Take some work off your plate while beefing up security with three changes you can make today.
We’ve already got enough to deal with without worrying about our cybersecurity. When humans are busy and under stress, we tend to get lax in less-obviously-pressing areas, like the integrity of our online accounts. These areas only become an obvious problem when it’s too late for prevention.
Cybersecurity can be fiddly and time-consuming. You might need to reset forgotten passwords, transfer multifactor authentication (MFA) codes to different devices, or deal with the fallout of compromised payment details in the event one of your accounts is still breached.
Thankfully, most of the work necessary to keep up our cybersecurity measures can be outsourced.
Here are three changes you can make to significantly reduce the chances of needing to fiddle with any of these things again.
1Password
I’ve historically avoided password managers because of an irrational knee-jerk reaction to putting all my eggs in one basket. You know what’s great for irrational reactions? Education.
To figure out if putting all my passwords into a password manager is more secure than not using one, I set out to see what some smart people wrote about it.
First, we need to know a thing or two about passwords. Troy Hunt figured out almost a decade ago that trying to remember strong passwords doesn’t work. In more recent times, Alex Weinert expanded on this in Your Pa$$word doesn’t matter. TL;DR: our brains aren’t better at passwords than computers, and please use MFA.
So passwords don’t matter, but complicated passwords are still better than memorable and guessable ones. Since I’ve next to no hope of remembering a dozen variations of p/q2-q4! (I’m not a chess player), this is a task I can outsource to 1Password. I’ll still need to remember one, long, complicated master password - 1Password uses this to encrypt my data, so I really can’t lose it - but I can handle just one.
Using 1Password specifically has another, decidedly obvious, advantage. I chose 1Password because of their Watchtower feature. Thanks to Troy Hunt’s Have I Been Pwned, Watchtower will alert you if any of your passwords show up in a breach so you can change them. Passwords still don’t completely work, but this is probably the best band-aid there is.
One last bonus is that using a password manager is a heck of a lot more convenient. I don’t need to take a few tries to type in a complicated password. I don’t end up spending time resetting passwords I’ve forgotten on sites I only rarely use.
When tasked with remembering all their own passwords, people typically create simpler passwords that are easier to remember – and easier to hack. This occurs most frequently on sites that are considered unimportant. Using 1Password and generated passwords, those sites are now also first-class citizens in the land of strong passwords, instead of being half-abandoned and half-open attack vectors.
So, yes, all my eggs are in one basket. A well-protected, complex, and monitored basket.
Authy
Okay - so it’s more like one-and-a-half baskets. 🤷🏻
Authy, from the folks over at Twilio, provides a 2FA solution that’s more secure than SMS. Unlike Google Authenticator, you can choose to back up your 2FA codes in case you lose or change your phone. (1Password offers 2FA functionality as well - but, you know, redundancies.)
With Authy, your backup is encrypted with your password, similarly to how 1Password works. This makes it the second password you can’t forget, if you don’t want to lose access to your codes. If you reset your account, they all go away. I can deal with remembering two passwords; I’ll take that trade.
I’ve tried other methods of MFA, including hardware keys, which can make accessing accounts on your phone more complicated than I care to put up with. To my knowledge, the combination of 1Password and Authy is the most practical balance of convenience and security currently available.
Privacy.com
Finally, there’s one last line of defense you can put in place in the unfortunate event that one of your accounts is still compromised. All the strong passwords and MFA in the world won’t help if you open the doors yourself, and scams and phishing are a thing.
Since it’s rather impractical to use a different real credit card every place you shop, virtual cards are just a great idea. There’s no good reason to spend an afternoon (or more) resetting your payment information on every account just to thwart a misbehaving merchant or patch up a data breach from that online shop for cute salt shakers you made a purchase at last year (just me?).
As a bonus, a partnership between 1Password and Privacy.com lets you easily create virtual credit cards using the 1Password extension.
By setting up a separate virtual card for each merchant, in the event that one of those merchants is compromised, you can simply pause or delete that card. None of your other accounts or actual bank details are caught up in the process. Cards can have time-based limits or be one-off burner numbers, making them ideal for setting up subscriptions.
This is the sort of basic functionality that I hope, one day, becomes more prevalent from banks and credit cards. In the meantime, I’ll keep using Privacy.com. That’s my referral link; if you’d like to thank me by using it, we’ll both get five bucks as a bonus.
Outsource better security
Altogether, implementing these changes will probably take up an afternoon, depending on how many accounts you have. It’s worth it for the time you’d otherwise spend resetting passwords, setting up new devices, or (knock on wood) recovering from compromised banking details. Best of all, you’ll have continual protection just running in the background.
We have the technology. Free up some brain cycles to focus on other things - or simply remove some unnecessary stress from your life by outsourcing the fiddly bits.
Want to give the gift of cybersecurity to someone you know? Get them started with a cybersecurity starter pack.
I've only used the iOS app Authy for a few months. If you are unfamiliar, it is a very nice application for managing different two-factor authentication secrets and generating tokens. It creates a single place to look for all 2FA tokens.[1] There's also a companion Authy Mac app that can receive the token over Bluetooth and set the clipboard with the token. That's mildly more convenient than typing. Both require your phone to be next to you.
About 2FA
You should read the 1Password blog post about the difference between 2FA and expiring one-time passwords. It may matter to you. I consider it equivalent for the things I am securing.
While Authy made 2FA easier (and has some nice features), it always bugged me to not have everything in 1Password. With the most recent update to their iOS app, it's now possible.
Here's a nice walkthrough of setting up Gmail for 2FA, from the makers of Authy.
If you are here for Synology tips, then I won't disappoint. 2FA is enabled per account on the Synology: click the user icon in the upper-right menu bar, then choose the 'Options' menu item.
Generate the new QR code and get ready to snap a photo with your 2FA app of choice. Any good 2FA app will work with the QR code.
To do this with 1Password, you enter edit mode on the iOS app and tap the 'Add new one-time password' option. From there you either manually enter the code provided by the service or take a photo of the QR code.
Now, when you need to log in, that login entry in 1Password will always have the code you need. It's live and even provides expiration feedback.
This setup syncs between all iOS copies of 1Password too. My iPad and iPhone both become 2FA devices with one setup.
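The QR code scanned in the steps above encodes an otpauth:// URI; the base32 secret inside it is all the app stores, and every later code is derived from that secret plus the clock. The following is an added example, not code from this post, 1Password or Authy: it parses such a URI and computes the code as RFC 4226 (HOTP) and RFC 6238 (TOTP) specify, plus the seconds-remaining countdown the app shows. The function names and the URI are my own; the secret is the RFC 6238 SHA-1 test key (ASCII "12345678901234567890").

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI (what a 2FA enrolment QR code encodes)."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "label": unquote(p.path.lstrip("/")),    # e.g. "Issuer:account"
        "secret": q["secret"],                     # base32, the shared key
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),        # seconds per code
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    t = int(time.time() if at is None else at)
    return hotp(key, t // period, digits, algorithm)


def seconds_remaining(at=None, period=30):
    """Validity left on the current code, the countdown the app shows beside it."""
    t = int(time.time() if at is None else at)
    return period - t % period


if __name__ == "__main__":
    # Constructed URI; the secret is the RFC 6238 SHA-1 test key "12345678901234567890".
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    cfg = parse_otpauth(uri)
    print(cfg["label"], totp(cfg["secret"], at=59, digits=cfg["digits"]))  # 94287082
    print(f"{seconds_remaining()}s left on the live code")
```

Any app that accepts the QR code (Authy, 1Password, Google Authenticator) produces these same values, which is why the secret can be moved between them and why whoever holds it holds the factor.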
My hope (and expectation) is that 1Password adds the ability to generate a token to the Mac application. For now, it's nice being back on one single password manager with a lot of power. Authy was good but 1Password is more convenient.
[1] I'll use '2FA' to save words but if you use that acronym while speaking, you are probably a terrible person.