App Review: Authy – the best way to manage Two-Factor Authentication

Security is becoming more and more of an issue in this day and age.  We trust more and more of our work, personal lives, and data to services and companies.  However, no system is perfect and information leaks, including your passwords, are an unfortunate reality.  A good, long, difficult to guess password is the best first step, but after that you should use Two-Factor Authentication.  Authy is the app to help with that.

What is Two-Factor Authentication?  On most sites, you enter your username and password, and you’re into your profile.  But that also means that if that password is compromised, someone else can get into your account.  While this may not matter for some sites, a bad guy getting into sites like PayPal or your bank now has instant access to your money, and if they get your email they may be able to reset your passwords and get into every website you use with that email.  Two-Factor Authentication helps with this by prompting you for a special code after you type in your password.  That code is sent to, or generated on, a device you own, such as your phone.  Since a bad guy won’t have access to this device, they can’t get into your account, meaning you’re still safe (you should still change your password if this happens).

Some services will send text messages, which is better than nothing but less secure due to the nature of text messages.  Instead, you can and should set up an authenticator app that holds the keys for you.  Each site works a little differently, but almost all of them will work with Authy.  Authy is a free app available for iPhone, iPad, and Android on mobile, as well as Mac and PC.  You can also download an extension in the Google Play Store and an app for your Apple Watch.

To get started, when you decide to set up Two-Factor on a service, say your email account, the site will typically give you a code to type in or a QR code to scan.  Using the Authy mobile app with camera access, you can scan that QR code, and Authy will give you a code to type back into the website to confirm it’s set up.  If you can’t use the camera, the site doesn’t support QR codes, or you are particularly worried about privacy, you can decline camera access and type in the text equivalent of the QR code instead.  Authy will then generate a six-digit code that you type into the website to finish setting it up.  From then on, any time you log into that service from a new browser or device, you’ll be prompted for your password and the six-digit code Authy is showing at that moment.

The Authy interface is very straightforward, easy on the eyes, and fairly user friendly.  Authy lists your services as little squares with the service’s logo and the name you give it.  By default this is the service name and your username, but you can change it to just your username, or even some other string of text.

Authy’s interface on iOS (image source: Authy)

I think it would be nice to have it be blank for some services, but at least I can set the short handle to be the service name for a little extra layer of privacy.  When you need that code, just select the service square, and the code appears at the top with a timer in the corner showing how much time you have until the code changes again.  It even has a copy button so you can quickly copy that code over to another app or site on your phone.

Authy also keeps security front of mind.  There is a setting for a separate PIN for Authy, so that even if someone gets your phone they have to know that code to get in.  If you use Touch ID or Face ID, you can also have the app grant access with one of those instead.  An even nicer touch is that the app can be set to ask for this every time you open it, if you really want to protect yourself.  The one caveat is the PIN can only be 4 digits long.  I’d like there to be more secure options, such as a 6-digit PIN, or even a normal password if I wanted, but having the option is better than nothing.

By default, Authy only allows access to the codes on a single device.  If you want, you can enable multi-device support so you can access these codes on other devices you trust; you just have to create a free account with Authy using your email address, a password, and a phone number.  From a security perspective this is less secure, because it means there are more places where the codes could be compromised.  That said, some people need that convenience, and it is a service that I appreciate being offered.

Authy multi-device settings on iPhone

Authy also recognizes the trade-off and does certain things to help mitigate the risk.  As mentioned before, you have to enable multi-device access and set it up; it isn’t turned on by default.  If you do enable it, Authy lets you see all the devices where the app is being used and lets you rename them or revoke their access at any time.  You can even disable multi-device access and go back to just your phone if you need to.  Authy will also regularly ask you to type in your password to make sure you haven’t forgotten it.  This prompt can be annoying, but it seems to be a trade-off the developers are willing to make so you don’t lose access to your codes if you want them backed up.

Authy’s security also extends to the very technical side of things.  According to Authy, the codes are all encrypted on the device before they are sent to Authy.  The encryption system and methods they use are well known, vetted, and standard in the industry.  If you want a deeper dive, you can check out their blog post on how their cloud backups work.  In short, it’s very reliable and seems to take the most precautions if you want to take advantage of their cloud services.

Syncing is also what makes the desktop app useful.  If you’re on your desktop, you can certainly type in the codes that you see on your phone or Apple Watch (more on that later), but it’s certainly nicer to have them on the desktop, particularly for copying the code and pasting it into the site you want to log into.

Authy’s Mac app

To set it up, download the app on your second device and type in the phone number associated with the account; Authy will then confirm it’s you by sending a notice to the Authy app on another authenticated device, a text message, or a voice call.

Once you’ve given it approval, a list of your services will appear on your device, and you can click one to get the code for that service.  The desktop app is otherwise not much more complex than the mobile one, though you can create a separate Master Password that you type in whenever you open the app, as an extra layer of security.  The fact that it looks almost identical to the mobile app means there’s almost no learning curve.  You do have to have a mobile device and an account created already to use the desktop app.

Lastly, if you use the app on your iPhone, you’ll also be able to use the accompanying Apple Watch app.  The app is fairly light and quick to open and launch, even on an Apple Watch Series 2.  That said, likely due to the memory constraints, the Watch app seems to only load the first 10 services as they are ordered on your phone.  Sometimes it shows me more, but the first 10 are most consistent.  In the Apple Watch app you’ll see the list of services, and just by tapping on the service, it will load the code in nice big numbers front and center with the service icon up top and the name you’ve given it below that code.  There’s also a small timer bar that shows you how much time is left on the screen before the code changes.  It’s a very simple but fantastic use of the limited space of the Watch screen.

So why use Authy over its chief rival, Google Authenticator?  There are three big reasons.  One is that Google’s app doesn’t offer cross-device syncing of your codes, meaning if you lose your phone you lose the codes.  As mentioned before, cross-device syncing is potentially a security risk, but Authy seems to be on top of it in managing their security.

A second issue with Google’s app is its lack of updates.  As of this writing Google Authenticator hasn’t been updated in over a year, and the update before that was 3 years earlier.  One might say that means Google has programmed it well enough that it doesn’t need updating as frequently, but the dearth of updates can make one nervous, especially given Google’s habit of killing apps and services after letting them languish.  By contrast, Authy puts out patches seemingly every 2 weeks.

One last concern is that, while Google Authenticator is separate from your Google Account, it may be wise not to have all your security eggs in one basket.  Google has a fairly solid record on security, but even so, some things warrant extra precaution.

Authy is absolutely free to download for Mac and Windows from Authy’s website, as well as for iPhone, iPad, Android, and Apple Watch.  You can also install the Chrome extension.

Feel free to comment.
