Feature Friday: Two Factor Authentication

With everything in the cloud now, it is important to protect your most sensitive information. I like two factor authentication for doing that. Bad people can steal passwords, but stealing your password and your phone at the same time is not as easy. And under the theory that being harder to rob than your neighbor is often enough, I feel pretty comfortable with two factor auth security and use it on as many online services as I can.

But having a dedicated piece of hardware, or a dedicated mobile app like Google Authenticator, for every web service is also a pain.

I've been watching a company called Authy for the past few years attempt to solve this problem. And I think they are getting there. I use their app as my primary way to get two factor codes on my phone. They support Google Authenticator codes as well as a host of other web services. They have an API so other developers can easily add Authy support to their apps.

So I have two recommendations.

1) If you are a user, see if you can set up two factor autentication on the web services that host your most sensitive information. And see if they support the Authy app.

2) If you are a developer, think about adding Authy two factor support to your app.

And if you have logged in sensititve information on your phone, use a pin to lock it down.

I am far from paranoid. If anything I am too trusting and prefer convenience over security in most cases. But when things should be protected, you need to protect them.

#mobile#Web/Tech

Comments (Archived):

  1. William Mougayar

    I will try Authy. Great name.What do you think of password management services that also encrypt them further, like PasswordBox http://passwordbox.com

    1. fredwilson

      I dont use them.

      1. asicengg

        I haven’t used passwordbox, but I do use the free version of lastpass which I think is similar. I really recommend lastpass, because it really allows you to have a different really strong password for every website. That’s really handy when some site gets hacked – it’s not like the hackers will have the password to any other of your accounts.A different aspect of security for sure, than what Authy is tackling.

  2. Julien

    2 factor auth is a very useful feature indeed. Can’t wait to see it supported by banks for example.However, I wish they were also not just reliant on the mobile phones/network.My only concern is that there is *always* a risk of being locked out and that these protections may eventually turn against us.I’d love to see a 2 factore auth pattern relying on “social”. Where my friends on social networks could confirm that I am who I claim I am, if that’s possible at all.

  3. mikenolan99

    As I have moved 100% to the cloud, I too worry about security. I’ve been using Dashlane for a while, and like it (B+) but if it has two factor authorization, I have not found the feature.Two factor is a key feature for “master password” vaults – would be great to be able to log in for 1 a 24 hours via a second verification…. Will give Authy a try.

  4. Nicholas Bagg

    How does this replace / improve on Google Authenticator?

    1. fredwilson

      Think google authenticator but for all of your apps instead of just the google apps

      1. Nicholas Bagg

        Thanks. I was under the impression Google Authenticator could be used for other apps; I use for Dropbox.That being said, you have to open up a separate app. A preferred use case would be to be able implement within an app so you end up with less “clunky” experience.

        1. fredwilson

          i did not know that. i feel like a company that is dedicated to being your aggregated two factor auth platform is likely to provide a better solution to developers and users

          1. Nicholas Bagg

            Agreed 100%.

          2. Aaron Klein

            I use Google Authenticator for both Google accounts, Stripe, Evernote, Dropbox, etc.The problem I see with a standalone company doing this is the question of monetization. What add-on services would be cool enough for them to make money, when Google has it free as do many others?

          3. fredwilson

            great point

          4. Aaron Klein

            The only thing I can think of is the other side of the network. “Here’s a two factor widget to drop into your app for $99/year so you don’t have to write to Google’s APIs and maintain that code.”Still a tough sell.

          5. Matt A. Myers

            Acqui-hire by Facebook and then ruin!

          6. Aaron Klein

            LOL.

          7. Matt A. Myers

            At least they may not have alternate motives to influence the experience.

          8. digerati9

            Fred, this is actually just using Google Authenticator codes for all the apps. It has a more differentiated display (Google displays them all in line so its harder to see which is for each app) but this adds no functionality.

          9. ToopherSeth

            Check out Toopher for a better two-factor authentication experience. It’s more than just one-time passwords repackaged. Faster, easier, more usable invisible authentication.

  5. awaldstein

    Post suggestion.A discussion on the what appears to be Disqus targeted ads from publishers at bottom of post.Was wondering what I was looking at till I read the explanation. Pushing these before the data match is really crisp is a bold more.

    1. fredwilson

      Next Friday. Done

      1. LE

        Slippery slope. Remember get up in the am and write whatever moves you.

    2. jason wright

      i was wondering this myself yesterday, the moneynews and moneyvista links caught my attention. i couldn’t see the nativeness of them.

