Domain: authy.com
Stories and comments across the archive that link to authy.com.
Comments · 8
-
Re:2FA finally
I recommend using Authy vs. Google Authenticator: https://authy.com/blog/authy-v...
It resolves your issues. -
Don't need to give them more info
Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.
-
Re:Needed it to protect my Bitcoin
I'd recommend Authy instead of Google Authenticator. It's compatible, but adds a bunch of features like multi-device support, a PC client, and encrypted backup of its database. Most importantly, it simply adds a password. If you have Google Authenticator on your phone and you don't have the lockscreen enabled (or you hand your phone to a friend with it unlocked), anyone who picks up/steals the phone can use your Google Authenticator to login to the accounts it's supposed to be protecting. With Authy, you have to enter a passcode or password to be able to use it. It's free if you use it fewer than 100 times per month. (For enterprise use, try Duo.)
-
Passwords have the same problem as credit card #s
They're unique, but stay the same between uses. So if someone manages to copy it when you use it, they can use the copy in the future to pose as you.
Fortunately, that means they have the same solution as credit cards. Chip and pin works by you remembering a PIN (like how you remember a password). You enter the PIN into an authorized device, and that allows the device to query the chip. The chip then establishes a secure link to the processing site. Intercepting that session's communications doesn't make it any easier to forge a future communication.
Likewise, passwords can be replaced by a authenticator. Your password unlocks the authenticator. The authenticator then takes the site you're trying to login to and the time of day to generate a unique code you need to login. That way your password never has to leave your control. In theory this could be used in lieu of a password, but so far it's mostly being used to augment your password. That is, you still use a password (which can be stolen) to login to the site, but you also need the authentication code as a second factor to let you in.
This is mainly because Google's implementation is half-assed and lets you use it if you have access to the device (which is always for phones without security enabled. Authy is better implemented, requiring a passcode or password to use every time, backs up your authentication keys on the cloud so you can share them between multiple devices (they're still useless without a passcode/password), and is compatible with Google Authenticator. It's still vulnerable to some sort of keylogger. So ideally, this authenticator would be a separate physical device which did only authentication so there's no opportunity for rogue software to be installed onto it. -
Re:Locksmith, four seconds to unlock your house/ca
When I used to do locksmith work, it would take me a few seconds to unlock your car or house if you locked the key inside. Customers were happy that I could bypass the security for them.
Now that I work in information security, most people seem to think something is horribly wrong if I'm able to bypass the security.
There is an appropriate level of security for each use case. Neither your apartment nor your Slashdot account needs to be an impenetrable fortress that even the CIA can't get in to . Sometimes, convenience does trump security.
that's why I used to use a three password system. One simple alpha password for accounts that don't matter and then a beta and gamma passwords for sort of secure and really secure accopunts respectively and then a delta password for my email. Nowadays I use a Password Manager and Two Factor Authentication for every place that allows it. I use KeePass because while I'm pretty careful I wasn't help with the security of a 3+1 password system nor the flexibility such as the fact that I tended to use Alpha for everything and only switch when that site got hacked. I started to use Google Authenticator but I hit that phone failsafe issue where I was constantly worried about what happened if my phone was off or dead or lost. The fact that I had to go through a version of that when I switched phones only cemented my fears. I ended up at Authy and full Two Factor because Authy provided me the flexbility and failsafes to complete the loop that KeePass started. I now feel comfortable with appropriately complex passwords on everything. I don't worry about having to enter them on my phone because KeePass has android ports that can access a cloud stored back up of my database. It's controlled (by me) it's uniform. I know how to do it on every site I need to do it on. It's practically unintrusive at this point in my life. The type of secuity I'll use is about how much I trust it, how consistent the experience is and how easy it is to use. Two Factor isn't hard and it's rigedly consistent.
-
Google already lets you protect yourself
Just enable 2-factor authentication on your Gmail/Google account. (Note: I linked to Authy because I recommend it over Google Authenticator. Authy requires you to enter a passcode or password to view an authentication code. Authenticator will just spit out the authentication code if you're in possession of the account owner's device. Kinda defeats the purpose if you're trying to protect yourself if your phone should be stolen.)
-
Re:the reason why
I'd recommend Authy instead of Google Authenticator. Authy requires you to enter a 4-digit PIN to use it. Anyone who has access to your phone (if it's lost, stolen, or borrowed without a passcode) can use Authenticator. Authy also allows you to sync it with multiple devices on multiple platforms, not just your phone/tablet.
-
Authy
Its the easy button for 2FA