How Authy cripples my 2FA experience


Security on web services has improved a lot lately. Most of them have switched to being available over HTTPS only, use decent hashing and encryption for user credentials and support two-factor authentication by now. Authy provides an easy-to-use two-factor solution for organisations. However, this seems to be a bit of a poisoned gift.

Why do we need two-factor authentication?

Online authentication used to rely on remembering a password. This is by far the easiest solution, but it has a few drawbacks. People are bad at remembering things, especially if they don’t use them every day. This results in passwords being written down and attached to computer screens and keyboards. Even worse is that most people use the same password for every site they visit.

Using the same password on multiple sites becomes a problem when one of them leaks user credentials. Trying out the leaked username/e-mail and password combinations may give access to a lot of other sites, creating an avalanche effect.

Two-factor authentication attempts to solve this problem by combining the password with a physical item. A mobile device or hardware token generates an access code, usable for a limited time only. This means that someone who knows your password is still unable to access your account. Great!

A hardware two-factor authentication token

How does two-factor authentication work?

An authenticator app generates an access code from a shared secret and the current time. The code changes every 30 seconds, but because servers tolerate some clock drift it can usually be used for about 5 minutes. Every site gives you a unique secret, so a code generated for one site is useless on any other.

Notice that I talk about “an authenticator app” and not a specific application? These services implement the TOTP or HOTP standard, and there are a lot of applications that can generate these access codes. The most well-known is Google Authenticator, but there are many more, on every platform and for every device. Even if you’re using a 10-year-old smartphone, chances are you’ll find a suitable two-factor application.
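To make the interoperability point concrete, here is an added example (not code from the original post or from Authy) implementing the HOTP and TOTP computation described above, plus a server-side check that accepts codes from neighbouring 30-second steps. The secret is the constructed seed from the RFC 4226 / RFC 6238 test vectors, and the drift window size is an assumed parameter.

```python
import hmac
import hashlib
import struct

# Constructed test secret: the 20-byte ASCII seed used by the RFC 4226 / RFC 6238
# test vectors, not a key from any real account.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. `window` is an assumed tolerance: how many steps of clock drift
    either side of now are accepted. A window of 10 steps gives the roughly 5 minutes
    of usability mentioned in the text; a window of 1 is a common tighter choice."""
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        # compare_digest avoids leaking which digits matched through timing differences
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Any standards-compliant app holding the same secret produces the same code,
    # which is exactly why a vendor-locked authenticator is not a technical necessity.
    print(totp(TEST_SECRET, 59))                  # prints 287082 (RFC 6238 vector, last 6 digits)
    print(verify_totp(TEST_SECRET, "287082", 59))  # prints True
```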

And then there was Authy

Authy provides a solution for websites that makes it easy to implement two-factor authentication. This is a good thing, as it allows more organisations to use 2FA. Their own authenticator app provides a few extra features too. Unfortunately, in order to do this, they decided to take an open standard and completely break it: they deliberately prevent you from using any app other than their own. As usual, this is a one-way situation: you can import other accounts into Authy, but not the other way around.

When asked about other apps, their customer support replied:

Are you asking about using Authy-powered tokens with third-party apps? If so, we do not support that feature, but many of our clients support authentication via SMS or phone calls.

Sure, their own app has a few amazing features. It allows you to back up an encrypted copy of your secret keys to the cloud, for example. But is that worth it? What if you’re using a platform that doesn’t have an Authy app? As more organisations switch to Authy, they are effectively ending the freedom of choice when it comes to authenticator apps.

Is this a bad thing? Up to you to decide.