      1. awaldstein

        I’ll hold till next week.As a publisher of sorts, be cool to get sold on these by Disqus as I’m sure every blog has the opt in to decide to let them be there. Understanding the dollars, the overrides and the like.I like the idea. Execution will be everything.

      2. awaldstein

        Native monetization I get. Native interrupt ads are just displays you can’t avoid, ala YouTube.

        1. jason wright

          if we follow Fred’s view that an ad on twitter should be in the form of a tweet then an ad on here should be in the form of a post. a random bottom feeder ad doesn’t work for me.

          1. fredwilson

            The problem with promoted comments is that it would be hard to scale without putting comments out if context into the thread

          2. jason wright

            i agree. it is already not always easy to follow the chronology and narrative of a thread’s development at avc.there’s room for ad innovation in disqus world.

    3. JamesHRH

      IS there a chance that CDN users are not seeing any of what you are talking about?Or do I have other issues (restrain yourself!)

      1. awaldstein

        Holding….Should be a great discussion. I want to bite but I won’t.

        1. Matt A. Myers

          Maybe I should delete my comment and post it next Friday … I have less restrain than you… must be I’m young, or the French part of me.

      2. fredwilson

        if you are logged in, the thumbnails are at the bottom of the comment thread if you are not logged into disqus, they are at the top of the thread

        1. JamesHRH

          I have around the web at the bottom of the thread. No ads, just the usual link bait.

          1. William Mougayar

            That’s the ones we’re talking about. “around the web”.

      3. Matt A. Myers

        (Haha)I’m getting ads that look targeted, too – with big ugly intrusive images.Intrusive ads with images are why Facebook will be able to fall, not good if Disqus is going to depend on them as a major source of revenue.

  6. jason wright

    i’m so paranoid that i never tell my right brain what my left brain is doing.

    1. William Mougayar

      Ask your nose.

    2. Matt A. Myers

      You my friend need yoga nidra! πŸ™‚

  7. jason wright

    is this a chrome/ android only thing, or do iOS users also get to play?

    1. fredwilson

      there is an iphone on their front page. i assume that means it runs on iOS too

      1. jason wright

        i hadn’t looked. sorry.

      2. Matt A. Myers

        That would be pretty horrible and disconnected design if not πŸ™‚

  8. jason wright

    for tablets too, or just phones?

    1. fredwilson

      not sure

      1. Authy

        Tablets too!. Any android or iOS device. Soon Blackberry, Windows – and every intelligent device.

        1. jason wright

          nice.”Soon Blackberry” – you know something we don’t?

  9. mark

    I use authy for coinbase. i’m happy with their product.

  10. William Mougayar

    How about biometric authentication like retinal scan? Maybe an idea for Authy to add to their arsenal of stepped authentication.Why not use our smartphone camera as an iris scan device?

    1. PhilipSugar

      That is the one thing I hated giving up to Canada. I could take my four fingerprints but that too?

      1. William Mougayar

        Are you referring to the Nexus ID cross-border pass? It’s operated jointly by the US and Canadian immigration.Apparently, it’s the most accurate and secure biometric identification.

        1. PhilipSugar

          Yup.

        2. Matt A. Myers

          And now with your retinal scan, they can 3D print an exact replica, and get by any scanner – maybe just need someone with a missing eyeball to insert a glass one that’s been laser etched.Obviously most everyone wouldn’t go to these lengths, but what if you’re trying to replace some super high level security or military member of a different government – or research official, etc..Basically, whatever you see in Mission Impossible is probably possible in order to get through security measures.

          1. William Mougayar

            Really? I read it’s very reliable and fool proof. The fact that Nexus uses them in the kiosks at airports is a good validation of that. They wouldn’t mess with something as important as people going in and out of the US/Canada.

          2. CJ

            You mean like the body scanners at the TSA checkpoints that barely work and might give you just a bit too much radiation?

          3. PhilipSugar

            Ok….seriously? I am going to have to call bs. Please post a link..

          4. LE

            This falls along the same lines as people who refer to something in the law as absolute or believe that just because the government can prosecute you they will prosecute you.In theory:https://www.eff.org/deeplin…Point being it’s close enough to reality to make it into the movies in an action thriller given the person being scanned is a high value target. Which I think was Matt’s point. Interestingly I always though Matt’s old avatar made him look like Tom Cruise.

          5. Matt A. Myers

            I suppose I should switch back to my old avatar. Maybe photoshop some sunglasses on my face.

