23 Jul

Account security is a tough issue for a lot of people. It's a constant balancing act between having a stronger system to keep out would-be invaders while also making it convenient enough that users won't reject it. After Google began offering its own 2-step verification system, several other services adopted the same mechanism and opt-in model for people that wanted more than a single password protecting their personal data. This generally left users with Google's Authenticator app, which got the job done, but it lacked features and languished on an early Holo dark design. If you're looking for something a little more modern and functional, it's time to check out Authy.


At the most basic level, Authy is a more attractive version of Google Authenticator; it can scan a QR code or accept a secret key, from which it will generate a fresh 6-digit PIN every 30 seconds. Authy's killer feature is cloud-based backup and syncing between devices. If your phone is lost, stolen, or wiped, it's as simple as installing Authy and signing back in to restore all of your tokens. With built-in support for syncing across multiple devices, you can also conveniently reach for a tablet or some other device to generate codes while your phone is on the charger.


Authy also takes security very seriously, which is pretty important for an app that helps to keep other people out of your accounts. All of your tokens are encrypted by a password locally before syncing to Authy's servers, so it's going to be a lot harder for hackers to do anything if they successfully break into the servers or intercept your transmission. Another great security feature is a simple PIN-lock on the app, which resolves one of the biggest complaints about Google Authenticator: anybody with access to an unlocked phone could open the app without any barrier. Once you've set a 4-digit PIN on your phone, it should be enough to keep all but the most devious person from breaking in and generating their own codes.

Finally, signing a device into the service has been given a bit of extra security. Before you can even enter a password to decrypt the tokens, Authy requires that the device holder be authenticated, either by entering a PIN received through a phone call or text message to your phone number, or by giving it the thumbs-up from a device that has already been authorized. Of course, none of these measures are impossible to work around, but they should add up to enough of a defense to deter all but the most skilled attacker.


Naturally, Authy implements some of the convenient features we expect from an app like this, like one-tap copy to clipboard and a countdown timer until the next code is generated. One other great addition is a resizable launcher widget, which is also equipped with a copy-to-clipboard button. Don't worry about your codes sitting in the open: if you've set a device-level PIN, you'll be asked to enter it before a code is generated, and access will remain open for 60 seconds after you've stopped using the widget. One thing to be aware of with the widget is that it doesn't show a countdown timer, so it's possible to produce a code with very little time left on the clock.
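As an added example (not Authy's or Google Authenticator's own code), here is the standard TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) that produces the 6-digit, 30-second codes described earlier, together with the seconds-remaining calculation a countdown timer displays and the small tolerance window a verifying server typically allows, which is what usually saves a code copied from the widget with only a second or two left. The secret is the published RFC 4226/6238 test-vector key rather than a real account secret, so the codes it produces can be checked against the RFCs; the `window` size is an assumption, since each service chooses its own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second period the article mentions
DIGITS = 6          # the 6-digit codes the article mentions

# Test-vector secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890"),
# shown in the base32 form a QR code or "secret key" field would carry.
# It is a published test key, not a real account secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 secret the way apps do: tolerate spaces, lowercase and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).

    Every device holding the same secret and a correct clock computes the same code,
    which is why one QR code can be scanned into several devices at setup time.
    """
    now = int(time.time()) if at is None else int(at)
    return hotp(decode_secret(secret_b32), now // step)


def seconds_remaining(at=None, step=STEP_SECONDS):
    """Seconds until the current code rolls over: the value a countdown timer shows."""
    now = int(time.time()) if at is None else int(at)
    return step - (now % step)


def verify(secret_b32, candidate, at=None, step=STEP_SECONDS, window=1):
    """Server-side check of a submitted code.

    `window` (an assumed value; each service picks its own) is how many neighbouring
    30-second periods are also accepted, so a code submitted just after it rolled over
    still passes. All candidates are compared in constant time and the loop never
    returns early, so the comparison leaks nothing about which period matched.
    """
    now = int(time.time()) if at is None else int(at)
    secret = decode_secret(secret_b32)
    base = now // step
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta).encode("ascii")
        matched |= hmac.compare_digest(expected, str(candidate).encode("ascii", "replace"))
    return matched


if __name__ == "__main__":
    print("code:", totp(SAMPLE_SECRET_B32), "rolls over in", seconds_remaining(), "s")
```

Running the block prints the current code for the test-vector secret and how many seconds it has left; `verify` shows the server side of the exchange, where a one-period window means a code generated with one second to spare is still accepted, but a code two periods old is not.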

Authy has been around for quite a while (since 2011-ish), but we felt it deserved some attention since the subject of account security has been popping up again lately. The company behind the app, which is also named Authy, is focused on making money by providing enterprise-grade implementations of 2-factor authentication, so the app is available to users free of charge and without any IAPs. Quite a few platforms are covered, including Android, iOS, and all desktop operating systems (Windows, Linux, and Mac) via a Chrome app. If you've been shying away from securing several of your accounts due to the mediocre Google Authenticator app, now might be a good time to give it another thought.

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • BoFiS

    I don't really have any issue with the design or look of Google Authenticator...I actually prefer a darker theme in general.

    • Brian Lippman

      I like darker themes too (especially since most of my phones have been AMOLED) but Holo Dark is pretty bad. Pure black themes are much better. Holo Dark is just this weird dark grey to dark blue gradient and just doesn't look that great.

    • th3m4ri0

      No way to back private keys up..

      • David Thoren

        No non-rooted way you mean. Titanium backup will backup and restore the authenticators.

        • pani

          does it? man, this has never worked for me, whenever I install a new ROM I had to re-enable 2-step in ALL my accounts, which in the end made me choose Authy.

          • David Thoren

            I've done a couple of backup and restores with the Google Authenticator, seems to come back with flying colors.
            I do have WinAuth setup with most of the accounts I have on my android as well just in case I run into real troubles though.

  • HappyJoyJoy

    Doesn't the ability to store your tokens in the "cloud" negate the extra security? If a hacker got all my information, they'd just as easily be able to get into this as any of my other sites.

    • didibus

      It doesn't negate it, but it does create new paths for being hacked. A hacker would still need to work harder, hacking both your account to the service in question, and your Authy account. Having the tokens encrypted locally means he'd also need to decrypt the tokens if he got into Authy's server and got at your tokens.

      I think it's a good idea to go with this instead of no 2 factor. This is for sure a lot more secure. In a way, the PIN on the app could make this even more secure than Google Auth, but the cloud feature does indeed reduce the security a bit. I wonder if it's optional.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      If you want, you can disable cloud backup and sync. Authy is still usable as a local-only app. At that point, it's basically Authenticator with the ability to set a PIN to access the app.

  • sssgadget

    What if Authy servers are hacked?

    • Trenton Seagoe

      "Authy also takes security very seriously, which is pretty important for
      an app that helps to keep other people out of your accounts. All of your
      tokens are encrypted by a password locally before syncing to Authy's
      servers, so it's going to be a lot harder for hackers to do anything if
      they successfully break into the servers or intercept your transmission."

    • Trent

      Google "define reading comprehension", come back, implement what you learn and try again.

      • sssgadget

        I just did. The results read ' Trent is a jack*** '.

        Anyways, storing tokens in the cloud seems like a bad idea.

        • AOSPrevails

          Then turn off the cloud backup and sync and use it as a local app. For people that use it, it trades convenience for a little bit of security, much like a cloud based password manager.

    • mcaff

      Not if, but when. It -will- be hacked, just like any other server out there, even Google was.
      The real question is, how good is your preparation when it's hacked?

  • Abdelrhman Walid

    I have been using it for a while and I really like it.
    Didn't know they have a Chrome app, that'll be better than using my phone every time I need to sign into a website using 2 factor authentication.

    • Frank Wisper

      Are you kidding me. Disable 2 factor authentication then, or use 2 factor authentication. Which essentially means you must have 2 factors. If you need your password and Pin for the app you are still not using 2 factors. That's two times the same factor.
      If you need to _have_ your phone AND _know_ the password, that's 2 factor authentication right there.

      Or did I miss something?

      • Abdelrhman Walid

        The app itself isn't protected with 2FA, just a PIN code on the phone and a password on Chrome.
        For 2FA you need the password and the code, does it matter if the code is on your phone, computer or smartwatch?

        • Frank Wisper

          Yes, of course it matters. That's all that matters. The point is if someone is at your PC (physically or remote) and does not have your phone or smartwatch he can't log in. That's what 2 factor auth is for. For the same reason 2 factor delivered by mail doesn't make sense.
          SMS so much more, because that uses a different channel and is tied to your phone/sim card.

          What are you, and with you I mean you all, trying to achieve with 2FA?

          • Abdelrhman Walid

            It's the same if you are signing into a website using 2FA on your phone.

            What if someone got access to your phone?
            If someone got access to my computer he'll have to know the computer password, the Authy app password and whatever account password to be able to log in.

          • Frank Wisper

            Someone would need access to my phone AND know the password.
            In your case I would just need to plant a trojan on your PC.
            In my case you would have to infect my phone AND my PC.

            And yes, you are right. If I sign into some account on my phone AND receive the PIN code also on my phone I will lose two factor.
            That's the reason why PayPal and some bank accounts block using the mobile app when you are receiving the PIN by SMS.

          • Abdelrhman Walid

            Infecting the pc isn't necessary since most (all?) people sign into accounts on their phones unless you are using a phone with no internet access for 2FA.

            I need an easy way to access my accounts on my devices while requiring an extra security step on other devices, this way may not be 100% secure - nothing is - but it gets the job done for me, it's about your use anyway.

          • http://www.radioshak.co.uk Shakil Shaikh

            >What are you, and with you I mean you all, trying to achieve with 2FA?

            The ability to tell people in the pub/on Facebook how awesome you are for having something you're told is awesome-cutting-edge-secure-cos-I-saw-it-on-lifehacker-innit.... but isn't.

            Oh well. At least they'll attract hackers away from the rest of us.

          • https://plus.google.com/+MichaelBond codemonkey85

            The fact that 2FA is enabled at all is more secure, because your password could be compromised by someone across the globe, but they wouldn't be able to log in to your account. The likelihood that someone is going to get access to my computer is far lower than someone dumping a bunch of passwords from, say, Facebook. Hell, even the likelihood that someone manages to grab any of my other devices is low enough, but even if they do, that's what device pins and passwords are for... and it sounds like Authy is encrypting your tokens locally with a password on top of it.

            I get your point, but I think the people claiming this makes 2FA useless are overreacting.

  • DanSan

    very interesting. obviously using the google app, never had any problems with it or need to change it though. might look into this more, see if its worth a switch.

  • Deeco

    Finally ffs!

  • Matt

    For reference, here are all the sites that support 2-factor authentication. Only the "software implementation" ones work with Authenticator, but it's still a good idea to set it up with banks, etc. if you can.

    http://twofactorauth.org/

    • Booyabobby

      Thanks for the website!

  • http://www.mikestenger.com/ Mike Stenger

    And it's easy to integrate with WordPress so you can make your site more secure.

    • reader

      Didn't WordPress just get a backdoor exploit? I read on Ars Technica

  • Fadakar

    I emailed them about 2 days ago asking if they had any plans to make a Wear app for this, I had one on my Pebble and it was awesome. Still haven't gotten a response.

  • AOSPrevails

    Thanks for highlighting this app, just installed and I really like it. Only complaint: for an app designed to be used on multiple devices it is inexcusable to not have landscape mode for tablets.

  • rolo143

    That logo looks just like shazam's logo, but red and backwards. :p

    • dmcomp

      shazam + pinterest = authy logo

  • Michael

    So sounds like everyone has reached the similar conclusion that cloud based storage of the tokens isn't the best idea. Acceptable for some based on the trade off of convenience but debatably less secure than not storing in the cloud.

    On the second "selling point" of device syncing, Google Authenticator already does this reasonably well also, and I have had no issues setting it up between my phone and tablet. Simply scan the QR code or enter the key on each device at the same time when you add the account and both timestamps and codes will work from either device.

    TL;DR: It's pretty, and that's all she wrote.

    • Tim Davis

      Or, you can save the barcode PNG images to a locally encrypted store while setting up Google Authenticator, like a truecrypt USB key, and store that as a cold backup. That's what I do.


  • jens_kristian

    I'm giving this app a try after seeing it mentioned various places over the last few months. The cross device synchronization is the killer feature since I won't have to deactivate two-factor for my Google account if I reset my phone.

  • http://www.radioshak.co.uk Shakil Shaikh

    This app makes me so angry: "Two factor auth is too hard you say? Well let's just reduce it to just the one. Yay.".

    Replacing "what you have" with "what you have in multiple places, and in the cloud" is so irritating I feel like punching myself in the face.

    I blame Apple etc.

  • Mick Collingwood

    Looks okay, like others have said it does negate extra security for convenience. Problem is I have about ten accounts stored in authenticator so even if I wanted to use it I couldn't be bothered setting up all the accounts again.

  • naduh

    Wish I had known about this app a couple of days ago before having to re-setup all my 2FA on Google Authenticator on my new phone.

  • Lance Pelosi

    Cool, already locked out of my original Dropbox and Facebook accounts, so now I keep physical copies of the keys stored somewhere. But I'll check this one too.