Comment by shinratdr

12 years ago

Count me as another vote for Authy. One more amazing feature: Your tokens stick to your Authy account instead of your physical device. If you need to restore your phone or delete the app, you don't need to disable two-factor on all your accounts and then set it up again.

Just reinstall Authy, reauthorize with your Authy account, and you're done! Helped me countless times, from when I had to rebuild my iOS install because of a backup problem to when I got a replacement device due to a hardware issue.

6 comments

shinratdr

Reply
oakwhiz  12 years ago

Doesn't giving the device keys to a third party, while also authenticating using a password with that third party, sort of defeat the whole purpose of two-factor authentication?

  • acchow  12 years ago

    Yes.

    Unfortunately, their marketing is highly convincing. Most people (even most engineers) won't realize the tradeoff here: Authy replaces "two factor authorization" with "two password authorization". It should be clear which is more secure.

    The "two factors" with GA are a knowledge factor (something you know - your password) and a possession factor (something you have - your phone number for SMS or phone for GA app).

    See also https://en.wikipedia.org/wiki/Multi-factor_authentication

    • rdl  12 years ago

      Ultimately all of the cellphone 2FA are at some level "two passwords". If the machine on which you enroll initially is pwned at that time, the attacker sees the seed. It's a little better with physical tokens (where you'd need to compromise the token itself, or do MITM at setup time and persistently after). I believe most of the good iOS TOTP apps use the "keybag" correctly so the seeds don't leave the device when backed up, but it's not perfect. An x509 cert would fundamentally not be any different, and PK-based MFA (which Duo, OneID, and I think some other companies do) isn't that different -- it just requires the verifying application talk to the app directly vs. something you can do as a human.

      2 replies →

    • _djo_  12 years ago

      Although using Authy's backup service is optional and the app works just fine with local-only storage and no Authy account, which is how I have it set up.