          6. PhilipSugar

            I stand corrected. I have sent somebody to that conference every single year since its inception.Our favorite was when they showed how you could beat a $15k lock that required a smart card and pin entry by simply bonking it on the top with a neoprene hammer. http://www.forbes.com/sites

          7. LE

            I had the same reaction though that you did. Only when you challenged it did I do a search.Interestingly (I sometimes try to reverse engineer wording) I think the thing that gave us that reaction was the way Matt worded it.My guess is that if the style hadn’t been flippant we wouldn’t have had that reaction.And now with your retinal scan, they can 3D print an exact replica, and get by any scanner – maybe just need someone with a missing eyeball to insert a glass one that’s been laser etched.I play with style and wording many times when I’m negotiating by email in order to lead the reader in a particular direction that I want them to take.Maybe like this:Retinal scanning and 3d printing is almost to the point where they could potentially be able to print a replica and get by the scanner (then insert link to the article)…or something like that.

          8. PhilipSugar

            I looked and did not find your article

          9. Matt A. Myers

            It’s a theory based on what I know of what’s possible. The technologies I mentioned do exist, and even if they needed a ‘moving’ and reacting eye – that could be done too.The last line regarding if you see it in Mission Impossible was more of a joke..

      2. panterosa,

        Funny story on fingerprints. My English mother, 4 star cook, insists on hot plates. We joked always that she made the plates so hot they would melt your fingerprints.Last time she went through immigration they couldn’t read hers. Turns out we were right!

        1. William Mougayar

          wow.

          1. panterosa,

            That’s what growing up in WW2 London with no heat will do to you – you become obsessed with having hot food. And growing up with grey overcooked vegetables made her into a top notch cook.More and more I see we grow up obsessed to fix the bΓͺtes noires of our childhoods….

    2. Sebastien Latapie

      I completely agree with a push to biometric authentication. I’m thinking of the iPhone 5S and their fingerprint reader. It is great to be able to purchase apps without the needing of inputting my password but just pressing my thumb down.

      1. PhilipSugar

        You still need two especially if you get in a drunken stupor. Sorry Canadians

        1. William Mougayar

          No prob. All the US comedians and talk shows are loving Rob Ford because he is providing them free daily material.

    3. CJ

      The problem is that once it’s compromised it’s irreversibly compromised. That’s the biggest hurdle to cross. That and the knowledge that it will be compromised somehow.

      1. Roman Gonzalez

        Agreed here. Also, there’s a vastly unacceptable false positive rate, which is so much worse than a false negative rate. They’re going to have to get it significantly more accurate for me to consider biometrics as the best option. The unchangeability of it doesn’t jive well with me either.

  11. Guest

    I’m the target of identity theft (currently). It hasn’t been hard to adopt a new perspective: I don’t need the convenience of online access to everything, so the dual auth thing, while great, hopefully will not be relevant shortly.

    1. Matt A. Myers

      :(I can only imagine how much of a headache it is though to have to go to each account.It’s more a matter of how much damage can be done, that can’t potentially be undone, if they quickly get access to all accounts – vs. – how quickly you can return things to “normal” and alleviate and refute or reverse any damages done ASAP. And what’s that worse to insurance companies or otherwise to know that $10,000 item purchase wasn’t yours, or a $100k mortgage taken out was yours, etc.. (I don’t know all of the possible scenarios)

  12. John Revay

    Hanging out w/ some of my friends after college – we always had this saying….Protection, Protection, Protection!#FunFriday

  13. ShanaC

    I should try this. And set up 2 factor for twitter and facebook. And for google apps…(which doesn’t seem to have a way to turn it on easily…drives me nuts)

  14. Morgan Warstler

    I have always suspected the best value of a smart watch, or even less secure Bluetooth LE would make two factor easier. If my phone is next to my computer, or my watch is next to my phone, letting me only type in one password ought to be two factor, no?

  15. panterosa,

    I heard about years ago, and have yet to see, biometric motion signature capture (no idea of correct name). It’s not just that my signature is x, it’s the speed and pressure of making the x which the screen records the pen’s movements. Seems much better than pass-wording.No idea why it never caught on. If anyone can tell me why, I’d love that.

