Tuesday, November 3, 2015

Authy: Two-Factor Authentication Made Easy

Authy is supposed to make two-factor authentication simple and painless by centralizing your accounts into one app. Sounds awesome, but is it safe? Let’s look into it further and find out.
2-factor authentication or 2FA is meant to add another layer of security to your online accounts, so even if your password is compromised, your account can’t be accessed without a special code. This code isn’t something you know until you request it.

When you request a 2FA code to verify a new device, app, or browser, it might be sent as a text, or an e-mail, or you might have to open an app that’s already been verified, so you can use it to retrieve the code, or you might have to use a special authenticator app for one specific service.

If you’re confused, that’s good, that’s the point, users try to use 2-factor authentication but often give up on it just because of all those hurdles we just discussed. In fact, here’s a quick primer on how to set up 2-step verification on sixteen web services.
It seems like a first-world problem, but 2FA is important, and shouldn’t drive away adoption because it’s annoying or inconvenient. Fortunately, Authy mitigates this inconvenience because all your 2FA codes are generated from one source.

Centralizing Your Two-Factor Tokens with Authy

It doesn’t necessarily follow that if Authy makes using 2-factor authentication more convenient, more people will use 2FA. That said, if you want to use 2FA, Authy sure does help.
With Authy, you will need to initially invest some time to set it up, but once you do, you can use it to generate all your 2FA tokens.
Want to verfiy your Tumblr on your new iPad? Just got a new Android phone and you need to authenticate all your apps to work on it? No problem, fire up Authy, enter your master password, and you can systematically go through each of your apps, whether it’s Facebook, Gmail, Dropbox, etc., and authorize them all in a matter of seconds.
No more waiting for texts or e-mails, no more firing up Facebook on a verified computer and generating a code. Nothing like that; authy makes it easy and just works. Authy is available on a number of platforms including OS X, iOS, Blackberry, Windows, and Linux.
Like we said, getting Authy up and running takes a little initial investment of time because you have to set up each of your accounts to use 2FA. Upon doing that, you will need to authorize the Authy app to generate 2FA tokens for that account. You do this by scanning a QR code with your mobile device, or typing in a passphrase if you don’t have scanning capabilities.
This can seem a little confusing at first, but once you set up Facebook or Google, it kind of clicks, and you can always find more information by searching online. Nevertheless, let’s take you through the process with a Google account, so you have an idea of what’s involved.

Setting Up a Google Account With 2-Step Verification

We’re going to show you how to set up a Google account with 2FA and then add that account to work with Authy. We need to stress that every account you have, whether it is another Google account, Dropbox, Facebook, or anything you want to configure to work with Authy, will have something akin to the following process.
To begin, log into your Google account and select the “Security” tab from the top navigation bar. On the Security screen, choose “Setup” 2-Step Verification (this is what Google calls 2FA) in the Password box.
sshot-1 (2)
The next screen will explain the merits of 2FA. Please click the “Start setup” button when you are ready to begin.
sshot-2 (2)
You have the choice of verifying your account either via text message (SMS) or voice call. We add the phone number with which we want to associate this account, choose the text message method (obviously, you can choose the method you prefer), and click “Send code.”
Enter the code that Google sends you and click “Verify.”
At this point, you’ll be asked to trust the computer you’re on. This means that from now on, and until such a time that you de-authorize this computer, you’ll be able to log into your Google account on this computer using only your password.
We’ll trust this computer and click “Next.”
And finally, at the confirmation screen, we’re told that from here on out, we’ll be prompted for a code whenever we log in from an untrusted computer or device. Click “Confirm” and 2-step verification will be enabled on your Google account.
That’s just for Google. Every account that supports 2FA will have it’s own method. They’ll all be be more or less similar, and usually can be activated by opening your account preferences, and then choosing the security settings. Again, when in doubt, search for an answer.

Adding Your Account to Authy

What will immediately happen whenever you set up 2FA on any account is that it will “break” your connection with any untrusted devices or computers. This means that you won’t be able to use them again until you verify them. In the following screenshot, Google will immediately throw up a warning and offer you the option to reconnect your apps.
We want to choose “Do this later” and instead set up Authy to generate codes for this particular Google account. Again, like setting up 2FA, all your accounts will have some similar method to setting up an authenticator app.
sshot-4 (2)
We are returned to the verification codes tab. We’re next going to click the “Switch to app” button where it says “Get codes via our mobile app instead.”
Google has its own authenticator app, which you’re more than welcome to use. Instead of the Google authenticator app, however, we’re going to use Authy. Since we’re on an Android phone, we choose the Android option, and click “Continue.”
You will now be shown a QR code. Here’s where you’re going to fire up Authy.
sshot-7 (2)
With the Authy app open, swipe from the left screen edge and tap the “Authenticator Account +” button at the bottom.
2014-10-18 23.48.36
The next screen is going to ask you to scan the QR code. This is the easiest and fastest way to add an account, provided you’re using a device with a camera.
2014-10-17 23.32.42
If you cannot scan QR codes, such as if you don’t have a camera on your device, then you can select the “Enter key manually” function in Authy, and click the “Can’t scan the barcode?” link to reveal the secret key for your Google account.
That said, assuming you’re using the Authy app on your phone or tablet, tap the “Scan QR Code” button and scan the QR code shown. On the next screen, you’re given the opportunity to change the logo if it is incorrect, and you can give your account a custom name.
2014-10-17 23.45.00
When finished, click “Done” and your new account will be added to Authy.
If you’re using the Chrome app or extension, then you’ll want to manually enter the key, so you’d click “Add Authenticator Account” and then enter the code (secret key), and click “Add Account.”
Let’s quickly cover the basic procedure for reconnecting apps.

