I have been interested for quite some time now in the importance of two-factor authentication – 2FA – (or two-step authentication). In fact, just recently, I discussed the advantages of using a YubiKey instead of an authentication app, which streamlines and speeds up the whole 2FA process.
But YubiKeys cost money, and you may not want to spend money on a security feature you can use for free. Therefore, you will need a good smartphone authentication app to generate the codes to get into your account. Today, we will look at five possibilities. Others have been tried, tested, and ultimately discarded; these survived the rigorous testing at O’Neill Labs, helped by my assistant, Beaker.
First, a Quick Look At Google Authenticator
Before we start looking at alternatives, let’s take a look at Google’s app. You may not be familiar with it, so it’s useful to have a quick look for comparison purposes. Google Authenticator is very well made and more than does the job it promises. There are some Google products which are “meh” and some which are superior. Authenticator definitely falls into the latter camp.
The 2FA process for various accounts (and many are supported) differs from site to site. But to switch on 2FA for Google accounts, you first need to go here and click on Start Setup. Enter your phone number and how you would like the number verified (an SMS is usually easiest). Enter the verification code you are sent, and switch on 2FA.
To use the Authenticator app, you will have to choose the Switch To App option on the Google webpage. Now open Authenticator, and tap the “+” icon at the top right hand side. This will pop up two options at the bottom of the screen. Choose Scan barcode.
When you choose Switch To App on the Google website, a QR code appears. Use Authenticator’s QR code reader to scan the code, and the account will appear on the Authenticator screen. Enter the six digit code from Authenticator into the website box and click Verify and Save. Everything should now be tickety-boo.
From now on, whenever you are asked for a 2FA code, just open up Authenticator, get the current code, and enter it on the account screen. The little countdown icon to the right of the code will tell you how long you have until the code changes.
Now that you have an overview of Google Authenticator, let’s take a look at those five free equivalents. It’s worth setting up a dummy email account and trying them all out to see which one ultimately meets your standards.
Authy has positioned itself as the clear rival to Google Authenticator, and right off the bat, it does have one clear advantage. It offers to back up all of your saved accounts, in case you have to wipe the phone, or if you change phones. It does this by encrypting the information and storing it in the cloud.
Authy also distinguishes itself by offering a desktop app, as well as the smartphone version. So you don’t have to be handcuffed to your phone if you don’t want to. Instead, you can get your codes directly from your desktop computer screen. If you don’t own a smartphone or tablet, Authy is particularly useful, allowing you to finally use 2FA.
Finally, it offers passcode protection, so no-one can just casually access your codes. Why has Google not implemented this with Authenticator?
Authy describes its aim as finding a solution to “a complex problem – killing passwords”. Whether that will happen or not, nobody knows. But they sure make one solid app which gives Google a serious run for their money.
Duo is very visually pleasing. The dark green color, the “interesting” logo, the huge numbers. The only thing which lets the side down is the lack of a countdown clock, so you could be in the middle of typing the number in, only for it to change suddenly.
Duo also knocks Google Authenticator down a notch by offering iCloud backup of all your information. But the downside to that is that it can only be used to restore to the same phone (if you have to reset the phone to factory settings, for example), not to a new phone.
Most intriguingly, Duo also works on ordinary cellphones and landlines, and even BlackBerrys and Windows Phones! So, all the rare, antique devices then.
HDE OTP also offers their users passcode protection, to stop the snoopers from snooping. The app is compatible with all of the popular services — Google, Facebook, Amazon Web Services, Dropbox, Evernote, WordPress — to name a few. The only limitation to this app though is that it is only available for iOS. So, sorry users of other operating systems.
But if you are an iOS user, and want something simple, without many bells and whistles, this is a solid contender to think about.
Authenticator Plus is a free app, but when you start it up, you are told that if you are willing to pay a very small one-time payment, it will unlock lots of other features, as you can see below. You can easily reject the offer though and continue using it for free. It doesn’t seem to nag you again.
To get the full benefit of Authenticator Plus, you should really crack open the wallet or purse and pay the few Euros/Dollars that it asks for. As you can see, it is quite clearly worth it, and puts Google Authenticator to shame.
Everything is encrypted with a passcode, and you can import/export your settings from/to iCloud and Dropbox. Paying the payment gets you cool features such as organizing accounts into categories, cross-platform syncing, and automatic backups.
If I had to choose one in preference to Google Authenticator, this would be the one I would highly recommend.
I’m going to end with one which is very interesting, but I think it is ultimately a bit of a gimmick. It’s still very intriguing though as it shows that a wide range of different possibilities for 2FA are actively being researched. Who would have thought sound would play a part in generating one-time codes?
As is obvious from the name of the app, this option relies on sound to generate the one-time codes. As well as the apps, it also requires that you install a browser extension (Chrome, Firefox, or Opera). Your PC should also have a microphone (we’re dealing with audio, remember?).
When you want to log in, point your phone to the PC microphone, and tap the account on the smartphone screen that you want to access. The app will give off a short ringtone which transmits the temporary code to the browser extension. This pre-fills the code into the website you’re trying to log into. So there’s no typing involved. Just point the phone, tap, and wait.
It was a bit glitchy though, giving me inaccurate codes at first, but in the end, I got it to work just fine. So it looks as if the rough edges on this one need to be smoothed out, making it impractical as your sole 2FA application. Still worth looking at for the novelty value alone.
In an era where hacking and identity theft are on the rise, it is absolutely essential that you enable two-factor authentication. But the key to sticking with it is to find a 2FA solution which you are comfortable with. Whether that’s an app or a YubiKey is a matter of personal preference. But hopefully this article has shown that you don’t always have to follow the Google line, however much they try to convince you otherwise. There ARE other options out there.
Have any of these apps piqued your interest? Or do you already have a firm favorite? Let us know your preferences in the comments below.