Dear Authy 2FA: A Two-Factor Authentication Love Letter
If ever you receive an email that starts off with “At [NAME OF COMPANY] we take your account security very, very seriously,” you can pretty much prepare yourself for bad news: either a data breach, or a hack, or some other compromise of personal information. Here at Authy, we really understand the importance of account security. We’re well aware that a single line of poorly protected code on a retail website, or just one reused password used to access a blog, online bank, or a presidential campaign, can really ruin someone’s day. It could even have financial implications for millions of consumers.
That’s why we’re huge advocates of two-factor authentication. Occasionally, we’ll be tagged in a Facebook post about how easy Authy is to use, or we’ll see a tweet that describes how Authy is the preferred protection for a particular site. And we appreciate every one of those accolades. But then we got the note below… Consider it our favorite fan mail yet!
I just wanted to tell someone at Authy how much I love this product, and how much I appreciate the work that went into it. It just makes so much sense. It’s intuitive and useful in a way that no other 2FA system is.
I’m thinking in particular of Authy’s ability to make backups and to authorize multiple devices. Who doesn’t have at least two phones these days? And who knows when you’ll be carrying either phone? Who hasn’t had a phone stolen? Everyone has. And when you look into 2FA, these are the first concerns you have. Yet, as far as I can tell, Authy is the only product that truly takes them into account.
I can speak on this with some authority because I recently went down the rabbit hole of trying to implement 2FA on two WordPress sites with miniOrange and then with Duo. I invite anyone who has a couple of weeks to spare and is willing to spend hours upon hours every day reading the online documentation, scouring the support forums, watching videos, and exchanging complex emails with support teams to try to understand and use Duo or miniOrange – and then fail completely.
With miniOrange, I did as much research as a human could do, and I did everything right (as far as I could tell), and it just led to disaster. I ended up in a permanent loop and locked out of both of my WordPress sites. I was so deep into it by that point that I barely understood what I had done, let alone how to back out of it and gain some control. I received long, technical emails from the support staff containing sentences like this one:
“Can you please make sure that the folder /var/lib/php/sessions has sufficient write permissions? You will need to assign the directory with the owner that has the appropriate write permissions.”
I could live to one hundred and study all that time, and I would still be unable to understand what that sentence meant. And if miniOrange as a product required that much effort just to get it to work, how could I trust it to protect anything?
With Duo, I was just left utterly bewildered. I knew in my head what I expected to happen and how things should work, but when I looked for that pattern in Duo, I couldn’t find it. I followed their instructions step-by-step, and it seemed far more complex than it needed to be. I had no idea why I was doing 90% of the things they were telling me to do. It just felt wrong. And what I ended up with was a system that just felt weird. Things didn’t make sense and didn’t match my expectations. For example, I ended up with just one entry on the Duo mobile app for both accounts. I had two fully separate websites. Yet the same button on the Duo app gave me codes to open both of them. As I said, it felt wrong.
And along the way, I looked for the things that I mentioned in my opening paragraph – such as the ability to install the Duo mobile app on two phones. But no matter how I twisted and turned, how much I read, and how much I pestered people in online forums, I could not figure out how to do it. I could see in my head how it should work: open up a Duo account on the web; install the Duo mobile app on my first phone; then scan the QR codes for my various accounts to add them to the app. Final step: download the Duo app to my second phone and authorize it to access my online Duo account. I had one account, right? It just made sense to put it on two phones and have both those devices synced to my account.
It took me a long, long time to figure it out, but apparently, this can’t be done. It’s not how it works. I was so puzzled by that.
And that’s where the amazing (to me) Authy comes in, because that’s exactly how Authy does work: exactly how I imagined that 2FA would work. The language you use on your website to set up Authy and the way that Authy works just makes sense on a human level, and in a way that none of the other products do.
This is a paragraph from the Authy website:
“With Authy’s multiple-device functionality, your 2FA tokens automatically sync to any new device you authorize. And, if a device is lost, stolen, or retired, you can deauthorize it from any authorized device just as quickly.”
When I read that, it’s like the clouds parted and the sun came shining through. “Exactly!” I thought. “I’ve got two phones, and I want to authorize Authy on both of them and have them synced to my main Authy account. And if one phone is stolen, I want to be able to deauthorize it from my remaining phone.” This is exactly the type of language I was looking for (and expected to find) for Duo and miniOrange, but couldn’t find.
Another hallelujah paragraph from the Authy website:
“Out of the gate, Authy lets you take advantage of encrypted backups in the cloud. How is this handy? Lose a phone, and you can still access Authy accounts from other devices (as long as you have not disabled the multi-device feature). Get a new phone, and you can install the Authy app, verify your identity, and access all your Authy tokens relatively painlessly when compared to Google’s solution.”
“Exactly!” I thought again. “Of course it works this way. It’s logical.” The real question is why none of the others do.
And I haven’t even mentioned how good Authy looks. Nor have I mentioned the browser extension. It’s just a great product. And I have to say that the industry as a whole doesn’t do you guys any favors. 2FA is a difficult concept to grasp for a newbie like me, and the instructions for setting it up on a Google account, on Facebook, on Microsoft, on Amazon, and on Dropbox can be intimidating.
As you know, all these sites handle it differently, but they all have one thing in common. They try to trick you into believing you have to use Google Authenticator. They hide the reality that you just need an authenticator app, and you have a choice. No one ever offers up the option of using another authenticator, like Authy. And anyone who figures this out and does the research will quickly come to the conclusion that Authy is the way to go.
I don’t know if I’ve ever written a message like this before. Probably not. This message is a result of the absolute horrors that I went through as I tried to master 2FA and come to grips with the mind-boggling complexities of products like Duo and miniOrange, plus the inadequacies of others like Google Authenticator. It’s no joke to say that I was going out of my mind.
And then came Authy, a 2FA system that did exactly what I expected it to do, what I thought a 2FA system should do. And it did it better than any of the others. It was such a relief that I had to let you know.
Thanks for making my life a LOT easier.
Doug (Last name withheld because…privacy)
A point of clarification:
Some, but not all, sites will mention Authy as an authenticator app that can be used for 2FA security. But Doug is correct: most sites will tell you to use Google Authenticator and not let you know that any TOTP-based authenticator will work. Since Authy and Google Authenticator are built on the same TOTP standard, you can use Authy anywhere Google Authenticator is offered. We just made an app that has more options, better benefits, and is easier to use.
We hope you pass this blog post on to others who may not be aware of Authy, and please send us a note if you also have a 2FA story to tell. You may also be interested to read a more in-depth comparison of Authy vs. Google Authenticator.