Google Authenticator is a potential timebomb waiting to happen

In the world of cryptocurrencies and altcoins, the use of two-factor authentication is a MUST. One of the easiest ways to enable it is the Google-developed app, Google Authenticator. It's easy to use, well rated on the Google Play store, and supported across multiple platforms. But I'm here to make you consider an alternative fact: if you're using Google Authenticator, you have a potential disaster waiting to happen.
So what's the issue with Google Authenticator?
I'm not here to attack the tech behind Google Authenticator today, but rather the fact that it lacks a backup feature. Sure, you can move to a different device using a method of your choice, but what if you have a total device failure, or your phone is stolen, and you never got the chance to transfer your settings to another device? At that point you've been set up for a long process of going through support, or using your recovery keys, to reset two-factor authentication on every crypto exchange site you use, and that is the BEST case scenario.
A better solution using Authy

Authy is another leading application for Time-Based One-Time Password (TOTP) authentication. Because it implements the same TOTP standard, Authy can also be used with sites that claim to support Google Authenticator only, so you can store the keys for those as well. This means migrating from Google Authenticator to Authy is relatively easy: typically it is just a matter of going into each site and resetting, or disabling and re-enabling, your two-factor settings.
How is Authy going to help avoid the lost or stolen device issue?
The feature that makes Authy far more beneficial for users in the crypto space, who are using 2FA with real money on the line, is the backup feature. Unlike Google Authenticator, Authy lets you back up your setup to your account, with the data stored in the cloud.
Cloud backup for my two-factor auth data sounds like a security risk...
Although it sounds like a huge security hole, it isn't. Authy goes into great detail about what happens when you enable the backup feature, and I want to touch on it a bit here to put fears to rest. This gets a bit technical, but it's hard not to throw some jargon around when describing this process:
- Authy asks you for a backup password; make this secure.
- Authy then "stretches" that password using Password-Based Key Derivation Function 2 (PBKDF2). This process adds a salt to the password first. The salt ensures that if the same password is used in multiple places, the resulting hashed values differ rather than coming out identical each time.
- After the salt is added, the result is run through the SHA256 hashing algorithm (as HMAC-SHA256 inside PBKDF2) 1000 times (this is actually a lower number than usual, but is set that way due to the lower processing power of phones for operations of this type).
- The output of that hashing is the key used to encrypt your authenticator secrets with AES256 prior to upload; the decryption key is NEVER sent to Authy.
- The encrypted data and the salt are sent to Authy to store.
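The key-stretching step in the list above, as an added illustration that is not Authy's code: a from-scratch PBKDF2-HMAC-SHA256 (so the HMAC chain and the XOR accumulation are visible) checked against Python's `hashlib`, plus the two properties the list relies on, that a fresh salt gives a different key for the same password and that a wrong password gives a different key. The backup record layout is hypothetical and the iteration count is the one the post cites; the AES-256 encryption of the secrets with the derived key is not shown because the standard library has no AES.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 1000  # the count the post cites; phones were the bottleneck
KEY_LEN = 32       # 256-bit output, sized for an AES-256 key


def pbkdf2_hmac_sha256_reference(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Textbook PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA256, written out so the
    "stretching" is visible: each output block is the XOR of a chain of HMACs."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U1 = PRF(password, salt || INT(block_index)); the salt enters only here.
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()   # U_i = PRF(password, U_{i-1})
            t = bytearray(a ^ b for a, b in zip(t, u))          # T = U1 ^ U2 ^ ... ^ U_c
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def stretch_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Production path: the same derivation via the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def make_backup_header() -> dict:
    """Hypothetical record a client keeps next to the ciphertext: salt and KDF settings,
    never the password or the derived key (not Authy's actual format)."""
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": ITERATIONS, "salt": os.urandom(16)}


def key_from_header(password: str, header: dict) -> bytes:
    """What a new phone does on restore: re-derive the key from the stored salt and the password."""
    return stretch_password(password, header["salt"], header["iterations"])


def salt_prevents_equal_keys(password: str) -> bool:
    """Same password, two independent backups: the keys differ because the salts differ."""
    h1, h2 = make_backup_header(), make_backup_header()
    return key_from_header(password, h1) != key_from_header(password, h2)


def wrong_password_gives_different_key(password: str, header: dict) -> bool:
    """Without the right password the stored salt is useless: a different key comes out."""
    return key_from_header(password, header) != key_from_header(password + "x", header)


if __name__ == "__main__":
    header = make_backup_header()
    print(key_from_header("correct horse battery staple", header).hex())
```

The point for the reader: Authy receives the salt and the ciphertext, but the only way to get the key back is to run this derivation with the backup password, which never leaves the phone.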
As you can see, the process is pretty secure, and compared to the option of no backups it offers a far better solution! Implementing the backup setup on your device is pretty straightforward too.
- In your app, go to Settings and then to Accounts.
- In this area, tap the Backups button.
- Enter your backup passphrase (don't lose this! Store it offline, in multiple places at least).
- After this you will see that Backups are now enabled, and your accounts will show Backed Up next to them when complete. It will look something like the screenshot below (on an Android device):

Summing Up
Google Authenticator is quick and easy, but given the importance of having a fallback plan when significant amounts of money are on the line, a truly secure backup solution is a requirement. With Authy, secure backups eliminate the need to go through a process like migrating settings from one phone to another.
Sidenote: In a future post I will go over why Time-Based One-Time Password (TOTP) devices are not nearly as secure as Universal 2nd Factor (U2F) devices, to further elaborate on the security aspect of two-factor in our world today.
Thank you in advance for your comments, upvotes and follows!
Ethereum 0x79B4fAEAA31EAc19f33A1517288abE82cB2da6Fd
