When you use two-factor authentication, chances are you are getting your second factor from a mobile phone app like Google Authenticator or Authy. This makes sense, given that you want to ensure that nobody who has access to your computer also has access to the application that provides you with your second key for accessing your private accounts.
Authy is turning this idea on its head today by launching a desktop app for its two-factor authentication service. Authy for Desktop is now available as a Chrome app here. Although it uses Chrome’s app framework, it’s a completely stand-alone app, and you don’t need to run Chrome to use it. This approach allows the same app to run on Windows, Mac and Linux.
As the company’s founder and CEO Daniel Palacio told me last week, being able to get your second factor from your desktop and laptop makes for a far more seamless user experience. Instead of typing in a code, you can just copy and paste it from the desktop app. For those users who don’t have a smartphone, this also provides an easier alternative to the usual SMS messages that services like Authy use to send their codes.
By switching to the desktop app, your phone only becomes important when you log in to another computer that is not under your control.
But doesn’t that defeat the purpose of a two-factor application? Authy — unsurprisingly — claims it doesn’t. “Two-factor authentication is still valid regardless of whether the second authentication factor ‘you have’ comes from your cellphone, your tablet, or right from a desktop app in your laptop,” the company writes in a blog post today. “What really matters, is that it is something only you can have.”
Palacio also noted that while most people aren’t aware of this, RSA Security — one of the leading two-factor authentication services for enterprise companies — has long offered a desktop application.
Two-factor authentication was also never designed to protect against device theft, the company argues. To protect your accounts in the unfortunate case your computer gets stolen, Authy allows you to encrypt all of your local accounts with a master password. Thanks to Authy’s recently launched ability to use multiple devices to get your second factors, you can also easily deactivate your tokens in case your laptop is stolen.
The company also argues that while there may be malware installed on your local machine that could steal your two-factor tokens, that’s a concern whether you use two separate devices or just a single one. In the end, your session ID will typically be stored in a local session cookie that tells a given site that the session has indeed been authenticated. If an application gets access to that, it doesn’t matter where the second factor came from.
Users who install both the Authy for Desktop app and the company’s new Chrome extension will also get the added benefit of Authy’s phishing detection. The extension gives the service access to all of your active tabs and then verifies them against a whitelist of official URLs for a wide range of sites. Whenever a user tries to copy an access token into a site that isn’t on the whitelist, the service will throw an error.
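A check of this kind could look like the following sketch, which is an added example and not Authy's code. The account labels, hostnames and function names are assumptions made up for illustration; the point it shows is that the tab's URL has to be parsed and its hostname compared exactly, because substring matching would accept lookalike addresses.

```javascript
// Added illustration, not Authy's implementation.
// Constructed allowlist: account label -> official hostnames (hypothetical data).
const OFFICIAL_HOSTS = new Map([
  ["example-bank", ["example-bank.test", "login.example-bank.test"]],
  ["example-mail", ["accounts.example-mail.test"]],
]);

// Decide whether a token for `account` may be handed to the tab at `tabUrl`.
function checkTokenDestination(account, tabUrl) {
  const hosts = OFFICIAL_HOSTS.get(account);
  if (!hosts) return { allowed: false, reason: "unknown-account" };

  let url;
  try {
    // The URL parser lowercases the host, separates any "user@" prefix
    // from the hostname, and converts non-ASCII names to punycode.
    url = new URL(tabUrl);
  } catch {
    return { allowed: false, reason: "unparseable-url" };
  }
  if (url.protocol !== "https:") return { allowed: false, reason: "not-https" };

  // Exact hostname comparison only: no substring or suffix matching.
  const host = url.hostname.replace(/\.$/, ""); // tolerate a trailing root dot
  if (!hosts.includes(host)) {
    return { allowed: false, reason: "host-not-on-allowlist" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample tab URLs covering the usual lookalike patterns.
const SAMPLE_TABS = [
  "https://login.example-bank.test/signin",     // official host
  "https://example-bank.test.evil.test/signin", // official name used as a prefix
  "https://example-bank.test@phish.test/",      // official name in the userinfo part
  "http://example-bank.test/",                  // right host, no TLS
  "https://ex\u0430mple-bank.test/",            // Cyrillic "a" homoglyph
];

function auditSampleTabs() {
  return SAMPLE_TABS.map((tab) => checkTokenDestination("example-bank", tab));
}
```
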
Overall, Palacio believes that Authy for Desktop is “probably the best app we’ve ever done.” As he told me, the company has also been experimenting with using the presence of your phone itself as a second factor. The low penetration of Bluetooth LE among smartphones, however, remains an issue.
Authy currently protects about a million accounts and is being used regularly by more than 600,000 people.