How Do I Switch From One 2FA Authentication App to Another?
I woke up the hornet a bit this week when I suggested people switch from Google Authenticator to another two-factor authentication app for Android. I recommended Authy, but that’s only because I use it and find it incredibly user-friendly. Not only does it prevent you (and other apps) from taking screenshots, but I appreciate the extra verification security built into Authy (and the options you must maintain to keep your 2FA keys safe even when using more controversial features like the ability to quickly sync your 2FA keys with other devices you own).
But honestly, there are many other great 2FA apps out there – 1Password comes to mind if you don’t mind paying for it (and you should if you don’t already have a password manager). Better yet, use a hardware token for whatever accounts you can, not your smartphone. I don’t care what you use; I and many others love Authy, but you can use whatever authenticator app works best for you.
Feeling overwhelmed? You shouldn’t be doing this, but it can seem time consuming if you’re not particularly tech-savvy or two-factor authentication. As Lifehacker reader Jenny writes:
“I just read your article on 2FA applications and I need a little tutorial, please do you mind? I’m just a techie, and most of that thanks to the nice people on Reddit.
I turned on Google’s two-factor authentication for Reddit login this week and still haven’t figured out how it works.
Now you are saying that this is insecure and I have to switch to Authy, right? How should I do it? If I delete my Google account from my phone, will it ruin my Reddit registration? Or will it automatically swap places? And if I go to Authy, can I put it on my tablet so that in case of something with the phone I can access my accounts? And if I switch to Authy, should I uninstall Google One from my phone before or after downloading and enabling Authy?
Any advice you could give me would be greatly appreciated!
Have a nice day and thank you for all the work you put in keeping all of us here! “
Let’s go over the basics! First, here’s a simple version of how 2FA protects your accounts. You set up 2FA on a website or service and associate it with an application (in this case). This app has a rotating number. When you visit a website or service, you must open the application and provide this rotation number to make sure that you are you and not the hacker who received your username and password. The protection is based on the notion that while your credentials can be easily stolen in a variety of ways, there is a very small – if not infinitely small – chance that an attacker will also be able to guess (or iterate over) this special number, which changes approximately every 30 seconds. or so.
This is slightly different from when a website or service sends you a text message with a number, which you then have to enter during the login process. This is known as two-step verification, and while it’s better than nothing, it’s less secure than 2FA because it’s easier for an attacker to change SIM or otherwise bind your phone number – to intercept your messages, including these login requests, and get significant day. It is much more difficult for an attacker to gain physical control of the device you are using for two-factor authentication, so the latter is preferable.
Now to your question. In all honesty, you’re probably okay sticking with Google Authenticator because it’s better than not using a two-factor app at all. As long as you don’t download trashy malware or random apps to your device – often the same thing – it doesn’t matter if Google Authenticator allows screenshots (at the time of this writing).
If you want to be supremely secure, you can wait or switch to another authentication app like Authy. Here’s how I would do it with Reddit:
- Use Google Authenticator to log into Reddit as usual.
- Temporarily disable two-factor authentication
- Turn it back on and set it up with Authy instead of Google Authenticator.
That’s all. You will have to repeat this process for every site or service where you have enabled 2FA and linked it to Google Authenticator. It’s an annoying process, but it doesn’t take long; and at least you have a list of all the sites that need to be configured as you will be able to see them in the google app.
Once you’ve moved all your accounts to Authy and confirmed that you can sign in with Authy codes, remove Google Authenticator. However, exchanging Authy codes between devices is much easier. Install the Authy app on any other device you want to use for two-factor authentication. Then go to the Authy app on your source device and open its settings. Click on “Devices” at the bottom and turn on “Allow Multiple Devices.”
Then, log into Authy on your second device using whatever credentials it asks for – your phone number, I suppose, or the first device. After you set it up and see that all of your 2FA codes are in sync, go back to your original device and turn off the Allow Multiple Devices option. The new device you just set up will continue to work, but no one else can sync your account with another device until you toggle that switch again.
Typically for 2FA apps, you will need to follow the process I described earlier to sync an account with authentication apps across multiple devices: sign in to your accounts and temporarily disable 2FA, reconfigure your backup, and scan the provided QR code (or whatever- then) using an authenticator app on each device. Otherwise, there is usually no way to simply “add” a new device and sync it.
Authy is an exception that is also the source of some controversy – while this feature is handy, in theory this feature does make it easier for an attacker to access all of your 2FA combinations if you haven’t prevented them from doing so by disabling It. I like the convenience, but I understand that this can be a stumbling block for people who want the most secure and confidential experience with an authenticator. If it’s you, then maybe Auti isn’t the best option after all.