Maybe the UI is nicer, but the permissions on Android are unnecessarily intrusive, which—to me—is a dealbreaker with a 2FA manager.

  Device & app history
      read sensitive log data
  
  Identity
      find accounts on the device
  
  Camera/Microphone
      take pictures and videos
  
  Wi-Fi connection information
      view Wi-Fi connections
  
  Other
      receive data from Internet
      access Bluetooth settings
      pair with Bluetooth devices
      full network access
      view network connections
      control vibration
      prevent device from sleeping
      send sticky broadcast

Contrast this with Google Authenticator:

  Identity
      find accounts on the device
  
  Other
      control vibration
      full network access
      use accounts on the device
      create accounts and set passwords
      close other apps
https://play.google.com/store/apps/details?id=com.google.and...


Well, each of those permissions they request ties to a very obvious and useful feature.

Camera/Photo for QR code-based 2FA; Bluetooth permissions and Internet Data to handle local connection to trusted machines and callbacks from sites like Coinbase (when I log into Coinbase, I get a handy 2FA notification from Authy that leads me right to the code).

Log data is the most questionable, but it really makes debugging so much easier when you can see what's going on, and is a pattern/permission they share with Evernote, foursquare, fring, Netflix, Rdio, Dolphin Browser, AccuWeather.com, Hotmail, doubleTwist Player, MOG, Handcent SMS, Bump, TweetCaster, etc.


Wait, Google Authenticator lets you provision accounts by scanning a barcode; how does it not list "take pictures and videos" in its permissions manifest?


IIRC Google Authenticator uses a third-party barcode scanner via an intent.
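
The intent-based delegation the comment above describes, as an added example that is not code from Google Authenticator or any other app named in the thread: the 2FA app hands QR scanning to a separate scanner app, so its own manifest never declares android.permission.CAMERA and only the decoded text comes back. It assumes a ZXing-compatible scanner app is installed and uses the Android API of that era (startActivityForResult).

```java
// Added example (not from any app in the thread): delegate QR scanning to a
// separate scanner app via an intent. The camera permission lives in the
// scanner app, not in this 2FA app's manifest (least privilege).
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Toast;

public class ProvisionActivity extends Activity {
    private static final int REQ_SCAN = 0x0ba7;
    // ZXing "Barcode Scanner" intent contract; assumed to be installed on the device.
    private static final String ZXING_SCAN = "com.google.zxing.client.android.SCAN";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent scan = new Intent(ZXING_SCAN);
        scan.putExtra("SCAN_MODE", "QR_CODE_MODE");
        try {
            startActivityForResult(scan, REQ_SCAN);
        } catch (ActivityNotFoundException e) {
            // No scanner app present: fall back to manual key entry instead of
            // requesting the camera permission for this app.
            Toast.makeText(this, "No QR scanner installed; enter the key manually",
                    Toast.LENGTH_LONG).show();
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_SCAN || resultCode != RESULT_OK || data == null) return;
        String text = data.getStringExtra("SCAN_RESULT");
        // Accept only an otpauth:// URI; anything else returned by the scanner is dropped.
        Uri uri = text == null ? null : Uri.parse(text);
        if (uri == null || !"otpauth".equals(uri.getScheme())) return;
        String secret = uri.getQueryParameter("secret");   // base32-encoded seed
        String issuer = uri.getQueryParameter("issuer");
        String path = uri.getPath() == null ? "" : uri.getPath();
        String label = path.startsWith("/") ? path.substring(1) : path; // e.g. "Example:alice"
        if (secret == null || secret.isEmpty()) return;
        // Persist the seed in app-private storage (other apps cannot read it without root).
        getSharedPreferences("otp_accounts", MODE_PRIVATE).edit()
                .putString((issuer == null ? "" : issuer) + "|" + label, secret)
                .apply();
    }
}
```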


Having used DuoMobile, very quickly looked at Authy and heard about Google Authenticator from colleagues, I'm pretty happy to have found http://cooperrs.de/otpauth.html.

It does one thing, and does it well. It doesn't keep trying to get me to use a service where I hand over all my 2FA secrets to some company, and what's more, the developer responds pretty quickly when there are support issues (e.g. some QR codes are weird sizes and there was a trick pre-iOS 8 to make them scan) or even bugs.


Red Hat also makes a prettier version (https://play.google.com/store/apps/details?id=org.fedorahost...). Not as pretty as Authy, but less sketchy w/ the pointless permissions. Also, Authy cloud-syncs your accounts, which seems like a bad idea.


It enables http://blog.authy.com/multi-device , which is either very handy or stupid depending on how paranoid you are.