Authy Now Supports Google Authenticator
Developers implementing two-factor authentication security should note that the Twilio Authy 2FA API now supports users of the Google Authenticator app.
When it comes to longevity, you have to give a lot of credit to Google Authenticator, a mobile app using the time-based one-time password (TOTP) protocol for two-factor authentication (2FA) that has been around for over seven years. So, when Authy developed its own two-factor authentication apps in 2012, we knew we had to improve upon the Google offering.
However, developers choosing to use Authy often didn’t include the ability for users to use Google Authenticator, and this led to frustrated users. We believe user choice is important, and so we’re pleased to announce that the Twilio Authy 2FA API now supports Google Authenticator and other compatible apps.
Comparing Approaches To Authentication
Google launched its 2FA implementation in 2010, and it supported getting the login codes via SMS, voice, and smartphones, using the TOTP standard. Anyone can write a TOTP app to capture the 2FA secret used to generate the login codes, but when Google launched, there wasn’t another viable TOTP app out there, so they created their own: Google Authenticator.
Businesses slowly started to add 2FA to their sites. They wrote their own code for implementing TOTP-based 2FA and, without an app of their own, recommended Google Authenticator to their users. It quickly became the standard.
Then along came Authy. Authy’s goal was two-fold. First, save developers the time and cost of having to write all the code to handle SMS, voice calls, TOTP, and push authentications and help avoid the worries of ensuring high delivery rates via SMS due to ever-changing telecoms filtering rules. To accomplish this, all the complexity of two-factor authentication was built into a very simple API that would give developers the peace of mind that someone else is testing, maintaining, and improving authentication for their users. More time and effort was saved by making mobile and desktop 2FA apps available for users to download for free.
Why not just use Google Authenticator? To start with, the Authy app eliminated the complexity of getting the 2FA code from the authentication implementation to the user’s phone. Instead of scanning in a QR code, which requires the user to take several steps, the 2FA data is delivered via the API directly to the mobile app, leveraging the phone number as the link between the user’s account and the installation of Authy on their device.
Additionally, in just a few years’ time, Google Authenticator had already started to lack essential features such as desktop apps, the ability to share 2FA tokens across devices (useful for when you’re in one room and your phone is in another), or a secure way to back up 2FA data, which can be a lifesaver if you lose your phone.
By designing their own, Authy introduced improved functionality and an intuitive user interface. New features included a multi-device sync feature so that users had the choice to authenticate from a mobile phone, tablet, or desktop, or any combination of the three. Cloud-based backups were also incorporated to allow users to quickly restore accounts should they lose a device or change their associated phone number.
Most importantly, because Authy’s solution is managed, continually updated, and built with simple APIs that require just a few lines of code, developers with short development timelines, or enterprise organizations with core competencies that were not in online security, had more practical go-to-market options.
App Confusion Leads to API Evolution
By 2015, when Authy was acquired by Twilio, many companies (including CloudFlare, Twitch, VMware, Pinterest, and SendGrid) had chosen to implement the Authy API. Meanwhile, Google Authenticator was still a very popular app. This resulted in situations where developers working with the Authy API required that the Authy app be downloaded by their users, many of whom also used Google Authenticator with other sites. In some cases, this led to companies implementing a separate set of backend features to support users who demanded they be allowed to use Google Authenticator. This was not the ideal developer experience, and that extra development time resulted in more costs.
Agnostic App Support
This is no longer an issue thanks to a new feature released in our latest update to the Authy API. Now, by implementing a single API, developers can offer 2FA security that works with the Authy app, with the Google Authenticator app, or with any TOTP-compliant application they want.
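Why any TOTP-compliant app can be interchangeable, shown as an added example that is not Authy's code or API: the server and the app share one secret, typically carried in an `otpauth://` URI rendered as a QR code, and both derive the same code from it and the clock (RFC 6238). The function names, account and issuer below are assumptions; the secret and expected codes are the RFC 6238 SHA-1 test vectors.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, quote

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1, as authenticator apps default to)."""
    counter = struct.pack(">Q", at // step)           # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Server side: the URI that gets encoded into the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"

def secret_from_uri(uri: str) -> bytes:
    """App side: recover the shared secret after scanning the QR code."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)                      # restore stripped padding
    return base64.b32decode(b32, casefold=True)

def verify(secret: bytes, submitted: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server side: accept codes within +/- `window` steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step)
        # constant-time compare; do not short-circuit on the first match
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample data: RFC 6238 test secret, hypothetical account and issuer.
SERVER_SECRET = b"12345678901234567890"
URI = provisioning_uri(SERVER_SECRET, "alice@example.com", "Example")
APP_SECRET = secret_from_uri(URI)

if __name__ == "__main__":
    print(URI)
    print("app code at t=59:", totp(APP_SECRET, 59))
    print("server accepts it 30s later:", verify(SERVER_SECRET, totp(APP_SECRET, 59), 89))
```

A production verifier should also record the last accepted time step per user and reject a code that has already been used, and should rate-limit attempts.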
This is a pretty big deal in the world of two-factor authentication. And it's excellent news for developers and enterprise organizations looking to bring strong security to as many users as possible. Since the Authy app continues to develop features not found in other apps, we’re confident that this move will make the decision to use the Authy API even easier. We still think that the Authy app is the best choice: it allows for push authentication support, users can access 2FA codes easily across mobile and desktops, and when devices are lost or inaccessible, they can still recover access to 2FA protected applications. Using the Authy app also brings greater security to the authentication process by providing data that can be used to contextualize logins.
By adding support for all standard TOTP applications, what had typically been an “either/or” decision is now a non-issue. Being agnostic to which app is used lets us be more supportive in helping our customers build whatever authentication experience is needed to reach the majority of users out there.
Authentication Evolution: Fully branded. Powered by Authy
At the same time, Authy supports custom 2FA solutions. Innovative companies like Transferwise and Namecheap are giving their customers the convenience of authentication directly from within the brand application they’re using, built with the Twilio Auth SDK, and supported by Authy.