Whether you are using the Internet to buy stocks, currencies, or investing in something else or you are using it to shop on Amazon, your data is at risk. When I say data, it includes not only your financial info like CC details, SSN numbers, and bank account details, but also your name, address, and email IDs. To counter these hacks, 2FA was created as a means to add an additional layer of security.
For the uninitiated, 2FA stands for 2-factor authentication where after entering your ID and password, you will need to enter a 6 digit code that will expire within a set period of time. This code can be received via SMS or generated using apps like Authy and Google Authenticator. Using a 2FA app is much easier, quick, and reliable as sometimes, SMS codes may take time to deliver depending on your network. I have faced this issue personally.
Let’s see which one is better and why. Plus, some 2FA generator app work without an Internet connection, in case you were wondering.
1. Tied to Phone or SIM
This is probably the first thing that you will notice and also one of the most important differences between the two services. When you install Authy for the first time, it will ask you for your mobile number. Google Authenticator will not. Why?
This is because Authy assigns itself with your SIM card and Google Authenticator assigns itself with your mobile device on which you have it installed. This is where Authy loses, making it more vulnerable to hacker attacks because SIM cards can be spoofed making Authy that much less safe than Google Authenticator. Getting hold of your device will prove to be much tougher.
Note that in order to use Google Authenticator, you will have to sign in using one of your Google accounts. So make sure you use the one which is your primary and permanent account.
Also Read: A Guide to Windows 10 Login Security Options to Protect your PC
2. Back Up
You have enabled 2FA on all the important sites that you use and you are all set. Now, the moment comes when you have lost (stolen) your phone or simply want to change it. How do you transfer all the codes to the new phone?
While Google offers no way to back up 2FA codes and data to the cloud, Authy does. If you are using Google Authenticator, you will have to use the backup codes that were generated at the time you scanned the QR code, and use them to disable, re-enable, and rescan the codes on a new phone.
Authy comes with multi-device support. What does that mean? It means that Authy will create an account in the cloud and all the codes are backed up there. In case your smartphone is compromised or switched, you simply download the app on a new phone, install the app, establish your identity and voila, all your codes are there.
You can also manage devices and remove or add them as you like. This makes it easier to transition to a new device making it the preferred choice.
What about the security flaw mentioned in point 1 then? If you want to use Google Authenticator, I have a workaround that involves two smartphones. If you scan the same QR code on two different smartphones using Google Authenticator, both the phones will show identical codes. If you lose one, you always have the other. Don’t forget to wipe your stolen/lost phone remotely using Google’s Find My Phone service.
3. App Passcode
I am not sure why but Google Authenticator lacks this very basic feature. Judging by the importance of this app, and how many accounts it is connected to, Google dev team should have included app passcode by default. Makes it that much vulnerable.
Authy, on the other hand, allows you to passcode protect it. After all, it allows access to everything you have and own digitally. Note that you can also unlock Authy using your fingerprint apart from the 4-digit numerical value that you set above.
Also Read: Best Cross-Platform Password Managers to Keep Private Data Secure
During my research, I found out that there is much misunderstanding among the users of 2FA about Authy. I think it needs to be cleared up. Most sites that support 2FA list Google Authenticator, by default, as a way to scan and save 2FA codes. This does not mean that you cannot use Authy on the same sites.
In fact, you can use Authy anywhere you use Google Authenticator because both the apps offer similar functionality. Only their UI, security, and priorities seem to be different.
5. Offline 2FA Token Generation
You are on a holiday, maybe hiking in a remote area, and there is a need to access one of your 2FA secured accounts. The only problem is that your smartphone has no network. Turns out that both Google Authenticator and Authy are able to generate 2FA codes offline.
This makes it easier to use these two 2FA app leaders anywhere in the world. Even if you have no network or have your smartphone set to Airplane mode because you are flying back home from your trip.
To test the feature, I enabled 2FA on a dummy Godaddy account, set my iPhone to Airplane mode, and tried logging in using the codes generated by Authy. Worked like a charm. The same process was repeated for Google Authenticator too. So its a draw here as far as offline code generation is concerned.
Also Read: 10 Best Android Antivirus & Mobile Security Apps with Anti-theft Protection
Google Authenticator vs. Authy
Which one should use choose and why? Big question because your life may depend on it. Google Authenticator is not featured rich but seems to be more secure. Authy has some additional features like multi-device support and cloud backup but seems to be less secure. Note that if you have two smartphones, as discussed earlier, you can use Google Authenticator on both.
It all comes down to convenience and the purpose of 2FA. How secure do you want to go and where exactly are you using 2FA? Both the services are good and none of them has been hacked yet which cannot be said for LastPass which also provides a similar app.
Authy may ask for a phone number but, you can use a Google voice number or other VoIP. The phone I use has no sim card.
Authy disables multi-device functionality by default. When you want to add multiple devices, you add enable the feature, add the device, then disable the feature. The devices you already added will stay there, but a spoofer will not be able to install Authy on his device. So I disagree with your No 1 criticism.
If Google gives you a QR code to tie your device to its authentication service, that would imply that the QR code would need to appear on a computer screen to be read by a phone or phones, no? If so, why couldn’t one take a screenshot of the code first, then save it for future use with a new device when it comes time to upgrade? Just wondering…
The setting used to be the other way by default. Only after it was pointed out did they change the default. If someone gains control of your phone number, they can still cause a problem with Authy even with the default as it is now.
What then about about SMS if authy needs to text you?
I use an online system that uses 2FA as security. Many of my co-workers use Google Authenticator while I chose Authy from the start. The last 2 weeks people have been locked out of their accounts because our system says the GA codes entered are wrong, while Authy works fine. They tried everything listed online on (a surprisingly large number of) sites with people seeking help for the same problem. Nothing worked so we now have to wait for our IT to remove the 2FA from people’s accounts to let them re-do it. I don’t know, I have used both and I find Authy the better option.
Authy can make backups for its own use, but does it offer an export function if one wants to use a different brand?