I stirred up a bit of a hornet’s nest this week when I suggested that people should switch from Google Authenticator to another two-factor authentication app on Android. I recommended Authy, but that’s only because I use it and find it incredibly convenient. Not only does it forbid you (and other apps) from taking screenshots of it, but I appreciate the additional verification security built into Authy (and the options you have to maintain the security of your 2FA keys even when using more controversial features, like its ability to quickly synchronise your 2FA keys to other devices you own).
But, honestly, there are plenty of other great 2FA apps, too—1Password comes to mind, if you don’t mind paying for it (and you should, if you don’t yet have a password manager). Better yet, use a hardware token for whatever accounts you can, rather than your smartphone. I don’t really care what you use; I, and many others, like Authy, but you’re welcome to use whatever authenticator app works best for you.
Feeling overwhelmed? You shouldn’t be, but it can seem like a lot to process if you’re not especially savvy with technology or two-factor authentication. As Lifehacker reader Jenny writes:
“I just read your article about 2FA apps, and I need a little guidance, please, if you wouldn’t mind? I’m only semi- techie and most of that thanks to the nice people on Reddit.
This week I turned on Google 2 Factor Authentication for my Reddit signon, and still haven’t really gotten the hang of how it works.
Now you’re saying that it isn’t secure, and I should switch to Authy, right? How do I do that? If I delete the Google one off my phone, will that mess up my Reddit signon? Or will it automatically swap over? And if I do go to Authy, can I put it on my tablet so that if something happens to my phone I can still get into my accounts? And if I do swap to Authy, should I delete the Google one off my phone before or after I download and turn on the Authy?
Any guidance you could give me would be most greatly appreciated!
Have a wonderful day, and thank you for all the work you put into informing all of us out here!”
Let’s go over the basics! First, here’s the simple version of how 2FA protects your accounts. You set up 2FA on a website or service and link it to an app (in this case). That app has a rotating number on it. When you go to log into the website or service, you have to pull up the app and provide this rotating number to verify that you are you and not a hacker who got their hands on your login and password. The protection comes from the notion that while your credentials can be easily stolen in a variety of ways, odds are very low—if not infinitesimal—that an attacker will be able to also guess (or brute-force) this special number that changes approximately every 30 seconds or so.
[referenced url=”” thumb=”” title=”” excerpt=””]
This is slightly different than when a website or service texts you a number that you then have to enter during the login process. This is known as two-step verification, and while it’s better than nothing, it’s less secure than 2FA because it’s easier for an attacker to SIM-swap or otherwise yoink your phone number—intercepting your messages, including these login requests, and having a field day. It’s a lot harder for an attacker to get physical control of the device you use for two-factor authentication, hence why the latter is preferred.
Now, to your question. Honestly, you’re probably fine if you stick with Google Authenticator, because it’s better than not using a two-factor app at all. As long as you aren’t downloading crappy malware or random apps onto your device—often one and the same thing—then it doesn’t matter that Google Authenticator allow screenshots (as of when I wrote this).
If you want to be super-safe, you can wait or switch to another authenticator app, like Authy. Here’s how I’d do that with Reddit:
-
Use Google Authenticator to sign into Reddit as you normally would
-
Turn off two-factor authentication temporarily
-
Turn it back on, and set it up with Authy instead of Google Authenticator
That’s it. You’ll have to repeat this process for every site or service where you’ve enabled 2FA and linked it to Google Authenticator. It’s an annoying process, but it shouldn’t take very long; and at least you have a list of all the sites that have to be adjusted, since you’ll be able to see them within Google’s app.
Once you’ve swapped all your accounts over to Authy and can confirm that you can log into them using Authy’s codes, delete Google Authenticator. However, to share Authy codes across devices, the process is much simpler. Install the Authy app on whatever other device you want to use for 2FA. Then, jump into the Authy app on your original device and pull up its settings. Tap on “Devices” at the bottom, and enable “Allow Multi-device.”
Then, sign into Authy on your second device using whatever credentials it asks for—your phone number, I believe, or the first device. Once you’ve set it up and see that all your 2FA codes are synchronised over, go back to your original device and disable the “Allow Multi-device” setting. The new device you just configured will continue to work, but nobody else will be able to sync your account to another device until you flip that switch again.
[referenced url=”” thumb=”” title=”” excerpt=””]
Normally, for 2FA apps, you’d have to do the process I described previously to sync an account to authenticator apps across multiple devices: Logging into your accounts and disabling 2FA temporarily, setting it back up again, and scanning the provided QR code (or whatever) using the authenticator app on each device. Otherwise, there’s typically not a way to just “add” a new device and have it sync up.
Authy is the exception, which is also a source of some of its controversy—though convenient, this feature does theoretically make it easier for an attacker to gain access to all your 2FA combinations, if you haven’t prevented them from doing so by disabling it. I like the convenience, but I can see how this would be a sticking point for people who want as secure and as private an authenticator experience as possible. If that’s you, perhaps Authy isn’t the best fit after all.
Do you have a tech question keeping you up at night? Tired of troubleshooting your Windows or Mac? Looking for advice on apps, browser extensions, or utilities to accomplish a particular task? Let us know! Tell us in the comments below or email [email protected].
Leave a Reply
You must be logged in to post a comment.