본문 바로가기 메뉴 바로가기

티스토리 뷰

Better Two-Factor Authentication with Authy for iOS and OS X

In my list of Must-Have iPad Apps for 2013, I mentioned Authy and two-factor authentication:

Authy. If you’re not using two-step authentication for online services that support it, you’re doing it wrong. And if you assume that the ugly Google Authenticator app is the only way to generate one-time security codes, well, let me tell you about Authy. Simple and well designed, Authy is “a Google Authenticator app” in that it can generate codes for services, like Evernote and Dropbox, that would normally ask you to use Google’s app. Authy is secure and fully compliant with the standards required by two-step authentication; it has a clean UI, it’s free and Universal, and it comes with a Mac utility to share codes locally over Bluetooth.

Because it’s an app that I use every day, I thought that Authy deserved a separate mention on the site; I replaced Google’s terrible Authenticator app with Authy, which provides a cleaner interface, support for multiple devices, and a Mac utility to share tokens using Bluetooth Low Energy.

Authy is a Google Authenticator app: when you’ll configure it with services that support two-factor authentication with Google Authenticator (like Dropbox and Evernote) you likely won’t see a text description saying “You can use Authy too” – you’ll just see “Use your Google Authenticator to retrieve your secure code”. If Authy is installed on your device and set up correctly, you don’t need the Google app at all.

Setting up Authy for the first time is easy. Once downloaded, you’ll be asked to go through a series of confirmation steps such as verifying your email address and phone number and scanning a QR code to add your first account. QR codes are used every time you want to add a new account, and the app comes with a built-in Camera to scan a code and authenticate you. If you lose or upgrade your phone, your email and cellphone number will be used to restore your account and previously configured external accounts.

The design of Authy is clean and it doesn’t drive you crazy. Accounts are listed in a sidebar with icons and usernames, and you can tap on them to switch to a single account view where you can view your token and copy it with a single tap through a button that doesn’t require the iOS tap & hold menu. As usual, codes expire every 20 seconds and they are tied to your token ID.

Authy is available on multiple devices: by going to Settings > Devices and allowing Multi-device, you’ll be able to access your accounts on multiple devices at once (like an iPhone or iPad) with the same set of secure tokens. Backups are encrypted with a secure key (which I keep in 1Password) and the Authy app can be given an optional passcode for extra security.

There’s a free Authy Bluetooth app available on the Mac App Store that uses Bluetooth Low Energy to use your iPhone as a token generator for your Mac: once paired, an iPhone can be locked and put away in your pocket and the Authy Mac app will be able to generate tokens from it, automatically copying them to the clipboard, ready to be pasted in, say, a website in Safari. The Mac app, which sits in the menubar, can also fetch tokens using keyboard shortcuts for individual accounts, which is handy. However, in my tests with an iPhone 5 and a mid–2011 MacBook Air, I noticed that I was often getting on-screen notifications for Bluetooth disconnections, which forces me to quit the app and only open it when needed.

My understanding is that Authy is making money as an Enterprise solution for companies who want to roll out better security on their network or platform, with an API also availableto developers. For consumers like me, Authy offers a solid alternative to Google Authenticator that I’ve been using for months on my iPhone and iPad mini without issues or even a minute of downtime. With a combination of something I know (my passwords stored in 1Password) and something I have (my devices with Authy and local Mac with Bluetooth) I can enjoy the benefits of two-factor authentication without cringing every time I have to copy a token.

Authy is a free download on the App Store.