[This post was updated on 7 May 2020. The update is at the end of the post.]
I don’t know if it’s due to my previous experiences or not, but I have this habit of giving a bit of background before I hop onto things…same drill here too.
Ever wanted additional security for your accounts (please…not bank accounts!)? Afraid of giving even your mobile number to receive OTPs because of privacy concerns? Then you are at the right place…there is a solution for you! Read on…
2FA = 2-Factor Authentication; an additional step after you put in your password and before you log in!
In cyber-security language, there are three types of authentication factors –
- what you know (the usual passwords)
- what you have (2FAs – OTPs, tokens, etc)
- what you are (biometrics – most secure)
Well, biometrics, though the most secure, are not practical, at least currently, to implement in each and every login service!
2FAs, hence, are the most convenient and secure means to further secure your accounts, i.e. what you have in addition to what you know.
2FAs could be in the form of OTPs (One-Time Passwords) sent to your email or mobile number, or even mobile prompts.
However, there are genuine issues to it:
- A mobile number or an email has to be registered to receive OTPs (some people may not be comfortable divulging personal information)
- The user has to wait every time for an OTP to arrive
- Common network issues may result in late or no receipt of OTPs, locking you out of your own account!
So, to solve all these issues we have TOTPs (Time-based One-Time Passwords). These are OTPs that reset at a predefined interval (not in the user’s control), generally 30 seconds, and they work completely offline.
The usual 2FA process
If your service supports it, navigate to the 2FA settings (generally under the Security or Profile settings of your account).
Let’s take Google, for example,
- Go to accounts.google.com
- Navigate to the ‘Security’ tab
- Look for ‘2-step verification’
- Now here you can select any of the methods (prompts, mobile numbers, emails and ‘Google Authenticator’). Google Authenticator is nothing but your TOTP generation tool!
- Click it and follow the instructions (and download the ‘Google Authenticator’ app (Android, iOS))
- Scan the QR code displayed on the screen with the ‘Google Authenticator’ app and you are all set! Every time you sign in, apart from the password you’ll have to enter the code generated by the app.
Again, as the heading stated, this is the USUAL process for enabling 2FA on every other account you have.
Ya, really, I just *unintentionally* demonstrated Google Authenticator above, so why do I use Authy over it?
Well, it’s more secure and convenient to use, plus it has some security-worthy features under the hood:
No Screenshots (ANDROID ONLY)
I see very few apps which use Android’s underrated screenshot-blocking functionality, and this one is among them. Yes, YOU CANNOT TAKE SCREENSHOTS IN THIS APP. (The next screens that you will see are picked from Google Play, the App Store or Google Images.) These are screenshots from my phone:
Secure Backups and Multi-device
Switched your phone, lost all your data on the phone, or performed a reset of your phone? Good job! All your TOTPs are gone forever, and you will have to set up 2FA on your account again by logging in through alternative means (verifying your mobile number, answering security questions, resetting the password, looking for backup codes, etc.). Some account providers are so strict that there’s no way out: lose your TOTP codes, lose your account. E.g. Discord [I had to learn it the hard way :( ].
Authy solved this problem: you can back up your codes securely, and PASSWORDS FOR THOSE BACKUPS ARE MANDATORY. Please make sure you do not skip that, else you cannot recover those codes!
Courtesy of the above functionality, this app can run simultaneously on more than one device, and you can keep track of those devices too!
The app offers the ability to view your codes in Grid or List mode, and even to assign custom names to the different accounts, making them easily identifiable and searchable. You can even assign custom colours / icons to different accounts.
So which Services offer 2FA?
Well, every popular one has it. Some of them are –
Want even more? There is an entire website dedicated to it, twofactorauth.org, where one can find even more services offering 2FA, and one can even submit other known websites if they are not listed there.
Pro-tip – Got an Apple Watch? You can view your TOTPs right there!
Authy is available for free on Google Play and the App Store.
Have any queries about 2FA? The comments section is all yours!
Stay Aware, Stay Appy! (Stay Safe too!)
[Update: 7 May 2020]
There is an update to the above article regarding the Google Authenticator aspect covered in the intro. The app received its first update since 2017 this morning, which adds some much-needed features:
- Screenshot restriction on the important sections of the app (Warning!! You might see some potato-quality screens at the end…just saying!)
- A revamped introductory interface
- Importing or exporting TOTPs between devices (by scanning a QR code shown on the old device!). Indirectly, even multi-device functionality works!
Oh, and as you have probably already noticed, the app has even got a fresh coat of white paint (Google’s Material Theme, as they call it).
Okay…welcome additions, but I am still not convinced about using it over Authy, because of the problem when the phone is factory reset…these codes will still be gone.
Whoever wants to give it a shot: Google Authenticator is available for free to download (Android, iOS).
If the update is still not live for you (Android users), you can grab it from APKMirror right now.
Stay Aware, Stay Appy!
—End of Update—