Fixing a “Broken” Google Account

In the following example, we’ll show you how to enter the code provided by Authy, so you can fix the Google account on your Android phone. No matter the account or app, you will use Authy in this same way every time you want to verify or re-verify something.
Remember when we set up Google’s 2-step verification and it broke the connection with all our apps on all our devices and browsers? This is a perfect time to show you how to use Authy to fix that.
sshot-4 (2)
Once this happens, the next time your tablet or smartphone tries to sync anything (mail, calendar, Keep items, etc.), it’s going to throw up an error. You can see the warning in the in your Android notifications.
2014-10-18 23.20.02
Click the notification that says “Account Action Required” and the account setup will tell us that our account has changed. We click “Try Again” on this screen.
2014-10-17 23.46.27
Re-type your password, click “Sign in” and authorization will promptly fail. Why? Because you’ve got 2FA enabled on this account and you’ll need to input a code before you can verify your account on that device.
2014-10-17 23.47.01
On the resulting screen, you’ll be told that you need to touch “Next” to initiate a browser sign-in. The browser sign-in for your Google account will then appear.
Open Authy on your device or your computer. If you have more than one Google account set up with Authy, choose the correct one, and type in the code it gives you. Each code Authy generates only lasts 30 seconds, so make sure you type it in before it expires, or you will have to use the next one it gives you.
2014-10-17 23.45.08
Upon entering the code in the browser, you have the option to remember that computer so it doesn’t ask you for a code again. If you’re using an untrusted device, such as a public computer or someone else’s tablet, don’t check this box. Otherwise, select it to trust the computer and tap the “Verify” button. Your Google account will reconnect and resume normal operation.
Note, setting up 2FA won’t just break your connection on your Android devices, it will also break synced data on Chrome, log you out of any active mail sessions, and so on. Bottom line, you may have to reconnect in this manner several times wherever you use your Google account.
Here’s a another example. We load the Windows Facebook app and enter our login credentials.
Since we have 2FA activated on our Facebook account, and we previously set up Authy to provide authorization codes for Facebook, we need to enter a code before we can access our account.
No problem, we don’t even need to find our phone or tablet since we have the Authy Chrome app installed, we can just use that to get the code we need.
We don’t even need to enter it, we can just click “Copy” and then paste it from the clipboard!

A Quick Note on Application-Specific Passwords

If you set up 2FA on your Google account, when you try to use a dedicated e-mail client like Outlook or Thunderbird, its login is going to fail. As a result, you’ll likely get an error telling you need an app-specific password and a login box asking your to enter your username/password.
An app-specific password is something you have to generate within your Google account. It’s best to do this on the same computer that your app is installed on so you can just copy and paste.
This kind of scenario will also apply to other webmail services, such as Yahoo! Mail as well as other apps, such as Picasa and Apple Mail. In any event, we suggest you conduct a quick search so you can quickly get your app reconnected.

Authorizing New Authy Devices

Once you’ve got Authy up and running, you can install it on other devices so they can generate 2FA tokens too. In the following screenshot, you see the set up screen for the Chrome app. You will first need to enter the phone number that Authy is associated with and then you can verify your identity via a call, SMS, or using another authorized device.
In this case, we select “Another Device” and we can use our phone or tablet or anything else Authy is installed on. Open up Authy and you will prompted to Accept or Deny the new device.
2014-10-17 20.49.56
Upon clicking “Accept”, you will need to confirm your intentions by typing “OK” and then tapping or clicking the “OK” button.
2014-10-17 20.50.03
That’s it, your new device is now authorized to use Authy and you can start generating 2FA tokens on it for your accounts!

Touring the Rest of Authy’s Features

Each time you want to add a new account to Authy, you’ll tap the “Add Authenticator +” button, which is pretty simple, but what about the rest of Authy’s interface? What other options are available to you? As it turns out, there are several important settings we need to show you before you decide whether to try it out, particularly for our more security-conscious readers.

