Two-factor authentication is one of the most effective ways to keep your accounts safe, but it also means that if you ever lose your phone and don’t have access to a backup code, you won’t be able to read your email or sign in to your WordPress blog. Authy, a startup focused on making two-factor authentication easier to use, wants to make this a thing of the past by allowing you to get your second-factor authentication code from multiple devices.
As Authy’s founder Daniel Palacio told me earlier this week, the company expects that this move will be somewhat controversial. Virtually all two-factor authentication systems today are set up to only work on a single device. Some, like Google Authenticator, can be used on multiple devices, but Palacio argues that this is due to poor design choices and not really an intended use case.
Using Authy, users can add new devices to their list through a system of inherited trust. When users set the application up on a new device, they receive a push notification on a previously authorized device to confirm that the new device can be trusted. If you ever lose one of your devices, you can simply deauthorize it from another phone or tablet. To make this possible, Authy uses a multi-key system that generates a different key for each of your devices, so revoking one device’s key leaves the others working. Users don’t have to worry about any of these details, though: for them, the sign-in process remains exactly the same.
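The following is an added illustration of the per-device key model described above; it is not Authy’s code and makes no claim about how Authy actually implements it. It assumes standard RFC 6238 TOTP over HMAC-SHA1, a hypothetical `MultiDeviceAccount` class in which every device holds its own independent key, and two rules drawn from the text: a new device is enrolled only after an already authorized device proves possession of its key, and a lost device is revoked from a different authorized device. Because each device has a separate key, revoking one removes only that key.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one device key at one point in time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MultiDeviceAccount:
    """Hypothetical account whose second factor is spread over several devices.

    Each device holds its own key (a "multi-key" layout), so revoking one
    device deletes only that key and leaves the other devices usable.
    """

    def __init__(self, first_device: str, key: Optional[bytes] = None) -> None:
        # device name -> that device's private TOTP key
        # (a fixed key may be supplied for deterministic demonstrations)
        self.device_keys: Dict[str, bytes] = {
            first_device: key or secrets.token_bytes(20)
        }

    def _check(self, device: str, code: str, now: int) -> bool:
        """True if `code` is valid for `device`'s key within one step of drift."""
        key = self.device_keys.get(device)
        if key is None:
            return False
        return any(
            hmac.compare_digest(code, totp(key, now + drift))
            for drift in (-30, 0, 30)
        )

    def add_device(self, new_device: str, approver: str, approver_code: str,
                   now: int, key: Optional[bytes] = None) -> bytes:
        """Inherited trust: enrol `new_device` only when an already authorized
        device (`approver`) proves possession of its own key."""
        if new_device in self.device_keys:
            raise ValueError("device already enrolled")
        if not self._check(approver, approver_code, now):
            raise PermissionError("approval must come from an authorized device")
        self.device_keys[new_device] = key or secrets.token_bytes(20)
        return self.device_keys[new_device]

    def deauthorize(self, lost_device: str, from_device: str,
                    from_code: str, now: int) -> None:
        """Revoke `lost_device` from a different, still authorized device."""
        if lost_device == from_device:
            raise ValueError("revoke from a different authorized device")
        if lost_device not in self.device_keys:
            raise KeyError(lost_device)
        if not self._check(from_device, from_code, now):
            raise PermissionError("revocation must come from an authorized device")
        del self.device_keys[lost_device]  # only this device's key disappears

    def verify_login(self, code: str, now: int) -> Optional[str]:
        """Return the name of the device whose key produced `code`, or None."""
        for device in self.device_keys:
            if self._check(device, code, now):
                return device
        return None


if __name__ == "__main__":
    # Constructed demonstration with fixed keys and a fixed clock.
    now = 1_700_000_000
    phone_key, tablet_key = b"A" * 20, b"B" * 20
    acct = MultiDeviceAccount("phone", key=phone_key)
    acct.add_device("tablet", "phone", totp(phone_key, now), now, key=tablet_key)
    print("login from tablet ->", acct.verify_login(totp(tablet_key, now), now))
    acct.deauthorize("phone", "tablet", totp(tablet_key, now), now)
    print("login with lost phone ->", acct.verify_login(totp(phone_key, now), now))
```

The sign-in path (`verify_login`) is the same for the user whichever device produced the code, which mirrors the point made above that the extra key management is invisible at login time.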
Palacio concedes that adding more devices also increases the number of attack vectors, but the Authy team believes the advantages of this system outweigh those risks.
For one, he told me, there is currently often a long window of time between losing a device and deactivating it. This new system lets you just deactivate the Authy app on your phone from your tablet. “Incorporating multiple devices solves many of the problems users face and should be part of any modern multi-factor authentication system,” Palacio writes in a blog post today.
One thing the Authy team also notes is that most two-factor authentication users either don’t generate offline backup codes or store them in an unsafe spot. For them, using a second device may actually be safer than using backup codes.