I want to talk to you about two-factor authentication and why you should use Authy to generate codes on your phone.
Oh, come on! Don’t give me that look. I know you don’t want to think about this stuff. It’s roughly like having an insurance salesperson look you in the eye and ask you if you’ve thought about what will happen to your family after you’re gone. But stick with me for a few paragraphs, at least until I get to the geeky details at the end.
Two-factor authentication (2FA) adds an extra step to the process of logging into an account – LastPass or your Google account, for example. The extra thing might be a code sent as a text message to your phone or a number generated by an app on your phone.
The combination of 2FA and a password is far more secure than having just a password, even if the password is complex. This is the important part. From a security perspective, it’s like night and day.
Using an app on your phone is more secure and more convenient than waiting for a code to arrive as a text message.
Authy is the best way to set up 2FA. It’s a free app for iOS and Android. It’s similar to Google Authenticator (and fully compatible with all sites that can be set up with Google Authenticator), but it has some significant advantages: Authy can be secured on the phone; it can be securely backed up and transferred seamlessly to a new phone; and it can be used on a computer.
The basics of two-factor authentication
When two-factor authentication is turned on for one of your accounts – Google, LastPass, your bank – you have to enter your password, PLUS you have to supply a code sent by SMS or a number generated by an app.
When you set up two-factor authentication, your account is still secure even if the password is hacked. If an account is secured by 2FA, then the bad guys can’t get into the account even if they get the password. They’ll be asked for the other thing – the text message code or the number from the app on your phone – and they won’t have any way to supply it.
Some services (including LastPass and Google) allow you to check a box for the service to trust the device that you’re using at that moment – perhaps permanently, perhaps for two weeks or a month. When you use that service, you won’t be asked for the code because you trust your own phone or your laptop. The effect is that the inconvenience is minimized day to day, but you still get increased protection, because the extra step will still be required if anyone tries to sign in to your account from another device.
Use an authenticator app instead of text messages
Text messages are the most common way to handle two-factor authentication. Your account is set up so it cannot be opened until a six-digit code is typed in. The code is sent by text message to the phone number that you have on file.
For security, this is far, far better than nothing. Seriously, if there is any way to turn on 2FA for a sensitive account, you should use it, even if an SMS code is the only option.
Authenticator apps are easier to use and more secure than text messages, because bad guys can hijack SMS codes. From Wired:
“Unfortunately, it isn’t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number—either with a phone call to customer support or walking into a phone store,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.
Not all services support all authenticator apps. Google Authenticator is the most widely supported; almost every site that supports 2FA works with Google Authenticator. Down below, I’ll tell you other reasons I recommend Authy, but an important one is that it is fully compatible with Google Authenticator.
After you install the authenticator app on your phone, setting it up for one of your accounts is usually easy. Log into your LastPass Vault, for example. In Settings / Account Settings / Multifactor Options, choose two-factor authentication with Google Authenticator. In the next window, you’ll see a barcode. On your phone, you’ll open Google Authenticator or Authy and hold it up so the camera can see the barcode. That’s all there is to it. In a second or two, the authenticator app begins generating codes for LastPass.
Why Authy is the best authenticator app
Tech articles frequently tout apps that have the most “features,” without considering whether the extra functions actually matter to real people.
Authy has unique extra features that are important for everyone. I wouldn’t recommend it otherwise.
Let’s compare Google Authenticator and Authy.
Ease of use
Google Authenticator is swell. It’s simple and easy to use and free. It is the most widely supported authenticator app.
Authy is also swell, also simple, also easy to use, also free. It has one significant advantage over, say, the authenticator apps from Microsoft and LastPass: Authy can be used at any site that supports Google Authenticator.
It’s a tie so far.
If your phone is unlocked, Google Authenticator starts right up when you tap the icon. Authy can be set up so that a PIN or fingerprint is required before the Authy app opens. The risk of someone reading codes off your unlocked phone is pretty small, but it counts. Advantage Authy.
Lost or stolen phone
Remember, each account is set up separately to work with an authenticator app. If you set up 2FA for your Google account, for LastPass, for your bank, and for one or two other accounts, and then your phone is lost or stolen – well, it’s a pain to get access to those accounts. The whole idea of 2FA is to make it difficult or impossible to access those accounts from a different device. If it were easy – if you could reset 2FA with nothing more than typing in your mother’s maiden name – well, then, 2FA wouldn’t be much extra security, would it?
Security digression: The weakest link for security today is frequently the process of resetting a password, rather than the password itself. That’s why the bad guys try so hard to get the password for your mail account. Once they’re in your mailbox, they can reset all the other passwords that require only a click on a link in an email message.
Google Authenticator doesn’t help you with resetting 2FA for a lost or stolen phone. For each account, you’ll have to go through phone calls or a lengthy sequence online to establish your identity and authorize a new phone.
Authy can back up your 2FA information in a secure way online, so it can be restored on a new phone and have you up and running immediately.
This is Authy’s most important advantage. Authy uses the same technique that LastPass uses to keep your information secure: your 2FA account information is encrypted on the phone and secured with a backups password. Authy gets only an encrypted blob. There would be zero risk even if bad guys hacked Authy’s servers and stole everything. When you get a new phone and install Authy, your new phone downloads the blob and decrypts it with the backups password. You’re connected to your 2FA accounts automatically and instantly. Here is Authy’s explanation of the security that protects your online backups.
Do not forget the Authy backups password
It’s just like LastPass. If you forget the Authy backups password, you’re locked out. You will take out your anger on your pets and nearby loved ones.
The best place to record the Authy backups password is in LastPass.
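An added example (not Authy's code) of the shape of the backup scheme described above: the 2FA secrets are encrypted on the phone with a key stretched from the backups password, the server only ever holds the resulting blob, and a new phone can open it only with that password, which is also why a forgotten password locks you out. To run on the standard library alone, an HMAC-SHA256 counter-mode keystream stands in for the AES cipher a real implementation would use; the sample secrets and passwords are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed sample of what the app backs up: the enrolment secrets per account.
SAMPLE_SECRETS = {"ExampleVault:alice@example.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}


def derive_keys(password, salt):
    """Stretch the backups password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    for block in range(0, length, 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_backup(secrets, password):
    """Runs on the phone: returns the opaque blob that is all the server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    plain = json.dumps(secrets).encode()
    ct = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def decrypt_backup(blob, password):
    """Runs on the new phone: wrong password or tampered blob -> None."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)
```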
Geeky details about setting up Authy for maximum security
- In the Authy settings for App Protection, set it to require a PIN or fingerprint to unlock the app.
- In the Authy settings for Accounts, turn on Backups and assign a backups password. Write it down or record it in LastPass.
- In the Authy settings for Devices, turn on Allow multi-device. On your desktop PC or laptop, log into the Authy website and add your computer as an additional authorized device. The computer copy of Authy will have a separate master password, different from the backups password. Here is Authy’s explanation of its different passwords. Write it down or record it in LastPass.
- Once that’s done, go back to the app and turn off multi-device. Here is Authy’s explanation of why that is the final step to prevent anyone from hacking into your account and adding a rogue device.