Picture by Harald Groven under creative commons license
It seems password theft is in the news every week and even average computer users are starting to learn about the benefits of 2 factor authentication. 2 factor authentication increasing your account security because it add to your password (something you know) with a second factor (something you have).
The something you have is usually either an SMS message with a one-time authentication code to your primary phone on file or a special software that generates the same kind of code. The SMS option seems convenient but is less attractive when you consider the site would have to send your secure log in code encrypted through a 3rd party carrier (which is never a good idea in my opinion). Using a software one-time code generator is a much more attractive proposition in my book.
Which major sites use 2 factor authentication?
Almost every major site uses 2 factor authentication... Some (small list) examples are:
- Google+
- Tumblr
- WordPress.com
What is Authy?
Since most people have heard of Google Authenticator, let me take a minute and introduce Authy before I jump into the comparison. Like the Google product, Authy is a Time-based One-time Password Algorithm and adheres to RFC 6238 (link) described by the Internet Engineering Task Force.
In addition to being a slick well designed app, Authy allows you to manage all of your TOTP 2 factor authentication tokens with it (including Google Authenticator tokens).
And with the Bluetooth agent on Apple computers, you don't even need to touch your phone when logging into websites. The entire process is slick and beautiful.
Authy also trives for 99.9995% uptime and has built their infrastructure accordingly. You can read a great techical article on Leanstack.io (link) about this.
Authy versus Google Authenticator
There are 2 types of Authy implementations:
- A site can use Authy as their 2-factor authentication system (front and back end)
- A site can use the Google Authenticator back end and the customer can choose to use Authy as the token generation client app
Let's take scenario number 1 first.
Let's say you are using Google Authenticator and you lose you phone, the only course of action you have is to find your backup 2-factor codes (that you hopefully printed when you set the entire thing up) and deactivate your tokens app by app (or site by site).
If the sites use Authy as the back/front end, you can revoke a apps token very easily from their site.
The other major issue with Google Authenticator touches world travelers. There are some countries where you won't have connectivity on your mobile device for extended periods of time which could lead to a drift between your phone's time and that on the Google servers. If the drift becomes too wide, you won't be able to login anymore because the entire TOPT process uses time in the calculation algorithm. The Authy team has accounted for this possibility and has built in more refined time drift smoothing algorithms to reduce the likelihood of this occurring.
Google Authenticator is built to run on only 1 device but more tech savvy users know that you can use your authenticator seed on multiple devices. The problem is that all your devices use the same seen which means if any device is compromised ot stolen, you have to cancel and regenerate all of your tokens. Even when used in multi-device mode, Authy create unique seeds for each device (when used with sites that have implemented the Authy backend not the Google authenticator backend). Which means you can revoke the rights to one device without having to reset everything.
Let's take scenario 2 now
One thing I hate with Google authenticator is that I have to redo the entire token creation process for every 2-factor enabled site everytime I change my phone. I could save a screenshot of my seed and use that in the future (instead of going through the entire process again) but that is a HUUUUUUUGGGEEE security risk. You really don't want to store your seed unencrypted.
Authy has a account synchronnization feature that allows you to move your entire token vault to a new phone or to a second device. Security analysts know that the goal is to minimize the attack surface and therefore sometimes you may chose to only allow 2-factor authentication code generation on one device. Authy actually sets its default configuration to only work on one device to ensure multi-device support is a conscious decision by the user.
To enable Multi-Device synchronization of your tokens, they have created a model of inherited trust which means a new device can only be authorized from an already trusted device.
This means that if you buy a new device (to replace your existing one or a tablet), you can easily transfer your authentication tokens over.
The other benefit is that everytime you start the app, you get a fresh authentication code valid for 20 seconds which means you're not waiting 1 minute for the app to refresh with a new code.
Overall the app is much nicer than Google's. It is a clean touch friendly interface that is a joy to use. I have now migrated all my Google tokens to Authy and it is the only 2-factor authentication app on my devices: smartphones and tablets.