I admit it: I’m dithering.
After agreeing that passwords are no longer enough, I continued my mission to explore strange new cyber security worlds and to boldly go where…oops, sorry. Anyway, I carried on looking into 2FA. The default, simplest and most easily understood (at least by me, and, I suspect, by many others) method of applying a second factor is to use SMS, a.k.a. text messages. I’ve experienced this, and it works. Trouble is, it’s far from foolproof: messages can be intercepted, my phone can be stolen and used to read them, or there’s a fiendish fraud trick called SIM swapping that can give the cyber-thief the information they need.
To overcome all these weaknesses, there’s an alternative called Time-Based One-Time Password (a.k.a. TOTP, which in my day always stood for Top of the Pops, but there you go). This method requires an app such as Google Authenticator or Authy, which is generally reckoned to be superior. In addition to overcoming the issues with SMS, Authy has other advantages.
So, having decided to try out the “Authy” 2FA app, I duly installed it on both my Android phone and my iPad. Here’s how the journey proceeded:
On opening Authy on my phone I was asked to enter my “cellphone” number (that’s mobile number to we Brits), consisting of the international code (i.e. 44 for the UK) and then the normal mobile number, which doesn’t need the leading zero and which Authy displays in typical American format. So if my number is 07123 123456, Authy shows it as 44 712-312-3456; slightly confusing but not a big deal.
I then entered an email address (although not sure what that’s used for yet…) and then had to choose between a voice call and SMS for initial verification of the mobile number. (Yes, it slightly goes against the grain to use an SMS verification code in this context – where the point of the app is not to use SMS for two-factor authentication – but as they point out I haven’t yet entered any confidential info in the app so the security risk is extremely low.) After receiving the verification code, Authy was ready to add 2FA accounts.
But first I wanted to install it in other places, because one of the advantages of Authy over, say, Google Authenticator, is supposed to be that it’s much less troublesome if my phone is lost or stolen, or if I port my number to a new phone. I read this Authy page and got slightly perturbed at a potential delay of several days. Nevertheless I decided to press on, so I installed it on the iPad, entered my mobile number and, as before, entered the verification code that was sent to my mobile (by SMS).
Finally, I installed it on a Win 10 desktop PC. This too required an authentication process.
Being the cautious type, before actually setting up any 2FA I wanted to clarify various Authy options, PINs, protection passwords and the like. But although I set out to read the Help info on those topics, I ended up reading an FAQ about the “phone change process“.
And I was alarmed.
It was all starting to sound rather involved and potentially complicated. Now I’m torn; I know that SMS-only 2FA is insecure, insofar as it can be bypassed by various nefarious means, but do I really want to go this more complex route??
I’m going to do some more reading before taking the plunge. I understand all the arguments for not using SMS, but my brain just hasn’t yet got to grips with all the scenarios. It whispers to me: “What’s the point of increasing the security of your online accounts if you can end up being locked out of them for days – or even permanently?”
Have you used an authenticator app? What do you think about my hesitation? Shall I just quit dithering and dive in?