Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Authy Is a Potent Weapon in the Online Security Arms Race
Josh Centers

Digital security has been a hot topic this year. Between the theft of private celebrity photos (see "[1]iCloud Flaw Not Source of Celebrity Photo Theft," 2 September 2014) and multiple credit card leaks, it's hard not to feel a little paranoid.

One of the best ways to improve your online security game is two-factor authentication. In short, it adds an extra layer of security on top of a password: a random number, regenerated every few seconds, either by a dedicated device or by a mobile app.

[2]Google Authenticator has become the de facto industry standard in two-factor authentication. You can use it with your Google account, but it's also compatible with Dropbox, Evernote, Facebook, Tumblr, and other online services.

While Google Authenticator gets the job done, it has a number of potentially disastrous limitations. It can be tied to only one device at a time, and it offers no backup or sync, so if you lose your iPhone or wipe the data off of it, you're in for a world of hurt (for an example, see "[3]Dancing the Two-Step: Coping with the Loss of a Second Factor," 28 August 2013). One Google Authenticator update [4]accidentally wiped everyone's two-factor tokens, preventing users from logging into their accounts.

Thankfully, there's a better way: [5]Authy, which is free for iPhone and iPad [6]in the App Store. Authy has a lot of features that Google Authenticator lacks. Authy can back up your two-factor tokens to the cloud, so if you wipe your phone or get a new one, you can restore those tokens and not be locked out of your accounts.
Authy can also use the cloud to sync to your other devices, and the app is universal, so it works equally well on your iPhone or iPad. And if you own a newer Mac with Bluetooth LE (I sadly don't), you can take advantage of the complementary [7]Authy Bluetooth app to insert your two-factor tokens on the Mac automatically, with no additional typing required.

The Tradeoffs of Authy -- The sound of your two-factor tokens being uploaded into the cloud might make you nervous. Authy [8]encrypts your backups on your device before uploading them, which is good. However, that didn't stop the anonymous author of the shinynightmares blog from [9]breaking into his own account.

As with all security decisions, Authy's cloud features come with a tradeoff. Any time you store sensitive information on someone else's server, you increase the risk that it will be stolen.

But also consider the benefits. With Google Authenticator, if I lost my iPhone, I would lose access to my accounts, at least temporarily. Which scenario is more likely and/or more frightening: a single account being hacked, or losing access to all your accounts due to a software glitch or a broken phone?

Authy also adds a critical security feature that Google Authenticator lacks: the option to lock the app with a PIN or Touch ID, so interlopers can't view your tokens.

Even if Authy were found to be vulnerable, my online accounts would still be more secure than if I relied on a password alone. In addition to cracking my account password, an attacker would also have to crack my Authy password. Even if the attacker infiltrated my Authy account, the tokens would be useless without the account password. I'm still twice as hard to hack as a typical user.

For me, the decision to use Authy is simple. It makes me a harder target than if I used only a password, but it also isn't as brittle as traditional two-factor authentication.

Using Authy -- Authy is pretty easy to use, as far as two-factor authentication goes.
A drawer at the bottom of the screen provides access to your tokens. Tap the drawer to expand it, select an account, then tap the copy button next to the code to copy it. But be mindful of the timer: a token typically lasts only 20 seconds before it expires. If there are only a few seconds left in a token's life, it's best to just wait for the next one.

Setting up an account token is easy. Tap the drawer to open it, tap Add Account, and then either scan the QR code provided by the online service or enter a provided code. The specifics of how you obtain either will differ with each service.

[10][tn_Authy-add.jpg]

If you want to manage accounts or set up additional security protections, enter the Settings screen via the text label in the upper right. Under Settings, the My Account pane lets you set which phone number and email address are tied to your Authy account. These are important, because if you upgrade your phone, Authy will ask you to use one of these contact methods to prove your identity. You can also set a Protection Pin and/or Fingerprint Protection here, which I recommend. If your device supports Touch ID, I think it's silly not to enable Fingerprint Protection, because it adds that much more security with little hassle.

[11][tn_Authy-Touch-ID.jpg]

The Accounts pane lets you manage your tokens, but, perhaps more important to new users, it lets you set up cloud backups and change your backup password. The Bluetooth pane merely lets you allow Authy to use Bluetooth to talk to the Authy Bluetooth app, if that option is available to you.

Finally, the Devices pane lets you set up and manage multi-device support. Activating other devices works by what [12]Authy calls Inherited Trust. In other words, when you try to use the same Authy account on another device, you must approve it from an already authorized device. In practice, it seems like a good balance between security and convenience.
Boarding Up the Windows -- Unfortunately, these days digital security is sort of like a zombie apocalypse movie. You can stock up on supplies and board up the windows, but sooner or later, probably through simple human error, a zombie is getting into the house. But just because your efforts are likely futile doesn't mean you stop nailing boards. At the same time, you don't want to put up so many boards that you can't get out when you need to go get food.

That's sort of how I see Authy. While, by the developers' own admission, its cloud features can potentially make you less secure, they also make it harder to lock yourself out of your digital house.

And of course, Authy isn't a silver bullet for online security. It won't prevent your credit card number from being stolen from a retailer, nor, thanks to Apple's weird two-factor authentication implementation, would it have prevented Jennifer Lawrence's pictures from being stolen. Authy is just another tool in your security arsenal, but a potent one that makes two-factor authentication less imposing.

References

1. http://tidbits.com/article/15040
2. https://support.google.com/accounts/answer/1066447?hl=en
3. http://tidbits.com/article/14036
4. http://thenextweb.com/google/2013/09/04/google-authenticator-for-ios-update-reportedly-wipes-all-existing-user-accounts/
5. https://www.authy.com/
6. https://itunes.apple.com/us/app/authy/id494168017?mt=8&at=10l5PW
7. https://itunes.apple.com/us/app/authy-bluetooth/id668841348?mt=12&at=10l5PW&ign-mpt=uo%3D4
8. http://blog.authy.com/backups
9. http://shinynightmares.wordpress.com/2013/10/24/authy-cracking-encrypted-authenticator-backups/
10. http://tidbits.com/resources/2014-11/Authy-add.png
11. http://tidbits.com/resources/2014-11/Authy-Touch-ID.png
12. http://blog.authy.com/multi-device