Clef v Google Authenticator v Authy

If any of you have a Google/GMail account I am sure you have seen the prompts to setup 2 factor authentication (2FA). The way 2FA works is that not only do you enter a password, but a pin is sent to you via SMS and you have to enter that, too in order to login. When I first saw it I was tempted but then I thought (like any sensible person would) that if my mobile phone runs out of battery or if I am out of network coverage, I won’t be able to access my emails. So I left it at that.

Clef

Then a few days ago whilst I was attending the WordCamp San Francisco (remotely, via streaming) during one of the presentations somebody mentioned ClefClef is a combination of a mobile phone app and software that lets you login to websites without even entering a password. So, when you want to login you see some vertical lines moving up and down on your screen, you open the Clef app on your mobile phone and you point the camera to the screen. The app reads the lines and sends a coded message to the Clef server. The Clef server confirms with the site that the coded message is correct and the server sends a message back to the app where you choose for how long you want to be left logged-in into the website; you can even choose infinite time. And that’s it! You are logged in and ready to work. There is a Chrome extension, called Waltz, that allows you to use Clef even on the websites that don’t have the Clef technology installed. I am quite happy with it, the only complain is that you cannot be logged in one computer and login to another, too. You will have to log out from the first one to login to the second. A nice feature is that you can logout remotely through the mobile app.

Pros:

  • Super quick & easy to login.
  • No need to remember passwords.
  • Can use password if mobile phone is not available.
  • For apps/integrations, up to 1000 logins per month are free.
  • Chrome extension (Waltz) that allows you to login to any website.
  • Plugins/integrations for the majority of CMSs and frameworks.
  • Remote logout through the mobile app.

Cons:

  • You don’t know where and how the passwords get saved.
  • You need your mobile phone to login.
  • You need to pay if you have more than 1000 logins per month.
  • Cannot use it on multiple PCs simultaneously.

Google Authenticator

So after using Clef for a couple of weeks, I decided to give Google another go. I setup 2FA to see how it works. You enable it and then you choose if you want the codes sent to you via SMS or you can download a mobile app that generates auth codes; much like the RSA SecurID tokens. You can also have a USB FIDO U2F security key. You plug the U2F in a USB port of any computer and once you have entered the username and password it instructs you to use the key. You touch the key and it logs you in. Now, if you loose your key you can you can use a one-time-only code that you have kept on a piece of paper or in USB flash drive. You can even have a backup phone. Finally, the Google Authenticator app works on multiple PCs, unlike Clef.

Pros:

  • It can be used on Google services and other sites that allow you to login with your Google account.
  • It can be used on multiple PCs.
  • You can use a USB FIDO U2F security key for ease and speed.
  • You have one-time-only backup codes.
  • Plenty backup options for worst-case scenarios.
  • Many implementations/plugins available for CMSs/frameworks for free.

Cons:

  • You still need to remember passwords.
  • It makes the login process longer.
  • Google Authenticator mobile app does not have a pin/password.

Authy

Looking into the whole 2FA thing I came across Authy. Authy is very similar to Google Authenticator and it gives you the options to create your own integration with your WordPress, Joumla, Drupal installation, etc. The only problem is that then you need to pay in order to create your own integration/app. For Gmail, other Google services and sites that you can login with your Google account it’s free.

Pros:

  • Mobile app has pin protection.
  • It can be used with Google Authentication.
  • Many implementations/plugins available for CMSs/frameworks.
  • You can create your own integrations.
  • You can use Authy mobile app for Google Authenticator.
  • You can save codes/passwords on Authy’s cloud.

Cons:

  • You still need to remember passwords.
  • Login process is long.
  • You have to pay for server-side plugins/integrations.
  • You don’t know how secure are the codes/passwords saved on Authy’s cloud.

Verdict

I really like the ease and simplicity of Clef. On the other hand, Google’s Authenticator is widely used and I have a few Google accounts (GMail, Google Apps, etc.). The Google Authenticator app does not have a pin/password but neither the RSA SecurID tokens do. Authy costs if you want to implement it on your website/blog.

I already use Clef and it suits me. I like the many backup solutions of Google Authenticator (U2F security key, one-use-codes, mobile app, SMS, voice-call, backup telephone number). So a combination of Clef and Google Authenitcator with the Authy app (for the extra security of the pin) I think is the best solution. My main 2FA login app is Clef. If I don’t have signal on my mobile phone I can use Authy for Google Authenitcator. If the phone is not available/lost, I Can use the FIDO U2F key. If I don’t have the key on me, then I can use one of the one-time-only backup codes. Until somebody else comes with the simplicity of Clef and the flexibility of Google Authenticator, I think this is my setup of choice.