I know first-hand how scary password hacks can be, but I still put off two-factor authentication for years — relying instead on a strong multi-digit 1Password-generated password — because it felt clunky and hard to set up. What if I lost access to my phone number because I was restoring my iPhone? What if I couldn't get network access for my two-factor code? Too much hassle, I thought.
Authy changed my opinion on two-factor authentication: The app makes it far less terrifying to deal with; it also lives on both my Mac and iOS devices, so I don't have to worry about losing access to my accounts while my phone is restoring. Authy was recently acquired by Twilio, but the company still plans to support its two-factor authentication customers, so you don't have to worry about it mysteriously disappearing anytime soon.
What is two-factor authentication?
Two-factor authentication is the most prevalent way to secure your accounts: It asks you to prove that you are who you say you are by supplying not only your password, but also a six-digit code from your phone or an external app. It ensures that anyone accessing your accounts has access to your physical devices as well as your passwords, so a simple password crack or social engineering hack is far less likely to be enough to reach your personal data.
How to set up Authy
Downloading and setting up Authy is simple: The app is free and available for both iOS and Android, as well as on your computer as a Google Chrome plugin. Once you download Authy, you'll be asked to set it up with your primary phone number via a call or text message; once you do so, you're ready to start adding third-party services.
Add third-party services to Authy via code generation
Authy connects to any service that integrates with Google Authenticator for two-factor authentication; the Google service lets you randomly generate two-factor authentication tokens even while offline.
Authy supports a slew of different options, including your Google accounts, Facebook, Tumblr, Dropbox, Outlook, Evernote, Amazon Web Services, WordPress, DreamHost, and LastPass, among others. Sadly, you won't be able to hook up your iCloud account to Authy.
To use Authy with these services, you need to make sure they have code generation turned on. Each service has a slightly different way of enabling this, but in general, you should find it under the Security section of your preferences. As an example, here's Google's setup screen below.
When you click to enable code generation, you'll be presented with a barcode; scan this with the Authy app to add the account.
Once you've added your account, use the code generated by the Authy app to activate two-factor code generation back on the original service.
How to use Authy in day-to-day life
From here on out, you can use Authy's codes to unlock that service for new devices — whether or not you have internet access on your primary Authy device. The app even offers a Notification Center Today widget to give you easy clipboard access to your codes. And if your phone is dead or otherwise occupied, you can also use Authy on your computer via the Google Chrome widget.
Do you use Authy or another two-factor authentication app? Let us know in the comments.
Serenity was formerly the Managing Editor at iMore, and now works for Apple. She's been talking, writing about, and tinkering with Apple products since she was old enough to double-click. In her spare time, she sketches, sings, and in her secret superhero life, plays roller derby. Follow her on Twitter @settern.
I've been looking for something just like this. Trying out now.
Interesting app, thanks for the info on it. Any idea on their business model? It seems like they are doing all this for free which doesn't seem right.
I believe they make their money from selling their service to the sites/companies using their 2fa. Posted via the iMore App for Android
I've been using Authy for a little over a year now. Prior to Authy, switching phones and re-establishing 2fa did not seem like an easy process. With Authy, when I recently switched to an iPhone 6, I did not have any problems.
Used and liked Authy for quite some time. However, now that 1password also has this capability, I don't see the point in having the extra app for me. Sent from the iMore App
I thought the point of a tokencode-based 2FA was to separate the thing you know (your password) from something you have (your token). If your token is also stored online, doesn't it significantly reduce the challenge? All Eve needs to do is break into Authy and it's game over. It's not a question of if, but when, Authy will be hacked. By contrast, Eve would have to determine your password and steal your phone or another physical device with a traditional tokencode 2FA.
You stole the words from my mouth... It doesn't seem a very smart move.
Not sure about Authy in particular, but with the other 2FA apps I've used (that handle the same services -- Google, MS, FB, Dropbox) it is all local to the app. Get the QR code or key, and then it takes the seed and current time and horks out a code for you. http://en.m.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm As an aside, I keep a USB drive at home with a picture of the QR codes so when I cycle through devices I don't have to go update the 2FA apps on all of them (I usually do that anyway once a year or so). Just scan in the codes on a new device and bam, up to speed.
With SMS relay I've switched to verifying with text messages, since I can read the code right off the banner. A little less secure (instead of needing one of my devices, I can get in using any linked device), but not having to switch between apps is worth it to me.
Neither my bank nor the investment company that manages my minuscule retirement account have ever offered an opportunity to make use of 2fa.
Good one. Sent from the iMore App
Ok Sent from the iMore App