Please use Authy for 2 Factor Authentication (2FA)

David MatsoneNOC Technician; Owner at Matson Consulting and Concierge IT Services
Some time ago, one of my online accounts got hacked. I could have prevented that if I had only used 2FA.

Once I got to the point where I agreed that 2FA is an incredible thing, another hard-learned lesson for me was to use an authentication app other than Google Authenticator!
Two-factor authentication (2FA) is one of the best ways for a consumer to secure account access on pretty much any platform. Accordingly, if 2FA or MFA (multi-factor authentication) is offered on any platform that you currently use, then I strongly recommend that you take advantage of it.

When logging into any platform, your first "factor" is your password for that account. If you have set up SMS authentication, e-mail authentication, or an authentication app, then the code or link delivered by SMS, e-mail or the app is the second factor; hence the "two" in 2FA. That single EXTRA piece of information alongside your account password goes a long way in helping to secure your account. Some would argue that SMS and e-mail 2FA are bad because they are more readily bypassed by hackers. That is TRUE; however, in my book, any type of additional "factor" for authentication is a good thing, so even SMS and e-mail are better than nothing!

You see, 2FA isn't designed to make your account impenetrable. Instead, it merely presents an extra obstacle for a hacker or social engineer to deal with or bypass in order to "pull off" their hack, so in truth it just makes the hacker's job harder. Hopefully hard enough that they give up and move on to something that is a more cost-effective or productive use of their time, because "time is money", and that is especially true for a hacker. So in the end, it's just another layer of complexity to prevent unauthorized account access.

How does it work?
For each platform account (for example Facebook) that you would like to "secure" with 2FA, you create a corresponding 2FA "profile" in an authenticator app. When you need access to that platform account, you go to its login site as usual and enter your username and password (the first "factor"). You are then asked to input your second "factor" via SMS, e-mail or the authenticator app. You open your SMS, e-mail or authenticator app, obtain the token code (the second "factor"), and input it into the website.

When Google Authenticator utterly fails you.
How (and why) would a 2FA system like Google Authenticator (GA), which is meant to make your life so much more secure (and therefore better), instead make your life miserable?

Simple – when you lose your ability to generate your 2FA codes. How can this happen? Well, if any of the following scenarios happens to you, your GA world will come crashing down around you:

  • Your phone crashes and needs to be reset to factory settings.
  • You lose your phone.
  • You accidentally delete the wrong account from the app.

If any of the above happens, consider the logical progression: if you are effectively locked out of your authenticator, you can no longer generate the token codes that the app would have produced. Since your accounts now REQUIRE a 2FA token code for access, you are also blocked from those now thoroughly secured accounts!

You see, GA itself does not allow you to back up the codes for each token account AFTER you lose access to your primary device, nor does it offer multi-device access using only your primary device (you may use multiple devices only if you carry the second device with you and physically scan each QR code with both devices). Worse, GA does not provide additional layers of security for accessing the GA app itself, so in the case of a stolen mobile phone, the thief could be in control of your various accounts if they find a way to bypass your first factor (password).

My recommendation
I'm going to recommend another app that is far more feature-rich than Google Authenticator, called Authy. They were bought out by Twilio back in February of 2015, but the app works the same as it did before.

Just like with GA, you log into your FB account, go to settings, and instead of scanning the QR code with Google Authenticator, you scan it with Authy and presto, you've got a new Authy "account". Authy claims that all of the QR codes meant for GA will work 100% in Authy. Your FB account should now ask you to input the 6-digit code (note: you can also request 7- and 8-digit codes for more security) shown by Authy. This confirms to the website that you have correctly set up 2FA on the authenticator side.
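To make concrete what that QR code actually carries, and why a code generated by Authy is accepted where one from GA was expected, here is an added example, not code from the original article and not Authy's or Google's own code: a small Python implementation of the TOTP algorithm (RFC 6238) that both apps implement. The otpauth:// URI, the site name and the account name in it are constructed for this demonstration; the secret in it is the RFC 6238 reference key, chosen so the output can be checked against the RFC's published test vectors. The `digits` parameter is what lies behind the 6-, 7- and 8-digit codes mentioned above, and `verify_code` shows what the website does with the code you type in.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: the text an authenticator app reads out of a 2FA QR code.
# The secret is the RFC 6238 reference key ("12345678901234567890" in base32), so the
# codes this produces can be checked against the RFC's test vectors.
SAMPLE_QR_URI = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Extract the enrolment parameters from an otpauth://totp/ URI.

    The defaults (6 digits, 30-second step, SHA-1) are what authenticator apps assume
    when a site omits them. Nothing in the URI is app-specific: any app that implements
    RFC 6238 will produce the same codes from it, which is why a QR code made for GA
    enrols just as well in Authy.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    issuer = params.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    return {
        "label": label,
        "issuer": issuer,
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC(secret, time-step counter), then dynamic truncation.

    The code is a pure function of the shared secret and the clock. Lose the secret
    (phone wiped, no backup) and there is no way to compute the next code.
    """
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))  # tolerate unpadded secrets
    counter = unix_time // period
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(secret_b32, submitted, unix_time, digits=6, period=30,
                algorithm="SHA1", window=1):
    """What the website does with the code you type: recompute it for the current
    time step and a small window either side (to absorb clock skew between your
    phone and the server), comparing in constant time."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    enrolment = parse_otpauth_uri(SAMPLE_QR_URI)
    now = int(time.time())
    for d in (6, 7, 8):  # the 6-, 7- and 8-digit options a site may ask for
        print(d, "digits:", totp(enrolment["secret"], now, d,
                                 enrolment["period"], enrolment["algorithm"]))
    current = totp(enrolment["secret"], now, enrolment["digits"])
    print("site accepts current code:", verify_code(enrolment["secret"], current, now))
```

Two things worth noticing for the rest of the article: the only secret in the whole scheme is the base32 `secret` inside the QR code, so an authenticator app's "backup" or "multi-device sync" is nothing more than a copy of those secrets, which is exactly the trade-off discussed later; and the number of digits is chosen by the site at enrolment (the `digits` parameter), so a 7- or 8-digit code is the same computation truncated less.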

How is Authy better than Google Authenticator?
So how is Authy better than GA? If only GA offered the following options, you might still be able to use it after losing your phone!

  • OPTIONAL multi-device functionality: If you have a tablet and a PC, you can run Authy on both in addition to your mobile phone and sync all of your 2FA accounts across all devices. If one of the devices is lost or stolen, you can still access your Authy accounts on your remaining devices, and you can then deactivate the lost or stolen device to prevent unauthorized access.
  • Authy also runs on more than just the two major mobile OSes; it supports Apple Watch and Microsoft Windows PCs in addition to the obvious Android and iOS.
  • OPTIONAL encrypted cloud recovery backups: Authy lets you keep encrypted backups in the cloud.
  • OPTIONAL use of three additional password protection types: backup passwords, master passwords, and PIN protection.
 
Migrating from GA to Authy
Now, converting from Google Authenticator is perhaps the hardest sell at this point, but I am happy to share that it only took me about an hour of work to migrate all of my 20+ tokens. The process must obviously be done while you still have access to GA, so there is no better time to migrate than the present. To start, make sure you already have Authy installed on your mobile device and have already created an Authy account.

  1. Sign in to each of your 2FA-protected accounts using whatever 2FA solution you are currently using.
  2. Once you are signed in, disable 2FA protection on that account.
  3. Now, go ahead and re-enable 2FA protection for that account, and this time, use your new Authy App on your mobile device to snap that QR code. Authy is 100% compatible with GA QR Codes.
  4. As part of configuring that account for Authy 2FA, expect each site to ask you to input your Authy code to confirm the change (migration). Input the code.
  5. Your account should confirm that 2FA is now enabled once more.

Once you are done migrating, please revalidate each of your 2FA accounts.
Once you are done migrating to Authy, please take the additional time to recheck each account in the new Authy authenticator. It took me less than 10 minutes to recheck all 20 sites, but now I can rest easy knowing that each account is not only protected by 2FA, but also that I won't be locked out of those accounts, because I use Authy instead of Google Authenticator. If I were still using GA, I could lose it all if I lost or had to hard-reset my phone.

Now, for added security, I have added a tablet and a desktop PC to my Authy account. Some might argue that this actually reduces the security of the accounts, and I can accept and agree with that point of view. However, I would point out that it is far more likely that I will break or lose a device than that someone sneaks into my house and makes off with one of them. So if any of my devices breaks or is lost, I am not locked out of my 20 2FA accounts, simply because I can now access them from multiple devices. Since I have at least two other devices linked to my Authy account, I am also able to dissociate a linked device should it be lost or stolen.

I hope this helps you understand these two points going forward:

  • 2FA (or MFA) is a good thing in and of itself, so use it if you can!
  • Avoid using Google Authenticator if you can, use Authy instead!

Any authentication app can be both a good and a scary proposition, so I recommend that you use one you can trust. Based on the above, I hope you will agree that Google Authenticator is not that app, and hopefully Authy sounds like a better offering than any other authentication app. But don't just take my word for it. Try out Authy and any other app you'd care to. Do your own research. But please be aware of the gotchas that are waiting for you if you choose Google Authenticator.

This article was originally published on my blog "In My Mobile World" on Feb 6th 2021.

Comments (2)

Alan (Consultant):
Hi David,

Great article. I have been using both Google Authenticator and Microsoft's Authenticator for a while now - I haven't tried Authy so far, but will do now, having read your article.

With respect to the possibility of getting locked out of GA, I have copied the ten (?) backup codes that Google offers to get into my Google Account to what I regard as being as close to a 100% secure location as can be achieved (completely outside of Google), which means that I (hopefully) cannot get locked out of my Google account (at least by losing my phone), and could therefore re-install GA on a new device if / when I ever need to (say, my phone dies suddenly).

Am I correct in thinking I have that nuclear risk covered, or have I missed something?

Having said that, I will still be evaluating Authy as an alternative.

Thanks,

Alan.
David Matson (Author) commented:
You are correct, Alan; securely backing up your Google recovery codes *should* allow you to escape the nuclear option. A lot of folks simply didn't take that step seriously and suffered the consequences.

However, one of the two people I interviewed who thought that they had saved their codes correctly found that the codes did not work for them (the other found that they didn't actually save the codes or misplaced them).  There's obviously room for human error in this scenario, and he admitted to me that he could have simply had codes for something other than Google Authenticator, which would certainly answer the question of why they did not work for him.
