We recommend that you use two-factor authentication (2FA) on your accounts, in addition to a strong password.
This is a guide to setting up a two-factor authenticator on your mobile device. We’ve chosen an app named Authy.
Some password managers, like LastPass, have their own authenticator service and you may choose to use it. However, using a separate two-factor authenticator ensures a higher level of security.
How to sign up & get started with Authy
- On your mobile device, download Authy from the Apple App Store or Google Play Store.
- Open Authy. You will be asked to turn your device into a secure token (an authenticator). Select Australia > enter your phone number > tap Ok.
Remember: drop the 0 at the start of your phone number. e.g. +61 499 888 777
- Enter your email address.
- Choose whether to verify your account via phone call or SMS message. Enter the code you receive.
- You may choose to enable notifications. This will display your authenticator codes when you log in to a service, without you having to open the app manually.
You’ve now completed the initial Authy set-up and can start adding services.
Add services to Authy
Two-factor authenticators are typically installed using QR codes.
- Tap the plus icon to add a service.
- Tap Scan QR Code to quickly add a service to your authenticator.
- Go to your chosen service, log in and access your security settings. Choose to set up two-factor authentication with an authenticator (it may say to set up with Google Authenticator). As long as a QR code appears, you can add it to Authy.
- When the QR code is on-screen, hover your camera over the QR code. Your phone should add the QR code almost instantly.
If you have problems adding the service using a QR code, you can add the service manually. There should be a long code of characters that you will need to enter.
- Once the QR code is scanned, a new screen in Authy will appear. If you’re adding a popular service, you will see its logo. Your username should also display. Tap Done.
- The service you just added will likely ask you to verify that it was correctly added to Authy. When prompted, enter the code shown in Authy.
- Repeat for any service you want to add to Authy.
Switch on backups
Being able to recover your authenticator services when you change phones is the key feature of Authy (unlike Google Authenticator). Here’s how to switch it on:
- Open Authy > tap the Settings option in the top right.
- Tap Accounts at the bottom & middle of the app.
- Tap the Authenticator Backups toggle > set and confirm your backup password.
This backup password will be used to restore your Authy account on a new device (you will also need to receive a code via SMS or phone call).
- Once the password is set, Authy will back up your authenticator keys and they will be easily recoverable when you move to a new device.
Additional Authy security
Authy is a simple app with few options.
Your phone should be secured by a passcode and/or a biometric option (e.g. Touch ID or Face ID). This should provide adequate security. However, if you’d like added security, you can require an app-specific passcode for Authy every time it is opened. Here is how:
- Go to Settings > Security.
- Tap the App Protection toggle > create and confirm a PIN.
- Enable Touch ID or Face ID.
- Authy now requires the PIN or biometric to be entered any time you’d like to change your settings.
- If you’d like a further layer of security, you can require the PIN or biometric to be entered every time Authy is opened. In the Security settings screen, tap the Protect Entire App option.
Authy is a straightforward authenticator that includes a password protected backup option. The backup option allows you to restore the app, with all of your authenticator keys, on a new or replacement phone. Otherwise you’d have to re-configure the authenticator keys from scratch every time you use a new phone.
Furthermore, separating your password manager app from your authenticator app ensures a greater level of security. E.g. if your LastPass account is breached, the attacker won’t be able to log in to your two-factor authentication enabled accounts if you’re using Authy. If you’re using the LastPass authenticator, they can get the codes.