best ways to improve your online security game is two-factor authentication. In short, two-factor authentication adds an extra layer of security to your password (something you know) in the form of a number that’s regenerated every few seconds, either by a dedicated device or a mobile app (something you have).

The free Google Authenticator [2] has become the de facto industry standard in two-factor authentication. You can use it with your Google account, but it’s also compatible with Dropbox, Evernote, Facebook, Tumblr, and many other online services.

While Google Authenticator gets the job done, it has a number of potentially significant limitations. It offers no backup or sync, so if you lose the device it’s installed on, or wipe the data off that device, you’re in for a world of hurt (for an example, see “Dancing the Two-Step: Coping with the Loss of a Second Factor [3],” 28 August 2013). One Google Authenticator update accidentally wiped everyone’s two-factor tokens [4], preventing users from logging into their accounts.

Thankfully, there’s an alternative: Authy [5], which is free for iPhone and iPad [6] in the App Store.

Authy has numerous features that Google Authenticator lacks. Authy can back up your two-factor tokens to the cloud, so if you wipe your phone or get a new one, you can restore those tokens and not be locked out of your accounts. Authy can also use the cloud to sync to your other devices, and the app is universal, so it works equally well on your iPhone or iPad. And if you own a newer Mac with Bluetooth 4.0 LE (I sadly don’t), you can take advantage of the complementary Authy Bluetooth [7] app to insert your two-factor tokens on the Mac automatically, with no additional typing required.

Authy’s Tradeoffs -- Hearing that Authy uploads your two-factor tokens into the cloud might make you nervous. But keep two things in mind. First, cloud-based backups [8] are entirely optional and are off by default. Second, Authy encrypts your backups on your device before uploading them.

Regardless, as with all security decisions, Authy’s cloud features come with a tradeoff. Whenever you store sensitive information on someone else’s server, you increase the risk that it will be stolen, even if only infinitesimally. But also consider the benefits. With Google Authenticator, if you lose your iPhone, you lose access to your accounts, at least temporarily. Which scenario is more likely and/or more frightening: a single account being hacked, or losing access to all accounts due to a software glitch or a broken phone?

Authy also adds a critical security feature that Google Authenticator lacks: the option to lock the app with a PIN or Touch ID, so a thief who got past the device’s overall passcode can’t view your tokens.

Even if Authy were found to be vulnerable, online accounts protected by two-factor authentication would still be more secure than those that rely solely on a password. In addition to cracking the account password, an attacker would also have to crack your Authy password. Conversely, even if an attacker were to infiltrate your Authy account, the tokens would be useless without account passwords. Such accounts are still twice as hard to hack as those that have only a password.

For me, the decision to use Authy is simple. It lets me protect my accounts with two-factor authentication, and it reduces the likelihood of the problems from which Google Authenticator suffers.

Using Authy -- Authy is pretty easy to use, as two-factor authentication goes. First, you need to set up an account token. Tap Add Account at the bottom of the screen, and then either scan the QR code provided by the online service, or enter a provided code. The specifics of how you obtain either will be different with each service.

Once you’ve added one or more accounts, they appear at the bottom of the screen. If you have more than four, the row of buttons at the bottom of the screen turns into a drawer that you can expand to see additional accounts and the Add Account button. To display the necessary time-limited token that you need to enter to log in to a two-factor-protected site, simply tap an account. Be mindful of the timer — a token typically lasts only 30 seconds before it expires. If there are only a few seconds left in a token’s life, it’s easier to wait for the next one. If you’re logging in from the iOS device itself, you can also tap the blue copy button next to the token to put it on the clipboard.

[image link] [9]

If you want to manage accounts or set up additional security protections, tap Settings in the upper right. In the Settings screen, the My Account pane lets you set what phone number and email address are tied to your Authy account. These are important: when you move to a new iPhone, Authy will ask you to use one of these contact methods to prove your identity. You can also set a Protection PIN and/or Fingerprint Protection here, which I recommend. If your device supports Touch ID, I think it’s silly not to enable Fingerprint Protection, because it adds that much more security with little hassle.

[image link] [10]

The Accounts pane lets you manage your tokens and set better names, but perhaps more important to new users, it’s also where you set up cloud backups and change your backup password.

The Bluetooth pane merely lets you allow Authy to use Bluetooth to talk to the Authy Bluetooth app, if that option is available to you.

Finally, the Devices pane lets you set up and manage multi-device support. Activating other devices works by what Authy calls Inherited Trust [11]. In other words, when you try to use the same Authy account on another device, you must approve it from an already authorized device. In practice, this seems like a good balance between security and convenience.

Boarding Up the Windows -- These days, digital security is kind of like a zombie apocalypse movie. You can stock up on supplies and board up the windows, but sooner or later, probably through simple human error, a zombie will break in.

But just because your efforts may be futile in the end doesn’t mean you stop nailing boards. At the same time, you don’t want to put up so many that you can’t get out when you need food.

That’s roughly how I see Authy. While, by the developers’ own admission, its cloud features can potentially make you less secure, they also make it harder to lock yourself out of your digital house.

Also keep in mind that Authy does only one thing — it’s not a silver bullet for online security. It won’t prevent your credit card number from being stolen from a retailer, nor, thanks to Apple’s weird two-factor authentication implementation, could it have prevented Jennifer Lawrence’s pictures from being stolen.

Authy is just another tool in your security kit, but a useful one that makes two-factor authentication less intimidating.