Breaking Up With Authenticator

Why you may come to regret using Google Authenticator for two-factor auth.

One of the first things you’ll learn when you create your first bitcoin wallet is to set up 2FA. The two most common forms of 2FA today are standard telephony and security tokens, which come in both hard and soft varieties.

If we took hard U2F tokens off the table, we’re left with software and telephony. Which of the two would you choose? Well, it depends. Let’s explore.

2FA Pros and Cons — Phone

A pro of using a telephone number for two-factor auth is that phone numbers have the ability to turn pretty much any SMS-capable device into an auth mechanism. This convenience comes at the cost of security, however.

The purpose of two-factor is to decrease the likelihood that an unauthorized user can gain access to one of your systems by splitting the bill between something you have and something you know. With VoIP services it’s possible to emulate a telephone using software like Twilio, breaking the “something you have” part of the 2FA contract.

And though going with a virtual telephone is still better than not using 2FA at all, the real problem is that standard telephony is easily hacked. And when you’re storing value in a computer, getting hacked is the last thing you want.

2FA Pros and Cons — Token

As mentioned, tokens come in both the hard and soft varieties. And since software is the more common of the two let’s focus specifically on software tokens.

The two most popular software tokens today are Authenticator and Authy. Authenticator, created by Google, is the more well-known of the two. In fact, Authenticator is so much more popular some exchanges don’t even mention Authy. And that’s a problem.

There’s an important difference between Authenticator and Authy to be aware of. It’s something you’d never think of until you actually needed it—which is precisely too late. Are you ready? Because if you didn’t know this it may come as a bit of a shock.

To set the stage, here’s a pullquote from someone on the CoinSheet Discord server I saw earlier today, which is what prompted me to write this post:

ARRGHHH! I was expecting this day! My phone broke its screen and I saw this misleading article about changing your Google Authenticator from one phone to another. But it doesn’t mention it doesn’t change the keys! /: FUCK! Should have used Authy. For you to learn and change asap :p

Looks like someone realized the reason why many individuals preach about Authy.

So here it is. I’m just gonna lay it on you…

If you lose your phone while using Authenticator you may lose both an expensive piece of hardware and the keys to all of your 2FA-secured accounts.

Your only hope to restore with Authenticator is to rely on a manual backup process, which is non-trivial and prone to human error.

And while one clever individual I spoke with on the matter suggested they took screenshots of their Authenticator seeds before encrypting and saving them to the cloud, the act of taking screenshots increases the risk of key exposure.
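To make concrete what a “seed” is and why it, rather than the phone, is the thing to back up, here is an added example (not code from the original post): it parses an enrolment otpauth:// URI and derives RFC 6238 TOTP codes from the seed, showing that any device holding the same seed produces the same codes. The URI, account label and seed are constructed from the RFC 6238 test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

def parse_otpauth(uri):
    """Extract label, issuer and Base32 seed from an otpauth://totp/... URI
    (the format encoded in the QR code shown at enrolment)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(secret_b32, now=None, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the seed and
    the current 30-second window, never on the device that computes it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample enrolment URI; the seed is the RFC 6238 test key
# "12345678901234567890" in Base32, not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def same_code_on_two_devices(uri, at):
    """"Old phone" and "new phone" each derive the code from the backed-up
    seed; an app transfer that did not carry the seed could not do this."""
    old_phone = parse_otpauth(uri)["secret"]
    new_phone = parse_otpauth(uri)["secret"]   # restored from the seed backup
    return totp(old_phone, at), totp(new_phone, at)

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], same_code_on_two_devices(SAMPLE_URI, 59))
```

The code at time 59 matches the RFC 6238 SHA-1 test vector, so you can check the implementation against the standard before trusting it with a real seed.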

Authy creates backups of your 2FA keys in-app without screenshots and sends them encrypted into the cloud in a similar fashion to password management services such as Bitwarden – giving individuals a fast, reliable and secure way to regain access to 2FA accounts while systematically reducing the risk of exposure.

Take time to educate yourself and Secure Your Digital Life.