So far, I have 2FA set up for Google and my iCloud account. On another site I visited, someone recommended Authy as a more secure alternative to having your code sent to you over SMS. The fact that Authy is free troubles me.
The developer has a very professional web site, etc., and something/somebody has to pay for that. Is the Authy developer culling something from its users and selling that info?
Are readers of this site using it? Recommend it?
Many thanks.
—–
Carl Hammel
I've never heard of Authy. Why even look for a third-party solution, though? Just use the 2FA solutions provided by the different services: Google Authenticator for Google, the built-in 2FA for Apple, etc. I don't see how using a service like this would make you more secure, but it may be more convenient for some people in certain situations. Maybe for instance if you don't want the Facebook app on your phone, but you need it to get the 2FA codes to log on to Facebook on desktops.
I know that third-party services like this exist and they do fit within the model. They don't have access to your accounts or even your password to those accounts. They just act as a way to get your 2FA code. Without your ID, password and in some cases your physical devices, they really can't be a threat. I don't see how they can get your information as they wouldn't really have any on you, unless that is part of their sign-up process or something.
I'd be interested to know what the reasoning was in that recommendation you read, as to why this is a more secure alternative. Maybe they just mean more secure than SMS? But most services (Facebook, Google, Apple) already use apps instead of SMS as the primary way to get 2FA codes.
Hi Gary & thanks for that detailed answer.
I have seen numerous references to the fact that 2FA combined with receiving your codes via SMS is insecure.
I just Googled "2fa & sms not secure" and came up with three pages of articles why this in so.
That's what drove me to look at Authy when someone mentioned it on another site.
carl: I definitely agree that 2FA with SMS is weaker than 2FA using a dedicated app or OS-wide-message system like Google and Apple respectively. But note that it is still much better than not using 2FA at all. In fact, the real weakness of 2FA over SMS is when someone is specifically targeting you, which is not something a typical person needs to worry about (CEOs, gov't officials, spies, etc).
Leo Notenboom from AskLeo.com is a technologist that I believe Gary has heard of before. Leo did a post titled "Why SMS Two-Factor Is Better than No Two-Factor at All". In this post he discusses using applications like Google Authenticator and Authy along with other methods (e.g. SMS or email) even says that he uses Authy. As of May 2017 he has 14 different accounts setup inside of it. https://askleo.com/27948
Douglas: Thanks for finding that link. Leo knows what he is talking about!
Authy is free to users because companies pay to embed the security API into their sites and applications. It's owned by Twilio. And you can use it wherever Google Authenticator is used. In fact - it has many more user benefits that GoogleAuth (including easier acct restoration if you lose/change phones). See the article here: https://authy.com/blog/authy-vs-google-authenticator/