DEV Community

Arseny Zinchenko
Arseny Zinchenko

Posted on • Originally published at rtfm.co.ua on

Authy: step by step Multi-Factor Authentication configuration for Github and AWS

I’m sure that using MFA (Multi-Factor Authentication) today is oblivious.

For 2FA (2-Factor Authentication) the most used method is TOTPTime-based One-time Password, when alongside with the common login:password also needs to enter a code generated by a device or software.

The most known implementation is Google Authenticator but also there is a lot of other solutions.

On the last couple of days, I was looking for such a solution for our project and have found the Authy – really nice and usable thing.

Authy vs Google Authenticator

Authy benefits in a few words:

  1. it’s not tied to a concrete device – can be installed on multiple cellphones (but still the original phone number will be used)
  2. has desktop applications for Windows, macOS, and browsers extension to make access to codes more simple, also – you’ll not be dependent on phone device and still be able to log in if you left your phone on a kitchen
  3. create accounts backup – when installing Authy on a new device it will restore all your records

See more here>>>.

InstallingAuthy

Install on a phone from Google Play on Apple Store:

Set your mobile number – it will be also used for authorization on other devices, and your email.

Authorize using SMS or phone call. Best to use SMS as calls will be done via Viber and can be with awful quality:

The is also AUR package for Arch Linux but I didn’t use it and not sure it has a sense as there is nice Chrom’es extension.

Install an application for Chrome via Chrome Apps and extension for quick access.

Application without the extension can be launched via chrome://apps.

For Windows and macOS applications can be downloaded from the downloads page.

Authorize again using SMS:

Configuring Github MFA

Documentation here>>>.

Go to the Settings > Security, click on the Enable two-factor authentification:

Click on the Set up using an app:

On the next page, you’ll get codes to restore access in case if you’ll lose your MFA-device.

Save them!

On your phone open Authy, click the Add account and set backups password:

The same password will be used to access your data from other Authy applications so store and remember it.

Github will display QR-код:

Scan it from your phone:

Choose a logo and save new account:

After creating a new account Authy will start displaying generated codes.

Enter it at the bottom on the Github page:

Done:

On this page you also will be able to configure SMS to restore access – do it :

Configuring AWS MFA

Repeat for AWS.

The documentation is available here>>> but it’s a bit outdated.

Go to the Security Credentials:

Click on the Activate MFA:

By default the Virtual MFA device will be checked – leave it and press Continue:

Click the Show QR Code:

Scan it, create the account in Authy and enter the code from your Authy application at the bottom, then wait when it will be updated with a new one – and enter again:

Done.

Similar posts

Top comments (2)

Collapse
 
tarialfaro profile image
Tari R. Alfaro • Edited

I would not trust Authy to handle my OTPs.

  1. Their code is not open-source, which means no one can verify that they are handling the data securely.

  2. They use SMS to authenticate users/devices. Not everyone has a phone number and a phone number is personal. A solution to this while not changing much, is to switch to passwordless authentication with email.

I do enjoy the idea behind Authy. It is really nice that people are really trying to promote security.

On a note, you could make email based authentication very secure with PGP. Only people who are crypto geeks would do it this way.

But overall, I think Authy could be going down a slightly better path. But either way, I think it's better having Authy than no multiple factors of authentication.

Collapse
 
tarialfaro profile image
Tari R. Alfaro

Oh my god, I have no idea what happened to my comment. I fixed it though. I swear that wasn't there when I posted it.