When you open an account with an exchange you will be prompted to enable two-factor authentication (2FA), and they usually suggest that you use Google Authenticator. 2FA increases the security of your account because logging in requires two things – your password and a one-time code generated by your phone. If a hacker gets your password (perhaps by compromising your PC) it does not help them, because they don’t have your phone.
You should always use two-factor authentication, but Google Authenticator is bound to your phone: if you lose your phone or reset it, you will lose ALL of the Google Authenticator accounts. Some, but not all, exchanges prompt you to write down a key that will enable user support to reactivate your account if this happens.
I had assumed that Google backed up the accounts in the cloud but they do not. If you lose the phone you lose the accounts. What idiot designed this system…
Alternatives to Google Authenticator
Only enable 2FA using SMS (OK)
If you lose your phone you can get a new SIM with the same number and regain access to your accounts.
- Most providers are quite good at mailing out replacement SIMs
- Some providers will provide web access to your SMS messages
- You will have to wait for a new SIM
- If you have SMS messages appearing in a web application there is a risk that a hacker might see them.
Use Authy (preferred)
Authy is 100% compatible with Google Authenticator and offers a backup capability. It is owned and operated by Twilio, who are a well-respected service provider.
- Authy will back up your account, allowing a simple restore.
- Authy provides clients for desktop computers as well as phones giving you immediate redundancy.
- You can disable any device from any other device. So for example if your phone is stolen you can disable it from Chrome on your desktop computer.
- You have to trust Authy’s code and assume that they manage your tokens properly.
Authy have a blog post about their advantages over Google Authenticator here. Please note that I think it is necessary to enable “multi-device” to permit the full backup and restore function.
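The "magic number" from the opening paragraph and the compatibility claim above come down to the same thing: Google Authenticator, Authy and the exchange all run the standard TOTP algorithm (RFC 6238) over one shared secret, so whoever holds a copy of that secret produces the same codes, and losing the only copy (a reset phone) loses the account. The following is an added illustration, not code from this post or from Authy; it uses the RFC 6238 test secret rather than any real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way a
# provisioning QR code or a "write this down" backup key presents it.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a TOTP secret, tolerating spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as used by Google Authenticator and Authy: the counter is
    the number of 30-second steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """What the exchange does on login: accept the code for the current step or
    for +/- `window` neighbouring steps (clock skew), compared in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Two "devices" (phone and a restored backup) holding the same secret agree:
    print(totp(EXAMPLE_SECRET, now), totp(EXAMPLE_SECRET, now))
```

A code is only valid for its 30-second step (plus the server's skew window), which is why a stolen code is far less useful to an attacker than the secret itself.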
Use a FIDO-compatible hardware token (best)
Even though 2FA solutions on a phone are reasonably secure, you are still running trusted software on an untrusted device. The best solution is to provide 2FA using a dedicated hardware device that cannot be compromised by an attacker.
The FIDO Alliance has a specification for a hardware token that can be plugged into a USB port to provide 2FA. The Trezor hardware wallet claims to be FIDO compatible, and this standard is supported by some exchanges.