Better Two-Factor Authentication (2FA)

The Authy App Is Safer than SMS for 2FA

We have required all of our customers to use two-factor authentication (2FA) from day one. In keeping with our security-first philosophy of protecting and educating our customers, we want to provide some background on our 2FA system to encourage our customers to use the Authy app for 2FA rather than SMS, and to dispel some common misconceptions.

About Authy

Authy offers multiple options for second-factor verification:

  1. SMS: One-time passcodes (OTPs) are delivered via text message.
  2. Voice: Similar to SMS, with the codes read aloud by an automated text-to-speech system.
  3. Mobile application: Users install an app (or Chrome extension) which generates an OTP from a secret “seed” shared with the service at enrollment and the current time, following the TOTP standard (RFC 6238, which builds on the counter-based HOTP algorithm of RFC 4226). TOTP is an open standard implemented by multiple apps, including Google Authenticator and the Authy app.
  4. OneTouch: Pioneered by Duo Push, this model dispenses with codes altogether. Instead users confirm a login by responding to a simple yes/no prompt.

Each of these options comes with different tradeoffs. SMS is simple and can work on any mobile phone including legacy flip-phones that are not “smart” and don’t have an application ecosystem. Voice codes further improve accessibility by allowing codes to be sent to landlines or heard by users who have difficulty with visual information.

TOTP codes are computed on the device from the seed and the current time, so generating them requires no internet connectivity. TOTP apps work offline, even if the phone itself has no service (e.g., when a user is outside a coverage area), as long as the device clock is reasonably accurate; verifiers typically tolerate a step or two of drift. OneTouch further improves usability by avoiding the need to transcribe digits from one device to another, but (unlike TOTP) it does require a data connection so that the prompt can reach the phone.
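To make the TOTP mechanism described above concrete, here is an added example (not code from the original post, and not Authy's implementation) that generates and verifies codes per RFC 6238 and RFC 4226 in Python. The seed is the public test secret from those RFCs, used here as a constructed value, and the base32 form reflects how authenticator apps usually receive a seed in an otpauth:// URI. The verifier side shows the two details a practitioner needs beyond the generator: tolerance for a small amount of clock drift, and rejection of a code that has already been accepted, since a TOTP code stays valid for its whole time step. Function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed seed: the published test secret from RFC 4226 / RFC 6238
# (ASCII "12345678901234567890"). It is public, so never use it for real enrollment.
TEST_SEED = b"12345678901234567890"
# The same seed as an app would receive it in an otpauth:// URI (base32, unpadded).
TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def seed_from_base32(encoded: str) -> bytes:
    """Decode a base32 seed as found in otpauth:// URIs; tolerate lowercase, spaces and missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                             # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch.
    Nothing here touches the network; only the seed and the clock are needed."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int, last_used: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1) -> Optional[int]:
    """Verifier side. Accepts codes from `skew` steps either side of the current one to absorb
    clock drift, compares in constant time, and refuses any counter <= last_used so that a code
    seen in transit cannot be replayed for the rest of its time step.
    Returns the accepted counter (store it as the new last_used) or None."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    current = unix_time // step
    accepted = None
    for delta in range(-skew, skew + 1):          # check every window; no early exit
        counter = current + delta
        if hmac.compare_digest(hotp(seed, counter, digits), candidate) and counter > last_used:
            accepted = counter
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    seed = seed_from_base32(TEST_SEED_B32)
    code = totp(seed, now)
    print("current code:", code)
    print("accepted counter:", verify_totp(seed, code, now))
    print("same counter rejected as replay:", verify_totp(seed, code, now, last_used=now // 30) is None)
```

The RFC test vectors (for example, time 59 with an 8-digit code yields 94287082) make a convenient self-check for any TOTP implementation. Note that the drift window is a security trade-off: each extra step of `skew` doubles the number of codes an attacker could guess, so keep it small and rate-limit attempts.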

Encouraging Mobile Apps

We recognize, at the same time, that there is no one-size-fits-all solution. Customers may have unique requirements which rule out the Authy mobile app, so we will continue to support SMS. However, once you have enrolled the Authy app, you will no longer be able to request codes via SMS. We’re doing this to prevent would-be attackers from circumventing the security of the Authy app by falling back to SMS, where control of your phone number alone would be enough.

Risks Associated with SMS

Last July, the National Institute of Standards and Technology (NIST) recommended, in its draft of Special Publication 800-63B, that SMS be deprecated as a second factor. Almost on cue, the industry experienced an uptick in phone number hijacking. In this type of fraud, a miscreant impersonates the legitimate customer to a carrier and asks to port the number to a different carrier (or, in the related SIM-swap variant, to a new SIM at the same carrier). If the attacker succeeds in convincing the carrier to reassign the number to an attacker-controlled device, all voice calls and SMS messages are routed to the perpetrator. As a result, any 2FA system relying on SMS or voice for delivering one-time passcodes is susceptible to such attacks, no matter how strong the rest of the login process is.

Setting up the Authy Mobile App

Looking Forward

Not every risk can be addressed by changing how one-time passcodes are generated or delivered. As long as a user can be tricked into entering a valid code into the wrong website, phishing remains viable against SMS, voice and TOTP alike, because none of those codes is bound to the site that requested it. For these reasons, we are continuing to explore alternative 2FA paradigms for Gemini, such as U2F, in which the device signs a challenge tied to the origin of the site, or Authy OneTouch, both of which are based on fundamentally different models. (Case in point: our internal systems for administering the exchange use public-key authentication with hardware tokens based on the PIV standard.) Our priority is to find a solution that combines high security and usability, and is available to our customers across a broad range of platforms.

Security professional, Googler, Manhattan refugee adjusting to Bay Area life, MSFT alumni. (Opinions expressed are my own; I do not speak for my employer.)