Authy Blog

  • Apr 28, 2014

    Introducing Authy for your personal computer


    Authy lets you use "something you know" paired with "something you have" to log in securely to your accounts using two-factor authentication. Up until now, however, what you "have" was either your cellphone, your smartphone or your tablet.

    But now, in keeping with our goal of providing secure and seamless two-factor authentication to users everywhere, we are excited to announce the Authy App for PC's, available on Windows, Mac, and Linux. (I know what you're thinking: is this secure? Is this still two-factor authentication? Yes, and we'll explain more below.)

    You usually log in to your accounts from your desktop or laptop, right? And now, using Authy for PC's, you'll be able to access your two-factor authentication tokens directly from your computer screen without the hassle of copying them over from other devices. Simply put, you'll never have to type a token manually again.

    All of this was possible thanks to the recently released Chrome Apps framework. Using the Chrome Apps framework we were able to build a great multi-platform app that is not only very easy to install, but also looks and feels native across different operating systems. So, if you've been using Authy on your smartphone, Authy for PC's works just as well as the Authy mobile app. If you don't own a smartphone, this app provides a better alternative to text messages and phone calls, and we think you'll love it.

    Authy for PC's is available for free on the Chrome Web Store. You can use it to log in to your accounts on any browser (although you have to install Chrome), but you'll get the best experience if you use it with Chrome.

    So is this still Two-Factor Authentication if I am using the same device?

    The short answer is yes, two-factor authentication is still valid regardless of whether the second authentication factor "you have" comes from your cellphone, your tablet, or right from a desktop app on your laptop. For example, RSA Security, the leader in Two-Factor Authentication, also has a desktop application which has been securely deployed at some of the largest and most secure organizations worldwide. What really matters is that it is something only you can have. When you register your laptop as a new device with the Authy App for PC's, we use the same secure registration process we use with the mobile app by verifying your identity with your cellphone number - something only you have access to.

    So what if someone steals my computer?

    This is a valid concern; however, the same can be said for your RSA secure token or your smartphone. Two-factor authentication was never designed to protect against device theft. There are many other security technologies that are meant to defend against this, for example full-disk encryption.

    However, we recognize that most people don't use these protections, so we built encryption right into our app. Authy for PC's makes it easy for you to encrypt your local accounts using a master password - simply enter a password and we'll take care of all encryption/decryption for you. The password also blocks access to the application when you are idle by automatically encrypting all accounts, which protects you in case your laptop is lost or stolen.

    Also, because of the way we built the Authy platform, if your laptop is ever lost or stolen you can automatically deactivate your tokens using another Authy device, like your smartphone or tablet.

    We also built the app under Chrome's tight security restrictions for Chrome Apps and the Chrome App CSP. Regardless, you should take proper security precautions: make sure you download and install the Authy App from the Chrome Web Store and not from any other source.

    So what about malware, can malware steal my Two-Factor tokens?

    Yes, but that's the wrong way of looking at it. If there is local malware on your computer it doesn't really matter whether you are using 2 separate devices to log in with two-factor authentication. To illustrate the threat, let's take a look at the following authentication scenario where the user uses an RSA Hardware Token and see why even in this scenario, two-factor authentication cannot prevent the attacker from gaining access to your account.

    Once you successfully log in to a site, your browser locally stores a unique identifier for your session, called a session cookie. This cookie is then used to inform the site on subsequent requests that you have already authenticated, so that the site doesn't ask you to log in again. What this basically means is that there's no need for the malware to steal your credentials or two-factor token when it can simply steal your authenticated sessions.

    Protecting against the most common threat - Phishing Attacks.

    However, there is a great security advantage of running on the same device. Most of the attacks we see today on our customers are advanced real-time phishing attacks. In these attacks, users are redirected via a fake email, or some other means, to a fake page that looks and feels exactly like the authentic site. Once a user is on the phishing site, he is deceived into entering his login credentials, including his two-factor authentication token, thus giving away access to his account.

    These attacks are so well orchestrated that even the most proficient users were being tricked. So we knew we had to do something about this. And today we are finally taking the first steps towards making phishing attacks obsolete. Authy for PC's comes with Phishing Detection right out of the box. To use Phishing Detection, users only need to download the Authy Chrome Extension, which acts as a complement to the App. This extension gives Authy the ability to access all active tabs in the browser and verify them against a whitelist of official URLs for a variety of sites. So, when a user attempts to view/copy an authentication token for a site, if the site's whitelisted URL is not open on the user's tabs, we will warn him of a possible phishing attack.
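
    The tab check described above can be sketched as follows. This is an added example, not Authy's code: the allowlist entries, the account names and the function names `secureHost` and `checkTokenRequest` are assumptions, and the tab URLs are passed in as plain strings (in an extension they would come from the browser's tabs API).

```javascript
// Constructed allowlist (assumption): account name -> official hostnames.
const OFFICIAL_HOSTS = new Map([
  ["example-bank", ["login.example-bank.test", "www.example-bank.test"]],
  ["example-mail", ["accounts.example-mail.test"]],
]);

// Hostname of an https URL, normalised; null for anything else.
function secureHost(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:") return null;
    return u.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // unparseable tab URL
  }
}

// Decide whether to warn before showing or copying a token for `account`.
// openTabUrls: array of URL strings for the currently open tabs.
function checkTokenRequest(account, openTabUrls, allowlist = OFFICIAL_HOSTS) {
  const official = allowlist.get(account);
  if (!official) return { warn: true, reason: "account-not-in-allowlist" };
  const openHosts = new Set(openTabUrls.map(secureHost).filter(Boolean));
  // Exact hostname comparison: a substring or prefix test would accept
  // "login.example-bank.test.lookalike.test".
  const match = official.find((h) => openHosts.has(h));
  return match
    ? { warn: false, reason: "official-tab-open", host: match }
    : { warn: true, reason: "no-official-tab-open" };
}

// Constructed sample tabs: no official page is open, so a warning is due.
const sampleTabs = [
  "https://news.example.test/today",
  "https://login.example-bank.test.lookalike.test/signin",
];
console.log(checkTokenRequest("example-bank", sampleTabs));
```

    The check only establishes that the official page is open in some tab; it does not identify which tab the token will be typed into.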

    And this is only scratching the surface. We are actively working on some really cool technologies to finally solve this problem. Soon we'll also maintain a blacklist of known phishing sites (updated in real-time) that will further protect all of our users and customers from falling victim to this attack.

    So if you are looking for an excuse to use Authy on your PC, this is it.

    Conclusion

    The Authy App for PC's, along with its complementary Extension, goes a step further to make two-factor authentication a truly seamless experience, and to bring the power and security of strong authentication to users everywhere, anywhere. Authy for PC's not only provides more convenient and secure access to two-factor authentication tokens, but it goes the extra step by keeping your tokens safe on your computer, and by offering protection from phishing attacks.

    The Authy App for PC's is a simple and great way to access your two-factor tokens fast, conveniently and securely from your desktop or laptop.