Authy: A Better Replacement for Google Authenticator

Related articles

3 Responses

  1. Oli says:

    Dear Akhil and Gtricks Team,

    Thanks for sharing this post. However, to you and the venerable readers of Gtricks, please note, from what you have shared, it seems actually a dangerous proposition and the readers should be aware of one critical aspect before ditching Google Authenticator in favor of Authy.

    You say Authy can be used from multiple devices as its keys are stored in cloud and anyone with the “master password” can access it, too. Well, that about sums up the entire point that using it this way essentially defeats the purpose.

    With Google Authenticator or any reasonable 2FA tool what we get is effectively similar to having a digital version of a “physical key” and that “inconvenience” is what we need to accept.

    Dear readers, please make no mistake, if you care for the value of a vault and if you WANT to ensure you’d, at least, know that any time this vault is opened your PHYSICAL KEY or an exact copy would be required, then you’d HAVE TO live with that very arrangement for yourself, too. It’s not an inconvenience, it’s what you want.

    Since physical keys won’t appear from thin air every time we want it and again won’t magically go away after every use, any good review/suggestion on its usage would NOT direct you away from having its need (and to the “convenience” of letting it go in favour of an “on air” keys available from any device).

    Dear readers, please consider this before deciding, using Authy this way would simply mean having similar kind of two layered passwords and that’s really it. Repeat, it would be like having a double set of passwords but passwords nonethemore. Any hacker would be enterprising enough to go through the “pain” of putting your Authy generated password in case she does get her hands on the supposed master password. And, what would you do, use Google Authenticator only for this master password?

    Yes, of course, many users are availing Authy and I’m not suggesting it’s insecure. What I’m only saying is — it REMOVES the necessity of HAVING the physical device on which your Google Authenticator or the 2FA tool is installed.

    I love Gtricks and it is one of the very few newsletters I read and still look for these days (I use Unroll.me for 99% of my newsletters) but this article and the suggestion seems to miss one critical aspect and, I’m worried, it puts forward a potentially dangerous proposition to readers many of whom, understandably, would be quite lean to adopting Gtricks suggestion without much deliberation because of Gtricks’ hard-earned credibility which is very well deserved.

    Please take note of this in making your choice. Thank you.

    Best regards,
    Oli

    • Hello Oli,

      Thanks for sharing your thoughts. Our intention was not to undermine the security provided by Authenticator by convenience of Authy. I will re-write the article so the distinction becomes crystal clear. Our work is to produce facts and let users decide what works best for them.

      Thanks again for your feedback.

  2. Wayne Mitchell says:

    Hi there. Just reading this post (and the comment from Oli below) and want to clarify a few things, especially in response to his comment: “many users are availing Authy and I’m not suggesting it’s insecure. What I’m only saying is — it REMOVES the necessity of HAVING the physical device on which your Google Authenticator or the 2FA tool is installed.”

    To gain access to the encrypted backup, you must first prove access by performing 2FA via SMS. Then the encrypted backup is delivered to the local device, where a user-provided password is used to decrypt the backups locally. Authy has no hash table or password table to attack.

    Backup codes actually deliver a riskier form of “something you know”-only access, usually with 10 never-expiring passwords that users often don’t have when they need them, or handle insecurely.

    When Authy designed the service, they solicited input from the highly security conscious bitcoin community. And Authy delivers the feature turned off by default (no backups), and wrote this detailed blog documenting how the backup feature works: https://www.authy.com/blog/how-the-authy-two-factor-backups-work

Leave a Reply

Your email address will not be published. Required fields are marked *