A lot of us are familiar with two-factor authentication with Google Authenticator. Could you give us a run-through of the differences between GA and Authy? What are the advantages of Authy over GA?
Edit: suggestions: do not ask for the cellphone number twice. Sending the SMS PIN as a link is a bit weird.
> 1. Authy tokens automatically sync even if you lose, change or upgrade phone.
So the tokens are stored on Authy's servers? Doesn't that defeat the purpose of two-factor? How do I (or an attacker) recover my tokens if I lose my phone?
Personally, I'd be concerned with trusting my credentials with any company unless all members of the leadership team (yes, including "nontech" people) are incredibly familiar with basic security terminology and practices.
(Note that the founder is unclear when PBKDF2 and AES are being used in the product, which is concerning, because they have very different use cases and should be hard to confuse).
My tokens being sent to an external server that I don't control is a dealbreaker for me, sorry.
I get the convenience factor, but my security relies on the absolute secrecy and control of those tokens; I'm not willing to trust those to anyone else. Any company that requires 2FA is likely to have a similar policy; leaking the keys to the kingdom to a third party which is not subject to security audits is going to be a non-starter.
Bluetooth integration is a compelling feature, though.
> "Authy Bluetooth will only talk to pre-approved computers and all messages are encrypted."
Just wondering if you can speak to what sort of encryption and safeguards you've got going on here. The docs cover how the tokens are created, but not the communication between phone and mac.
Seems like an awesome thing but I wouldn't feel comfortable using it for work without knowing a bit more.
We use Elliptic-curve Diffie-Hellman when you are pairing your iPhone to your Mac. The key is stored in both the iPhone and Mac Keychains. Every message between them is encrypted/signed using that key.
I don't know about the internals of Authy, but Bluetooth encrypts by default and so far it has not been shown to be terrible (if you use a sufficiently random key while pairing).
So even if Authy does nothing special to send the data encrypted, BT itself will ensure that it's safe. Minus, of course, some malware that's running and inspecting the application in-memory or just watching the clipboard, but no encryption on earth will help you there.
I'm having a tough time understanding all the moving parts involved. Could you post some drawings of what happens in different scenarios? 'cause I'm more of a visual learner.
From what I can tell, the user navigates to a site previously provisioned with Authy, they choose to authenticate via Authy, and then ??? happens resulting in their cell phone giving them a time-limited one-time passphrase.
1. What is your business model? The app looks great and I wouldn't want to see it go away in a couple of months.
2. There is a registration process that ties the app to my phone, and there seems to be a recovery process. Does it mean that the secrets are stored on your servers? If yes, what prevents you or one of your employees from gaining access to the secret keys?
1. Business model: We have an API that companies use to add two-factor auth to their sites/infrastructure. We charge for that. See www.authy.com/developer/pricing
2. The recovery process enables your phone. If you decided to enable backups (which is optional), encrypted versions of your accounts are stored on our servers (that's why it's called backups). Authy employees can't gain access because only the encrypted version is stored; you choose the encryption key and have to remember it.
Probably. At this point we are testing things out and want to move as fast as possible. We want to make Two-Factor Authentication completely transparent, and we'll be launching other exciting things to see how they work in the real world.
Once we have the experience nailed down, we'll port it to other platforms.
I hope you are planning a Linux release too. So many companies leave us out, even though we're even more willing to work past bugs and set things up correctly.
Anyway, you can read more about why we did this here: http://blog.authy.com/thefuture