Replacing Google Authenticator

2020-06-09

On this blog and in Learning Tree's Cyber SecurIty introduction, Course 468 I have been promoting two-factor authentication or 2FA. One of the common tools for that is Google Authenticator.

Authenticator is a tool for mobile devices that generates a "one-time password" for use with another password for logging into websites. The idea is that the user types in a traditional password and the website then asks for the 6-digit number displayed on the Authenticator app. That number changes periodically and the server knows that and also how to recognize the correct number. The generated number is based on a secret (a long number) shared between Google and the user. This makes two-factor authentication available to any internet user.

Some users have criticized Authenticator for lack of a backup mechanism, no official desktop app, and other issues. I had an issue with a lost secret when I changed phones a while ago. It may have been my error, but it was a difficult situation. Google does have ways to back up the secret, but does not have an official desktop version as of this writing.

I chose to switch to a different app. I am not saying Authenticator is inappropriate, per se, but I also wanted to try an alternative. I chose Authy from Twilio. It is free and works on my Android phone.

Authy can be used from the desktop, has printable one-time codes if your mobile device is lost or fails and it is easy to share the secret between devices. All of these features are now available with Google, too. It also can generate codes when not connected to the internet and supports a push authentication mechanism. The app allows access via PIN and password. The account backups require a password and I use a random one.

The user interface is clean and easy to use. Since each site for which I use Authy has a separate 6-digit code, it is easy to select the proper site such as this Wordpress site and see the proper code.

I like Authy and I will stick with it.

An app is not the only path to two-factor authentication. Two types of hardware tokens are other options. One is a USB key, and I described that in another post. Another is a small device (often a key fob) that displays changing numbers similar to the Authy and Authenticator apps. These may or may not have USB connections. Those devices are generally used for enterprise authentication. RSA SecurID is one example. Some sites use SMS messages for 2FA, but there are risks with that for highly sensitivity data. Most of us are probably not very susceptible to that.

The issue is not which tool you or I use or that we use something. With weak passwords, leaked password databases, and other security issues, the use of 2FA is increasingly important. I won't claim that it is as easy as entering a few characters into a window, but it is far more secure. While many organizations require 2FA, it is usually an option for websites. Increasingly, though it is becoming necessary to enable two-factor authentication to access shopping and other secure sites. I suggest getting comfortable with it now, before being forced to install and use a 2FA app.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.