  16. Matt Zagaja

    As a security minded person I have been using Google Authenticator with a bunch of services for a while now. I got the PayPal security key when it was released years ago. Does authy backup the keys? When I upgraded my iPhone to the 5s I thought Google Authenticator would and was surprised when I restored my backup and they were gone. I had to go to each service and initiate the recovery procedures. Some were simple, like Dropbox let me login from my already signed in desktop app using an interesting trick. Amazon Web Services had me call them and prove I was me.Secondly I think security is important but this creates a ton of friction for users. As someone who has worked in IT departments at my school, and just from seeing “normals” use their phones in the real world, it seems that many if not a majority of individuals do not remember their regular passwords and the consequence of this is they usually end up not using whatever service requires the password. This means smartphones do not have apps added to them. This limits the potential market for the apps and probably ends up costing developers and startups real money and market.TouchID on my iPhone 5s seems to be a nice solution to this. When it works it is great for unlocking the phone and especially delightful for purchasing things on iTunes. No password required. I am hopeful that it will eventually work with iCloud keychain and/or third party apps.

    1. pointsnfigures

      great point about backup. I would get in a pinch and forget every damn password I inputed.

  17. kirklove

    Authy is dope. I use it with Coinbase (pimping for you). It feels like magic.Plus their UI is fantastic.

  18. Drew Meyers

    Really awesome timing. Been thinking through our user authentication flow this morning, I show up for my AVC coffee, and wham – a post about authentication greets me πŸ™‚

  19. Salt Shaker

    Bank and financial service online security is atrocious. They obviously don’t publicize but the amount of theft in the industry is outrageously high. I came very close to losing $100K to a Russian based ring of identity thieves. Of course, my liability was capped but it was extremely unsettling and did not engender much confidence in the system. I try and do as little online banking as I can, although that’s becoming increasingly more challenging. If two factor or even biometric authentication helps to solidify, then sign me up. It’s only an inconvenience until you are victimized!

  20. jonathan hegranes

    Of course, my favorite use case for Authy is Coinbase!!

  21. LE

    Authy is a great idea but at this point I would never use it for any production web service.For a security solution or anything mission critical (and this is) I prefer a company that is a larger and more established. From what I’m seeing on their site I am not getting the feeling that I need in order to feel confident enough to recommend integrating their products. And you know what? I really don’t care if other startups have decided to use it. Not going to walk off a cliff by following a weak link.Separately I don’t like the fact that pricing is not front and center or easily found.My first thought was “I don’t like that this is free”. So I googled and came up with this page:https://www.authy.com/devel…But there is no link for that anywhere (that I can find on the site). All I can see is “get started for free” on the developer page. Why?Pricing should be clearly stated up front. I’m not looking to hunt for something that might happen later.This is a really bad practice especially for a company that is selling trust or security services.

    1. Dale Allyn

      I hate when services don’t put the price right on the landing page. No need for the whole pricing structure, but at least “Starting at $10 per month” or whatever and a prominent link to a price guide. And don’t show me the lowest rate for the five year signup option or something ridiculous like that (like web hosts often do). Burying the price is disrespectful of the potential user, and suggests they’re not proud of their value proposition. = bad business.

      1. LE

        In traditional type businesses not including pricing is typically a marker for shady practices.If someone is hiding pricing it means they are either trying to pull one over on you or the price is high and they want to make sure they get the lead so they can have a chance to sell you. (Because a high price will mean you won’t contact them at all.) If I run an ad and tell you a new bathroom like the one in the ad photo will cost $50,000 you may never call me.This is not what happens with startups almost certainly though. They just don’t know any better. They don’t have any history in the business world and the only thing they can do is mimic what they see others doing w/o regard to whether it makes sense or not. They don’t know the pros and the cons. No judgement.I also wonder how much shopping car abandonment happens because people don’t have complete information to make a decision. Unanswered questions means “I’ll come back later to many unknowns”.

        1. Dale Allyn

          LE, we agree on this. To me it shows a lack of intimate business knowledge and sensitivity to what makes a potential client comfortable with engaging in business with a service.

    2. awaldstein

      If everyone in the world felt like they would never take a chance on something that seems better but was from an unestablished player, nothing in the world would every change.What a grim future that would be.

