When I first read the article Authy Makes Using Two-Factor Authentication Easier I thought to myself, “why have I never heard of this Authy thing?” After all, we have been covering two-factor for a while. I went ahead and installed it, and started digging into the application and the company. I even fired off some questions about how they treat the information in the application and I’m impressed. This application is advancing the state of the art for two-factor authentication by making it not just simpler to use, but more secure as well. This article covers how Authy is simplifying the use of two-factor authentication. Next week I’ll publish another article about how they are also advancing the state of the art when it comes to securing two-factor authentication.


Before I installed Authy, the standard two-factor authentication process for me was this:

  • Get prompted for an authentication code
  • Take my phone out of my pocket, unlock the phone’s screen
  • Launch Google’s authenticator app
  • Scroll through to find the right account
  • Type in the code on the website and hit submit
  • Put my phone away

Every time I needed a code, I’d have to go through those steps. The TechCrunch article above mentions it, but Authy just rolled out a feature that allows you to communicate the one-time codes over Bluetooth to your computer (currently Mac only, but Windows is coming).

Authy has greatly simplified this process for me. Now, when I sit down at my desk, I launch Authy on the phone, and connect the desktop app to my phone before putting my phone away. Once I’ve done that, my standard two-factor authentication process now is:

  • Get prompted for an authentication code
  • Hit the appropriate shortcut key on my Mac corresponding to the code I need
  • Paste the code on the website and hit submit

For someone who has as many two-factor authentications to perform on a regular basis as I do, I welcome this simplification. (All these services are now offering two-factor authentication: Gmail, Facebook, Twitter, LastPass, Dropbox, WordPress, Amazon Web Services, Linode, Dreamhost, Guildwars2, Evernote, Digital Ocean, World of Warcraft. If you use any of these and don’t use the second factor, well, get on it!)

Cloud-Based Backup

Another important innovation provided by Authy is cloud-based backup and recovery of your secret keys. Google’s Authenticator product gives you no way to save your secret keys. (Even Google’s built-in capability to back up Android phones skips the database of secret keys.) So if you lose your phone, or even upgrade, you have quite a bit of work ahead of you. You have to go disable two-factor authentication on all your sites, and then re-enable it, scanning in new QR Codes as you go.

Authy performs a cloud-based backup of your secret keys. Turning on the backup prompts you to select a password which will be used to encrypt the backups. According to Authy:

[The password is] passed through 1000 Rounds of PBKDF2 with SHA-2. The result is then used as a key to encrypt the account key using a random salt and [the encrypted key and the salt are] then uploaded to our servers. The key is never uploaded so only you can decrypt them as long as you remember the password.

It is important to remember that Authy never gets your key, so if you forget this password, you’re out of luck. (Just imagine you were using Google Authenticator.) If you remember it, though, all you need to recover your account to a new phone is your phone number (which lets you download the encrypted information to your new phone), and the password (which is used to decrypt the backup).
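The backup and restore flow described above, sketched as an added example (this is not Authy's code). Assumptions: SHA-256 is taken as the SHA-2 variant, and because the quote does not name the cipher, an HMAC-SHA256 keystream with encrypt-then-MAC stands in for it so the sketch needs only the standard library; a real client would use a vetted AEAD such as AES-GCM. All function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ROUNDS = 1000  # iteration count quoted from Authy above


def _keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # PBKDF2-HMAC-SHA256 (assumed SHA-2 variant); 64 bytes -> cipher key + MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=64)
    return dk[:32], dk[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as the keystream.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def backup(password: str, account_key: bytes) -> dict:
    """Runs on the phone. The returned dict is all the server ever stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(password, salt)
    ciphertext = _xor_stream(enc_key, nonce, account_key)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def restore(password: str, blob: dict) -> bytes:
    """Runs on the new phone after it downloads the blob."""
    enc_key, mac_key = _keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or corrupted backup")  # no recovery path
    return _xor_stream(enc_key, blob["nonce"], blob["ciphertext"])


if __name__ == "__main__":
    secret = b"JBSWY3DPEHPK3PXP"  # constructed sample TOTP secret
    blob = backup("correct horse battery staple", secret)
    print(restore("correct horse battery staple", blob) == secret)
    try:
        restore("forgotten password", blob)
    except ValueError as err:
        print("restore failed:", err)
```

The uploaded blob holds the salt, nonce, ciphertext and tag but neither the password nor the derived key, which is why a forgotten password leaves the backup unrecoverable.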

Authy has made at least two significant innovations in a two-factor authentication client which I think will help to improve the long-term adoption and viability of two-factor authentication solutions. It is always good to see some innovation in the world of information security.
