
One company now requires that I either use Authy or Google Authenticator. Supposedly these are safer than getting a text message, but I'm still seeing people complain about how dangerous these are. For instance, this article says that both Authy and GA are less safe than U2F for security. But a few years ago, Authy was all the rage.

If forced to use one of these two, what's safer and why?

*Yes, I am looking at another company to use.

    The link doesn't say that GA and Authy are dangerous, it says that U2F is safer, which is true. But U2F support is far away from being sufficiently widespread that you can require its use. – Mike Scott Jun 01 '17 at 13:58
  • @MikeScott Thanks I used that terminology in the OP instead and removed dangerous. – StopSigningMeOut Jun 01 '17 at 14:02
  • Your link makes no sense to include in the question. Your question isn't about whether to TOTP or not, but comparing TOTP providers. – schroeder Jun 01 '17 at 14:47

3 Answers


Most HOTP/TOTP apps are essentially the same; the algorithms are publicly documented, so most users merely see slight UI differences. However, there are a few security things you might consider when choosing one:

  • Is it open-source? Google Authenticator, for instance, used to be, but no longer is (which IIRC directly inspired RedHat's FreeOTP). However unlikely it is that Google has introduced code to steal users' tokens, it is possible; you also miss the other benefits of open-source, like being able to hunt for bugs in the source directly.
  • Are secrets backed up somewhere external? I recently had my phone unexpectedly die, and this meant I had to reset my 2fa codes on a bunch of services (while not having access to my phone number for sms or phone calls, the most common backup method). This was a huge pain. It's not surprising that many users would like to use a service that stores the underlying secrets somewhere external, so they can continue to use them in case of a device switch. However, this comes with an inherent risk: that factor is no longer "something you have", but access to your account, which is often another "something you know". You can make the argument that codes are no longer a second factor. Authy (optionally) falls into this category.

Beyond that, you've got considerations like "Does this integrate nicely into my existing tools?" that are very real UX considerations, but don't impact security other than in how they persuade users to use (or not use) MFA.

Xiong Chiamiov
  • I think you missed an important point: How is the secret protected? Having open source and having no additional backup alone does not make the app safe. Of course for open source you can find out what the app does, but when it uses external libraries or APIs that are not open source, you cannot be sure. – U. Windl Nov 05 '21 at 11:53

Google Authenticator is widely used and supported by many applications to support the use of multifactor authentication. It is becoming more widely used than Authy, possibly because of the "Google" brand association. I feel the GA authenticator delivers a suitable level of security and usability for most cases in which it is used. Whether this meets your level of acceptable risk appetite only you will know.

ISMSDEV
  • If you do use any, make sure you have a backup plan to log in if you lose the device with the app on, or store the original private key (commonly a QR code) somewhere you can get to in an emergency – ISMSDEV Jun 01 '17 at 14:16

Google Authenticator, Authy and any 'security app' are only as good as the security which is employed on the underlying device by the end user. If you don't adopt good security principles on your phone, or whatever medium you are using to exchange 2F keys, then the app may range from very secure to useless. The human factor is one of the biggest elements of good cyber-security. In terms of which is better, I would personally go for Google because they have their own private security research teams and rather large bug bounties for their programs and apps.

Rice
  • On another note, would YubiAuthenticator be an option? It works the same as the other two but it requires an NFC enabled Yubikey to turnkey your TOTP/HOTP tokens – Rice Jun 01 '17 at 15:34