      1. LE

        Which is why I’m perfectly wiling to let other people take the chance and insure we don’t have a grim future. [1]But I am perhaps looking at it through a difference lens than you are. The amount of risk you are willing to take relates to what you stand to loose vs. what you stand to gain. [2]By the way “established” player in my book doesn’t accurately explain my way of looking at these things either.Amazon is an established player but they are also large and arbitrary in their actions with no accountability. My local bank is an established player but I can’t even get them to refund a $17 charge on my statement (so far the fun has not ended). In that case the established player can also be the wrong choice.[1] I’ve told the story about how I got a big contract out of college going up against Xerox where I told the purchasing agents that if they wanted the secure choice they should go with Xerox. I really did. But if they wanted someone that would really bust their ass (and some other stuff I can’t remember) they should go with me. And they went with me. And I had maybe 1 employee at the time. And didn’t even have the equipment. Point being I fully understood why it made no sense for them to choose me. And I sold to that point with success. So in this case they choose correctly (person ended up getting promoted) but 9 out of 10 it would be the wrong decision.[2] My guess is (only a guess) that I know much more about machinery, computers, programming, security than you do. So I have more of a sense of what can and does go wrong. And how close to the edge these places fly. And how little some of them actually know (not a comment on authly just a general comment).

    3. jason wright

      “Help” on the home page has the “Developer” option, click it, and at the top of the next page is “Pricing”.

      1. LE

        That is a “where is waldo.”Wouldn’t it make sense to include it on the home page, and the developer page and a link from the faq and where you are saying it is? The answer is yes.Whose brain says “I want pricing” and then thinks hmm “I’ll try help. Then I’ll click on developer”. “Oh, there it is at the top”.Not to mention that it needs to be at the footer as well.Lastly should not assume that if someone is a consumer and not a developer that they don’t think “what is the pricing for me, do I pay or is it free”.Ambiguity causes lost sales. Period.

        1. jason wright

          giving up privacy on the web is free, and keeping privacy on the web has a price.we live in a web culture where things are free, and it’s a counter culture move to be charging for things.

  22. daryn

    I started a company trying to do 2-factored authentication as a web service back in ’06. Still love the idea, unfortunately didn’t love my relationship with the cofounder, or our (my) execution.https://www.mypw.com/

  23. rmchrQB

    Just curious if anyone has tried TeleSign for 2FA, as opposed to Authy, and how it might compare. I have not. Would welcome feedback.

  24. Matt McCormick

    If you want to become truly paranoid, you should read this article from Wired:http://www.wired.com/gadget…Kind of scary how bad a couple of big companies are at security (Apple and Amazon) and how even a tech savvy person can have invaluable data (a year worth of baby pictures) destroyed by someone whose only motivation was to be an ass.Just think what the people motivated by money could do.

  25. Rick Mason

    The leader in two factor authentication is Duo Security. Very smart and focused team backed by Google among others.

  26. ParanoidChris

    I’m so paranoid, I wait until my 2-factor code only has 2 seconds left before I type it in.

  27. Peter Van Dijck

    What I do with my new company and team is use Meldium. Two-factor for Google, and everything else gets a really long password 9d8ifurnnskiuh-odijsnh22 and then we use Meldium.com to manage all the accounts we have (tons) within the team. Works great so far.

  28. Calvin Conaway

    Hi Fred, I jumped on this for my web app zenbilling.com, but found the process of getting started using Authy not so easy. The registration process itself was complicated, and then I couldn’t get the API tutorial to work. It won’t validate the token for me, and I’m not sure how to make it. It won’t send SMS token either. I love what it aims to do, and the elegance and simplicity with which they aim to do it, just seems like it’s falling short in a few places …

    1. fredwilson

      Great feedbackThanks!!

  29. Alex Prushynskyy

    How about using your iPhone 5s finger printing tech to double oath on the web. The app on the phone prompts the scan when you login to your Gmail for example. The number of the people with 5s is quickly growing and its easier than retinal scan, since phone cams probably not that great yet and it looks awkward to do.At some point you can bypass password all together and just scan your finger all day long to log into services.

  30. Prokofy

    I’ve heard so much about the need for “two-factor authentication” but I’ve been puzzled until now how I could actually get it. Thanks for the tip.

    1. Roman Gonzalez

      Plenty of products offer consumer facing applications. There are some cooler ones out there. Check Clef, Launchkey, and Toopher, for instance. Clef is kind of like a glorified QR code as I understand it and Launchkey has some key vulnerabilities. I’m a fan of Toopher since after you set it up, you kind of don’t have to do anything anymore — no codes or using your phone or anything. Mailchimp uses it and I actually forgot today when I signed in that it was using multifactor. I smiled a little inside.

  31. nickowen

    Authy and Duo are fine hosted solutions, but most enterprises want to control the keys to the kingdom. We offer an opensource version as well a supported Enterprise version with LGPL API packages, Radius, LDAP etc, http://www.wikidsystems.com/