The first thing you need to learn when you start working with Bitcoin is to set-up 2FA. The most common forms of two-factor auth today are standard telephony and security tokens, which come in both the soft and hard variety.
If we took hard U2F tokens off the table, we’re left with software and telephony. Which of the two would you choose? Well, it depends. Let’s explore.
2FA Pros and Cons — Phone
A pro of using a telephone number for two-factor auth is that phone numbers have the ability to turn pretty much any SMS-capable device into an auth mechanism. This convenience comes at the cost of security, however.
The purpose of two-factor is to decrease the likelihood an unauthorized user can gain access to one of your systems by splitting the bill between something you have and something you know. With VOIP services it’s possible to emulate a telephone using software like Twilio, breaking the “something you have” part of the 2FA contract.
And though going with a virtual telephone is still better than not using 2FA at all, the real problem is that standard telephony is easily hacked. And, trust me, when you’re storing value in a computer getting hacked is the last thing you want.
Takeaway: Phone numbers make managing 2FA easy and versatile. But don’t use a telephone for 2FA unless you’ve got nothing to lose. Otherwise you just may.
2FA Pros and Cons — Token
As mentioned, tokens come in both the hard and soft varieties. And since software is the more common of the two let’s focus specifically on software tokens.
The two most popular software tokens today are Authenticator and Authy. Authenticator, created by Google, is the more well-known of the two. In fact, Authenticator is so much more popular some exchanges don’t even mention Authy. And that’s a problem.
There’s an important difference between Authenticator and Authy to be aware of. It’s something you’d never think of until you actually needed it—which is precisely too late. Are you ready? Because if you didn’t know this it may come as a bit of a shock.
To set the stage, here’s a pullquote from someone on the CoinSheet Discord server I saw earlier today, which is what prompted me to write this post:
ARRGHHH! I was expecting this day! My phone broke its screen and I saw this misleading article about changing your Google Authenticator from one phone to another. But it doesn’t mention it doesn’t change the keys! /: FUCK! Should have used Authy. For you to learn and change asap :p
Looks like someone realized the reason why many individuals preach about Authy.
So Here is is. I’m just gonna lay it on you…
If you lose your phone and were using Google Authenticator and you lost both an expensive piece of hardware and the keys to your 2FA accounts.
Your only hope to restore with Authenticator is using a manual process of backing up your own seeds which is non-trivial and prone to human error. And while one individual I spoke with suggested they took screenshots of their Authenticator seeds before encrypting and saving them to the cloud they made the mistake of screenshots.
Authy creates backups of your 2FA keys in-app without screenshots and sends them encrypted into the cloud in a similar fashion to password management services such as BitWarden, giving users a fast, reliable and secure way to recover from the loss or theft of a smartphone.
Take time to educate yourself. Learn How to Secure your Digital Life.