At this point, I hope you know that two-factor authentication (2FA) is an absolute must to stay safe on the internet. By setting your accounts to require an extra, time-sensitive code when you log in, you’re protecting yourself from the constant and increasing scourge of widespread password leaks.
But while two-factor is important, there is a good way to do it and a better way to do it. Most online services will guide you down a path where you’ll be texted a verification code, but this isn’t as foolproof as you may believe.
We talked with Nabeel Saeed who works on the terrific security app Authy — available on Android and iOS — for the basics on why going the extra mile to use an authentication app is worth the trouble.
2FA is essential and you should absolutely turn it on.
When you go to log in to Twitter or Facebook and dutifully type in your password, you’re performing something that could be described as one-factor authentication. You are proving you are who you say you are by sharing a secret that, theoretically, only you should know: your password. Though if you’ve ever been hacked, you know this isn’t always the case.
With two-factor authentication, you’re adding an additional complication that stacks the deck in your favor. “It just provides a second additional layer of security,” Saeed says. “So we can have a little bit more assurance that the person is not just a robot that’s feeding off a database of login information.”
A second factor can be a number of things. It can be something you are, which is what you provide if you verify your identity with a fingerprint or retinal scan. Or it can be something you possess, like a physical key. In the case of SMS-based 2FA, you are proving that you possess your phone by entering the special code that is delivered to it.
Except when you’re not.
Text messages are far from secure.
“So most people use SMS today because it doesn’t require the download of anything,” Saeed explains. “But SMS is susceptible to man in the middle type attacks.”
The con works like this: I have your password and want to break into your account, but you have SMS-based 2FA on. What now? Well, I find out your phone number and your service provider, call the support line pretending to be you, tell them I lost my phone and that they need to change the number to a new one. It’s a technique known as a “SIM swap.”
Sound far-fetched? It’s absolutely not. “A very high profile case of this happened last year,” Saeed explains. “CEO of Twitter Jack Dorsey got hacked, his Twitter account got hacked into, because its 2FA codes were being sent via SMS.”
Think you are safe just because you aren’t a juicy target? That’s not quite the case either. SMS messages are insecure by the very nature of the network they’re sent on. Specialized quasi-legal equipment, known to be widely used by law enforcement, can slurp up texts in bulk. “That doesn’t, it doesn’t even require the kind of social engineering or ‘SIM swaps’ more high profile attacks are prone to,” Saeed says.
Authentication apps are safer and will work without internet or service.
Instead of sending you a secret message that you then have to send right back, authenticator apps work by generating two matching codes, one on Twitter’s or Instagram’s or Gmail’s servers, one on your phone. By using a secret number the app and the service shared when you first set up 2FA, some publicly available information like the time of day and a little bit of math, both the app and the service can independently generate an identical time-sensitive code without ever talking to each other to do it. Now your code can’t be intercepted because it’s made on your phone, instead of delivered to it.
And that’s not the only benefit. “It doesn’t even matter if your device is offline,” Saeed points out. “Because there’s nothing actually being transported.”
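Standard TOTP (RFC 6238) is one scheme that works the way this section describes. The sketch below is an added example, not code from Authy or any service named here: the phone and the server each derive the code from the shared secret and their own clock, and the server tolerates one window of clock drift. The names `totp`, `verify`, `demo`, `STEP` and `DIGITS` are chosen for illustration, and the secret is a constructed sample (the RFC 6238 test key).

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (RFC 6238 default)
DIGITS = 6   # code length most services display


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Derive the code for the time window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)   # public input: the clock
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int,
           drift_steps: int = 1) -> bool:
    """Server side: recompute locally, tolerating a little clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + delta * STEP)
        # Constant-time compare, and no early exit across windows.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def demo() -> dict:
    secret = b"12345678901234567890"   # constructed sample: RFC 6238 test key
    phone_clock, server_clock = 1111111109, 1111111111   # 2 s apart, adjacent windows
    code = totp(secret, phone_clock)                 # computed offline on the phone
    return {
        "phone_code": code,
        "server_code": totp(secret, server_clock),
        "accepted_with_drift": verify(secret, code, server_clock),
        "accepted_strict": verify(secret, code, server_clock, drift_steps=0),
    }


if __name__ == "__main__":
    print(demo())
```

A production verifier would also rate-limit attempts and refuse a code that has already been accepted once.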
Authentication apps are better than SMS, too.
There are a whole host of authentication apps that work according to this basic principle, including Google Authenticator and Microsoft Authenticator. But there are a few factors that set Authy apart. The first, and the one that drew me towards it in the first place, is that it is independent of any broader tech-giant platform.
“We’ve used our relatively smaller size and laser focus on authentication to our advantage to innovate a lot faster,” Saeed says. “We have a huge community of developers that are tremendous fans of ours.”
There’s a reason to use Authy besides just to support a third-party option, and that is its support for account backup. One risk with 2FA is that if you lose your phone, you may be permanently locked out of the accounts that are tied to it. It’s something that happened to one of Authy’s founding developers.
“His phone got stolen. And not only did he not have access to his phone, he really realized that he couldn’t access any of its social accounts anymore,” Saeed says.
As a result, Authy offers to bundle all your accounts together, back them up into the cloud and protect them with a single strong password. That way, if you lose or change your phone, you won’t be left with no recourse for getting back into your accounts.