Choosing the Right Authentication App
If you’re reading this after part 1 of the Multi-Factor Authentication series, it’s safe to assume that you’ve accepted the importance of two-factor authentication (2FA) for your security. If you haven’t read Part 1, I suggest you do so here.
How to Choose?
The question now is, which 2FA app should you use? The truth is, there’s no wrong choice. Having any form of 2FA is better than none at all. However, there are factors to consider when making your selection.
Google Authenticator
If you’re familiar with my content, you know I’m critical of FAANG (Facebook/Meta, Apple, Amazon, Netflix, and Google) companies. They prioritize data collection over user privacy. However, there’s one product from this group that’s worth mentioning: Google Authenticator.
Pros of Google Authenticator
Google Authenticator’s key advantages are its cost-free availability and simplicity. Google doesn’t charge for the app, making it accessible to everyone. It’s also easy to set up, which is a bonus for beginners.
Cons of Google Authenticator
On the downside, the app lacks a straightforward backup feature. In case of a serious failure, you might lose all your data without any recovery option. Plus, Google’s ‘free’ offerings often tie users to their ecosystem. If you’re not comfortable with such dependence on a tech giant, this could be a deterrent.
Final Thoughts
Google Authenticator is a decent starting point for exploring 2FA apps. It was my first choice, and it helped me understand the concept. But if you dig deeper, you’ll find superior alternatives.
LastPass Authenticator
This is an authentication offering from LastPass, the company that offers password management software. And while I’ve loved using LastPass for their password manager, I’ve had trouble falling in love with their offering in the authentication space.
Setup for an authentication app is usually a breeze because there isn’t really much that you have to do. It’s as simple as downloading the software and scanning a QR code and then you’re off to the races. This was not the case when setting up LastPass Authenticator. The setup process was difficult and clunky and the application felt unresponsive. Additionally, navigation between LastPass Authenticator and LastPass Password Manager was anything but a seamless experience when trying to set a password on my account.
In addition to setup woes, the application has the lowest rating of any that I reviewed on the app store, at 2.6. Complaints were various, but the most concerning talked about the application wiping out codes, and the backup process not working at all.
This seems like more of a tack-on offering as LastPass builds out its security and privacy ecosystem. I’d avoid this offering from LastPass until it’s a little bit more of a mature product.
Twilio Authy
When researching an authenticator app to switch to myself I was very excited about Authy. It has plenty of great features out of the box, the setup is very simple, and one very interesting thing offered by Authy is multiple-device support. That means you can have your 2FA on your phone, PC, tablet, laptop, Mac, and more…
Cross-Device Syncing
The inconvenience of fetching my phone from downstairs to access applications on my upstairs computer is a familiar struggle. The cross-device syncing feature of this app is a standout solution.
The Trade-off
However, there’s always a catch with such features. For syncing to work, your 2FA data must be stored in the cloud, facilitating movement between devices. While not entirely bad, it does compromise the security and privacy of having your 2FA codes on a single device.
Manual Code Entry
Another commendable feature is the option to manually enter codes instead of using the QR reader. Although the QR reader is handy, it can inadvertently introduce unnecessary information into your app, like your email or domain name. Thus, having the manual entry option is a significant advantage.
There are many reasons to like this app, including a great UI, but the reason I don’t use it is that it requires SMS backup(why am I not surprised that Twilio wants my phone number) which is odd because SMS is far less secure than the authentication app which you’re trying to set up, yet they’re expecting SMS to back up the authentication app… am I missing something or are they? And if that wasn’t enough to put one off, they then require your email address in order to create an account.
This app is feature-rich and user-friendly, but as it always seems, free things come with a cost. In this case, you pay with your phone number and email and they deliver an app. If you aren’t as concerned with your personal data privacy then this is a sure-fire winner, but if you’re like me, it’s on to the next thing.
FreeOTP
Now let’s take a look at FreeOTP, the only open-source option on our list. Out of the gate, the name gives away the best feature. Since it’s open source, if you’re a programmer or a non-programming nerd who reads code in their spare time, you’ll get your wish with this offering. Not only can you read the code, but if you don’t like something about the app, you can contribute to the codebase to help make the application better.
One thing I really liked about this application was the ability to lock individual items behind a second password. That just adds an additional layer of security to the whole process and it’s not a half bad idea.
Backup System Concerns
Upon attempting to use this feature, a message pops up: “Locked tokens are not included in backups.” This could cause worry if there was an existing user interface for the backup system. However, I found no such interface. A quick online search revealed that setting up backups requires a complex coding process.
Additionally, as a result of being an open-source application, it has some of the downfalls associated with a lack of dedicated development resources being devoted to it (even though it is a Red Hat product) such as bugginess and reliability issues. I even ran into problems when trying to delete a token, as the system required me to remove the entire app just to remove a single token.
Who would I recommend using this product? Today, I’d only recommend it for the brave programming types out there who want to use open-source instead of proprietary software. This type of person is a great fit because usually they also know how to fix problems they will encounter when using the software.
2FA Authenticator (2FAS)
Admittedly, the picture I’ve painted about 2FA may seem grim. But rest assured, most 2FA options are adequate. Having tested several over the years, they’ve served their purpose well. However, given the importance of 2FA, we should demand excellence from app manufacturers.
Enter 2FAS
In my search for the best, I found 2FAS. It delivers what you need and omits what you don’t. It doesn’t collect unnecessary data like email or phone numbers and provides solid backup options, both offline and online.
User Interface and Functionality
The user interface is well-executed, with aesthetically pleasing screens and smooth operation. The backup and restore process is seamless. In my experience, I was able to export a backup, delete the app, reinstall it, and reimport everything in under three minutes without any data loss.
Security Features
2FAS also offers robust security features. During setup, you can opt for a default 4-digit PIN or a more secure 6-digit PIN. It supports biometrics (fingerprint authentication) for quick access.
Drawbacks
The only downside I found was the absence of peek protection, which hides each entry until unlocked. This prevents onlookers from seeing your authentication codes. While this feature might be required in corporate settings, it’s more of a bonus than a necessity for everyday users.
Next Steps – Get 2FA setup today
If you’ve gotten this far, then you’re probably ready to add 2 2-factor authentication to your current security plan, which is great, but how do you get started? Let me give you the essential steps.
- Download 2FAS(or an authentication app of your choice) to your phone
- Brainstorm a list of accounts whose security is important to you(I’ve added a small list to get you started). Start out with 1-2 accounts based on what’s most important to you.
- Bank Accounts
- Email Accounts
- Social Media Accounts
- Video Game Accounts
- Work/Business Accounts
- Log into the sites you’ve added to your list and navigate to the settings or security pages in your profile. Usually, this will be near the settings to reset your password.
- Find the 2-Factor Authentication or 2-Step Verification area, this could also say something like setting up Google Authenticator.
- After clicking, it will usually provide a barcode that you’ll scan using your new Authentication App. You may have to allow the app access to your phone camera.
- Finally, the site should ask you to verify setup by entering the 6-digit PIN displayed on your Authenticator App.
That’s it. Once you’ve followed these steps, you’ll be on your way to increasing your personal privacy by protecting your data and sites online and protecting your security by introducing an additional strong layer of defense to protect your accounts from being hacked.
From here, you can begin adding additional sites to your 2FA policy as necessary until eventually all of your important data is secured!
If you have any questions feel free to reach out to me at admin@personalprivacyonline.com.
Pingback: Edge vs Chrome: The Ultimate Browser Showdown for Safety