Strong passwords are not enough anymore: we recommend using two-factor authentication whenever possible. Ideally, that means using an app that generates authentication codes on your phone or a physical hardware token. We prefer Authy when it comes to authentication apps—it’s compatible with all sites that use Google Authenticator, but is more powerful and convenient.
Two-factor authentication requires you have both the password for your account and an additional authentication method. That way, even if someone were to find out your email, Facebook, or other password, they’d need an additional code to sign in.
SMS is one of the more common ways to get these codes, but SMS is inherently insecure. It’s too easy to intercept SMS messages, which means someone with the know-how could get not just your password, but your two-factor codes as well—leaving your accounts vulnerable.
That’s why we recommend using an authentication app. Instead of sending you a code when you try to log in, these apps are constantly generating new codes that are only valid for about 30 seconds each. When you’re logging into an account and prompted for a code, you can just open your authentcation app, grab the most recent code, and paste it in.
Google Authenticator is one of the most commonly recommended apps for these codes, and it’s fine—it’s just a little too basic. When you get a new phone, your Google Authenticator codes can’t come with you. You’ll need to set up all your accounts all over again. If you’ve lost your previous phone, you may need your backup recovery codes to regain access to your account and disable the authentication.
Authy offers a more polished app that avoids these hassles. Authy lets you back up your two-factor authentication codes to the cloud and to your other devices, encrypted with a password you provide. You can then restore that backup to a new phone, or if your phone isn’t nearby, use your computer or your tablet to generate codes instead.
Here’s the most important part: Authy is completely compatible with Google Authenticator. Whenever a website directs you to scan a QR code with Google Authenticator to set up two-factor authentication, you can scan the same code to set up two-factor authentication in Authy. That means you can use Authy anywhere Google Authenticator is accepted—for example, with your Google, Microsoft, and Amazon accounts. Some sites offer Authy-specific integration, too, so it really works everywhere.
Once you’ve installed the app, enter your mobile phone number and email address. You’ll be sent a PIN, which you’ll enter to confirm you have access to the phone number.
Authy is now enabled. You just need to visit the two-factor authentication setup page on your account service of choice and pull up a QR code as if you were setting up a new Google Authenticator app. After you do, tap the “Add” button in the drawer at the bottom of the Authy screen and scan the QR code. The account will be added to Authy.
When you need a code, open the Authy app and tap the account you need a code for. Type the code into the service. There’s also a quick copy button here, in case you want to paste the code into another app on your device.
If you want to prevent people with your phone from easily gaining access to your codes even after you’ve signed in, you can enable as protection PIN (or Touch ID on an iPhone) from Settings > My Account > Protection PIN.
Authy can automatically create encrypted backups of your account data and store them on the company’s servers. The data is encrypted with a password you provide.
You don’t have to enable this if you don’t want to! If you just want to use Authy on a single device and not store anything in the cloud, go ahead and skip this feature. Authy will store your codes only on your device, just like the standard Google Authenticator app. However, you won’t be able to recover your codes if you lose your phone. You’ll have to set everything up from scratch again. We recommend using Authy because of these features.
Open Authy and tap Settings > Accounts. At the top of the screen, ensure “Authenticator Backups” is enabled. You can use the password link to provide a password that you’ll need to decrypt the backups. You’ll need this password to access your codes when you sign into Authy on a new device.
Authy can sync your codes across multiple devices, too. For example, Authy offers a Chrome app that allows you to access your codes on any computer. There’s also a macOS app in beta and a Windows app coming soon—you’ll find them all on Authy’s downloads page. Or, you may just want to sync your codes between a phone and a tablet. It’s up to you.
To add other devices to your account, head to Settings > Devices in Authy. Enable the “Allow Multi-device” switch.
Now, try to sign into Authy with another device—for example, via the Authy Chrome app or an Authy mobile app on another device. Enter your phone number, and then you’ll then be prompted to authenticate with an SMS message, a phone call, or through a prompt in the Authy app on a device you’ve already signed in with.
If you authenticate, the device you sign in with will gain access to your accounts. However, you won’t immediately gain access to your codes. If you’ve set up a backup password to encrypt your codes in the cloud, you’ll see a lock icon next to each of the codes you have in Authy. You’ll need to enter your backups password to actually access the codes.
Note that the password only applies to Google Authenticator-style accounts. Accounts using Authy’s own two-factor authentication scheme will be available after you sign in, whether or not you know the backups password. Authy’s own two-factor authentication scheme really just checks whether you have access to a phone number.
Any changes you make to your codes—such as adding or removing an account—will now be synced to your other devices. Your list of devices will also appear on the Settings > Devices screen in Authy, and you can remove any devices you like from here.
Once you’ve added all the devices you want, head back to Settings > Devices in Authy and disable the “Allow Multi-device” option. The multi-device sync feature will keep functioning normally, you just won’t be able to add new devices. This is a good thing, since adding devices uses SMS—which, as we already discussed, is insecure. So you only want to turn this option on if you’re adding a new device. Then disable it afterwards.
Note, however, if you disable multi-device and need to sign in on a new device—for example, perhaps you only had Authy on your phone and your phone was lost, damaged, or stolen—you won’t be able to do so. You’ll see a message saying multi-device is disabled and you need to re-enable it.
If you only had Authy on a single device and you no longer have access to that device, you won’t be able to access your codes. Authy has an account recovery form you’ll need to use, and it may take 24 hours before you get a response. This will wipe all the devices from your account and allow you to start over. However, if you’ve backed up your data, you’ll be able to provide your backups password and regain your codes afterwards.
Authy officially recommends adding two (or more) devices to your Authy account and then disabling the “Allow multi-device” feature. No one will be able to gain access to your account until you re-enable multi-device. If you lose access to one device, you can always re-enable multi-device and add a new device.
However, if you just have a single device, you may want to think twice before disabling the multi-device feature. This will make it more difficult to access your code backups if you ever lose access to your single device.