The Accounts Settings

The first and most important thing is the Account screen. Here, you can set a Master Password to protect your app from unwanted access. Authy relies upon its own 2-factor verification of sorts. A user must first be able to access the computer or mobile device, so you need to have some method of security protecting your device in place.
Then there’s the Master Password, the second level of verification. Without this password, the app is wide open. This password is stored locally, so it’s not synced to every verified device. That means you can set a different password for each Authy installation (just make sure you use a different one from that of your device) or use the same one over and over.
Also, the Master Password is optional (but it should probably be mandatory).
The following screenshot is taken from the Google Chrome app. Aside from the differences in appearance, it acts and functions almost exactly like the mobile version.
The Master Password is required every time you open the app. On the other hand, here’s a view of the account settings in the mobile app. Instead of a password, you set a Protection PIN.
2014-10-19 20.23.29
The PIN is more nuanced than the Master Password. You can choose whether your PIN protects the entire app, which means the app will time-out after 60 seconds and you will need to re-enter the PIN again. On the other hand, you can simply use the PIN to protect Authy’s settings.
2014-10-19 20.23.37
The bottom line here is, use the password or PIN option. Do not leave the app wide open to unwanted access.

External Accounts Settings

One of Authy’s biggest selling points is that you can sync and back up your accounts to the cloud. This means you don’t have to manually add your accounts to every device and browser on which you install it. In the following image, you click the “External Account” tab and you can see all the accounts you’ve added. The green symbol means that it is backed up and synced to the cloud.
If you want to remove an account, you can click the little garbage can icon.
If you want to customize your accounts, such as to give them a more descriptive name or change the logo, you can click on the account and make your fixes.
If you use the backup and sync option, you will need to provide another password so you can decrypt your accounts when you sync them to other devices. Once your accounts are decrypted, you can change the password. Remember, your Master Password or PIN is unique to the device, but the “Backups and Sync” password is synced across any device or browser that connects to your Authy account.
Finally, and this might soothe the worries of the more security-conscious types, if you don’t want to back up your accounts to the cloud, you don’t have to. You can use Authy locally on one device such as your phone. That said, if you use 2-factor authentication with all your accounts, and you add them all to Authy, if you lose or break your phone, you will have to re-add them manually.

 Devices Settings

Finally, the settings for “Devices” allows you to accomplish two things.
First, you can remove other authorized devices. If you lose your phone or it is stolen, you can remove it from the devices list, and it will no longer sync with Authy’s servers. Keep in mind, this will not remove Authy from the device, and you can still use Authy to generate tokens for any accounts you’ve already added to it. The only way to remove Authy’s configuration data is to either uninstall it or purge the app’s data cache.
Also, if you change your mind and want to continue to use that device with Authy, you will need to reinstall it.
If you uncheck the “Multi-device” box, you will no longer be able to add new devices to Authy.
Both of these features on the Devices tab are meant to enhance security. Basically, you can install Authy on one device, turn off multi-devices, and you will not be able to verify any more devices.
So, in effect, by adding a Master Password or PIN, turning off “Backups and Sync”, and then disabling multi-devices, you can effectively silo your phone as your only Authy-enabled device. Don’t forget, you also want to lock your device, which we’re sure you already do!

Authy is Easy and Convenient, But is it Safe?

The appeal of using Authy should be apparent to anyone who wants to use 2-factor authentication on any or all of their accounts across multiple devices and platforms. For example, it’s possible to log into your Facebook or Twitter account from quite a few locations and if you have 2FA enabled, entering a code for every login can become a bit tedious.
You might use an app on your phone or tablet, perhaps also on your computer, or access it using a browser, and for each of these logins, you will need a 2FA token. Spread that out over multiple accounts – Google, Dropbox, Tumblr, Facebook, etc. – and Authy becomes almost one of those must-have apps.
That said, backing up and syncing those accounts and devices with the cloud might raise a few eyebrows and elicit security concerns. To those concerns, we can only say, Authy is about as secure as you make it. If you do use Authy, your first task should be to immediately lock it down with a PIN or password.
Moreover, if you don’t want to share your account information beyond your phone, then you should most definitely leave Backups and Sync turned off. Finally, if you only want Authy to work on one or two devices, then you can turn off the multi-device feature. Beyond all that, ultimate security is largely dependent upon the device or devices Authy is installed upon. In other words, lock your phone, tablet, or computer with a password or PIN.
If you’re still not convinced or have lingering questions, we encourage you to check out their website for more information. There, you can also find links to change your phone or reset it in case you are not receiving authorization texts.
So, what do you think? Would you use Authy or do you prefer old school methods of generating 2FA tokens? We encourage you to sound off. Talk to us in our discussion forum, let us know your thoughts, and whether you have any concerns about its security!

No comments: