
Y0ur P@ssw0rd S*cks is a bi-weekly column that answers the most pressing internet security questions web_crawlr readers have to make sure they can navigate the ‘net safely. If you want to get this column a day before we publish it, subscribe to web_crawlr, where you’ll get the daily scoop of internet culture delivered straight to your inbox.
Welcome to Your Password Sucks, the Daily Dot newsletter that answers all your internet security-related questions.
Today, we’re here to discuss which two-factor authentication (2FA) you should use.
If you’ve read this newsletter column more than once, you know we stress the importance of using a password manager, generating and storing unique and complex passwords, and using 2FA. Those steps alone will place you ahead of the pack when it comes to security.
We’ve also discussed the different kinds of 2FA, such as SMS-based (better than nothing but not ideal), app-based 2FA (good), and physical USB tokens (the best!). But there are many options when it comes to 2FA apps. So which should you choose?
Which 2FA should I use?
What app will work best for you depends on several factors. Do you lean more towards security than convenience? Or the other way around?
One of the most popular apps is Google Authenticator. If you’re looking for ease of use, it is likely your best bet. You can have your 2FA secrets (the per-account keys the app uses to generate each six-digit code) synced to your Google account, which makes moving them from one phone to another painless.
The downside is that your secrets no longer live only on your phone. Anyone who gets into your Google account could potentially pull down your 2FA data along with it. That is unlikely to happen if the account has a strong, unique password and 2FA of its own, but it does mean the security of every synced account now rests on the security of your Google account. If you prefer, you can skip the sync entirely and use the app offline, with nothing tied to a Google account.
Another problem is that the app does not encrypt your secrets with a password of its own; it relies on your phone’s lock screen. Anyone who picks up your unlocked phone can open the app and read codes, or use its account-transfer feature to copy every secret to another device. Again, this might not be a realistic threat for you, in which case the trade-off may be worth it.
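To make concrete what an authenticator app actually stores, and therefore what a cloud backup or an unlocked phone exposes, here is an added example that is not part of this column or of any of the apps discussed: a minimal RFC 6238 TOTP implementation in Python that reads the kind of otpauth:// URI an enrollment QR code carries. The sample URI, its account name and its secret (the RFC 6238 reference key) are constructed for illustration. Anyone holding a copy of the secret produces exactly the same codes, which is why the secret, not the codes, is what needs protecting.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI (the payload of a 2FA QR code). The account is
# hypothetical; the secret is the RFC 6238 reference key "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract what an authenticator app keeps after scanning an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(secret_b32),  # this is the value a backup contains
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC of the time-step counter, dynamically truncated to N digits."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(submitted, secret, for_time=None, window=1, **kwargs):
    """Server-side check of a code against the current step and `window` steps either side.

    The window tolerates clock skew; the constant-time comparison avoids leaking how many
    digits matched. A code verifies identically no matter which copy of the secret made it.
    """
    if for_time is None:
        for_time = time.time()
    period = kwargs.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret, for_time + step * period, **kwargs)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_OTPAUTH_URI)
    code = totp(entry["secret"], digits=entry["digits"], period=entry["period"],
                algorithm=entry["algorithm"])
    print(f"{entry['issuer']} ({entry['label']}): {code}")
    # Whoever restores the same secret from a backup gets the same code at the same time.
```

`totp` is the whole of what the app does at code time: a keyed hash of the clock. Nothing in it depends on the phone, so a secret copied out of a cloud backup or an unlocked device is as good as the original, and a synced-but-unencrypted backup is equivalent to handing over every enrolled account.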
Google Authenticator vs Authy vs Aegis
Next up is Authy, which offers many of the same features as Google’s app. One plus is that your secrets are stored in encrypted form, protected by a backup password you choose. But you have to sign up for an Authy account to use the app, and that account is tied to your phone number, which, depending on the threats you face, can expose you to SIM-swapping attacks.
With control of your phone number, an attacker could attempt to take over your Authy account and enroll a device of their own. Again, unless you’re hoarding millions in Bitcoin, you’re unlikely to be targeted this way.
Nevertheless, it’s something to think about, and two settings are worth checking if you go with Authy: turn off “Allow Multi-device” once your own devices are set up, so a new phone cannot be added with just your number, and pick a strong backup password, since it is the only thing standing between a copy of your cloud backup and your secrets. The other issue is that your secrets are stored in the cloud at all. Yes, they’re encrypted there, and yes, that is what lets you use them on multiple devices. Very convenient. But that is the security trade-off.
Last is Aegis, which is Android-only. Unlike the previous two apps, Aegis is open source, meaning its code is available for anyone to vet. It also works completely offline. No account needed, and your secrets never leave your phone, so nothing is stored in the cloud.
Not only that, the vault is encrypted on the phone, so anyone who tries to get in needs your password or your biometrics, depending on what you chose during setup. You can have it back up the vault if you prefer, and those backups are encrypted with the same password, so a backup file on its own is useless to whoever finds it.
All in all, if you want maximum convenience, choose Authy. If you don’t need the bells and whistles, Google Authenticator will do. And if you want the best security, grab Aegis. The pattern to notice is that each step up in convenience moves your secrets somewhere beyond your phone, and that is the thing to weigh.
Remember, any 2FA is better than no 2FA. Stay safe!