How to never worry about passwords again with app-based two-factor authentication

SMS two-factor authentication is a thing of the past; the latest best-in-class security comes from apps like Authy

Written by Heather Hamilton, contributing writer

As the need for security increases, a strong password may not be enough. Two-factor authentication is your best bet for security, requiring both the password to the account and an additional authentication code generated locally on your phone. Pairing the two means that your account remains inaccessible should someone gain access to your password alone.

Two-factor authentication has commonly relied on codes sent via SMS, but recent cybersecurity research has found that thieves can and do spoof mobile phones, allowing them to divert SMS from your number to a duplicate phone. According to an article in Wired, doing so requires some of your personal information and a bit of social engineering, but it is doable. So instead of relying on SMS-based authentication, you’re much better off using one-time tokens or smartphone apps, as these are far more reliable and not as easily hacked.

These apps work by constantly generating codes, valid for approximately 30 seconds each. When you log into an account and are asked for a code, you simply open the app and copy and paste the most recent code into your login screen.

Authy is one such app that works with all sites that use Google Authenticator, though it has the advantage in power and convenience. Unlike Google Authenticator, Authy doesn’t require you to set up all of your accounts again if you get a new device. Authy allows you to back up your codes to the cloud, where they are encrypted with a password of your choosing. This allows you to restore to a new device. If a site asks you to scan a QR code to set up two-factor authentication for Google Authenticator, you can scan it with Authy for faster results.

Where to get Authy
Authy can be downloaded from Google Play or the Apple Store, and then you simply enter your mobile phone number and email address. Then you get a PIN, which will be confirmed via the phone number you supplied. And that’s it! Authy is enabled.

Setup
Next, visit the two-factor setup page of the account service you choose and use its QR code, the same way you would to set up Google Authenticator. In Authy, click Add, scan the code, and your account is added. When you need a code to authenticate, open the app and tap the account you need a code for. Type the code into the login screen, or copy it and paste it in.

How to back up and sync codes
Authy is capable of creating encrypted backups, which are stored on its servers using a password you provide. The feature is optional for users who choose not to store things in the cloud, though enabling it prevents losing your information if you lose your phone. It offers safe, secure protection for users should something happen to their phone. To enable it, go to Settings and then Accounts, and make sure that Authenticator Backups is switched on.

If you’d like to sync codes across a number of devices, you can do that via the Authy Chrome app (more apps coming soon to Authy’s downloads page). To add a device, go to Settings and then Devices, and enable the Allow Multi-device switch.

Should you attempt to sign in with another device, you’ll enter your phone number and then authenticate with a text message, phone call, or via a prompt in the Authy app on the device you’re signed in on already. Once you authenticate, your device will have access to your accounts. If you have a backup password to encrypt your codes in the cloud, there will be a lock next to your Authy codes.

Enter your backup password to get to the codes. This password applies to Google Authenticator-style accounts; accounts that use Authy’s own two-factor authentication scheme will be available upon sign-in, whether or not you know the backup password. Once you have synced all of the devices you want to, disable the Allow Multi-device option, which will not affect your device syncing, but will disallow other devices from connecting.

If you have Authy on one device and lose access to that device, you can’t access your codes. Use Authy’s recovery form and expect to wait around 24 hours. This action will wipe all devices from your account and you can start over — unless you’ve backed up your data, in which case you’ll be able to save yourself some hassle.

Sources: How to Geek, Wired, Authy, Google Authenticator