These days, 2FA (Two-Factor Authentication) is all the rage.
Instead of securing your account with only a password, you have to enter a password and a secret code… But where to get this code?
The simple way is via an SMS to your phone, which means you also must provide your cell phone number to various sites.
Smartphones also have authentication apps, but the problem is that you must still have your smartphone on and connected to the cell network in order to log in to a simple web site!
That’s not very convenient…
Why you care
You may be thinking that you just won’t use 2FA, but think again. Until now, the security feature has been optional on most sites.
But PayPal recently notified me that accounts will require 2FA in the near future. Google is also starting to ‘encourage’ users to use 2FA if they use YouTube, Analytics, or many other Google services.
In short, you won’t have a choice soon.
And if you’re like me and you get absolute crap reception on your phone inside your house, then even a simple SMS-with-code to log in to web sites just isn’t going to work.
Besides, why should I have my phone on when I’m sitting at my puter?
What to do?!
Behold: Authy for Desktop
Authy is an authenticator app for doing 2FA. It’s available for smartphones, tablets, and also desktop OSes – Windows, Mac, and Linux.
I use the desktop Windows version, and it works quite well.
The idea is that you download Authy, install it, and just fire it up anytime you need a secret 2FA code to log in to some web site.
Note that when you install Authy, it usually asks you to verify your account by sending an SMS to your phone – just once.
After that, you don’t need cell service ever again, and you certainly don’t need to have a smartphone!
How it works
First, run Authy:
You’ll see the services/web sites you have already configured for 2FA. To add a new site, click the + sign in the upper right corner.
You’ll see this screen:
When you enable 2FA for a given web site, they will give you your own secret setup code to set up 2FA in Authy.
You just paste that code into the box, and click Add Account. You do NOT need to save this ‘setup code’ anywhere.
On the next screen, you can give the site a name, like “PayPal” or “Gmail” or whatever you want.
Note that Authy can be used with all kinds of sites, including Google. You don’t have to use the Google Authenticator app if you don’t want to!
You can click here to see instructions on how to set up Authy with various sites and services, including PayPal, Google/Gmail, Amazon, Dropbox, and more.
Finally, when you want to log in to the site you just added, you click the site’s name from the main screen of Authy. You’ll see this:
Click the Copy button in the lower right corner, and just paste the code into your site.
TA-DA! You just verified your login with 2FA – no smartphone required.
Note that the code changes constantly, so don’t dawdle when you copy/paste it into your web site. Codes are time-sensitive for increased security.
For even more security…
It’s a good idea to set a Master Password for Authy. You just click Settings and then Enable:
That way, anybody who may get onto your puter needs your password to generate secret codes in Authy.
Of course, if you want even MORE security, you could use a hardware key like Google’s Titan Security Key.
Hardware security keys are even more secure, but not free and a bit harder to use.
But at least now you can have 2FA even if you haven’t joined the Smartphone Revolution…
And you won’t go mad when your SMS secret code arrives 10 minutes after you were trying to log in to PayPal!
Authy is great and provides that second layer of security from hackers but a Security Key is a MORE SECURE second layer of security than using an app like Authy. A Security Key is a USB hardware device for 2FA – same key if you like for more than one website – easy enough to use and on the websites that accept a Security Key (like Google’s Gmail) allow you to register more than one so I got 3 separate YubiKeys (https://www.yubico.com/) and I keep one with me and the other two in a safe place should I lose the first one. If you lose one it is unlikely it will be usable since your name or what websites it is for are unlikely – also you can de-register that key if you lose it. YubiKey has several hardware security products – I use the one here – https://www.yubico.com/products/security-key/
Yeah, YubiKeys are quite popular, and better… but Authy is free and quick, which is nice for many people. I actually use both Authy and a hardware key (for different sites).
There is a 2FA app for KaiOS. (KaiAuth: https://kaiauth.zjyl1994.com). You can install it using the official KaiOS Web IDE. All you need to do is enable the phone’s developer mode.
The question I have is why, in addition to the little generation program for those without the GSM leash isn’t there also a campaign to tell providers that many things don’t warrant such fuss. I couldn’t care less if someone spoofs my youdoob account, many could but not I. Therefore I shouldn’t have to mess around with the extra stuff I use for financial transactions, there should be the freedom to tell them where to put it.
The real reason for 2FA, of course, is to require you to give your cellphone number so they can track you even better. For example, if you have to use 2FA to log in to Amazon, now your Google account is associated with your Amazon account. That was not so hard to do before, but now it’s concrete and automated.
Thanks very much for this.
Here are some common scenarios that I face when travelling:
I am in a country (outside the EU) where my phone no longer roams for free, so I use a local SIM… or
I am in a country where there might be some internet but very poor phone signal (and I’m also perhaps using a local SIM)… or
I am in a country where they disable your foreign bought phone (using its IMEI) after 120 days. Yes, Turkey, I am looking at you! But to be fair, there may be other offenders.
In any one of these situations it can be a serious impediment to purchases/travel if needing to receive an SMS on my home phone number. So any move to eliminate SMS is to be welcomed.
However a critical part that may not be avoidable is the Visa/MasterCard authentication that sometimes (not universally) appears when using a Credit Card. These are always SMS codes sent to a phone and there seems to be no avoiding them. Do you know a workaround for this? It might be bank specific, or card specific.
One further question about time related codes: What is the effect (if any) of using a VPN?
I may be physically in one country, digitally in another and using a service based in a third.
Do I just need to have my smartphone/laptop on the local network time or in the timezone in which I appear to be?
Thanks for any guidance.
Sometimes, you need to do the SMS thing once – and then you’ll be given the option to use a 2FA app like Authy instead. The point being, it seems, that they REALLY want your phone number. Even to use Authy, you must set it up with a one-time SMS. After that, you should be fine. VPNs shouldn’t make a difference.
In the headline – … ‘WITHOUT’ a smartphone
In the text – Authy asks you to verify your account by sending an SMS to your phone.
Clickbait really does work.
Yes, once. The idea is that you don’t need to receive an SMS or use a smartphone every single time you log in to 2FA sites. Google won’t even let you use a hardware key for 2FA until you’ve added a mobile phone number (smart or not).
The only site I know of that doesn’t require all this nonsense is PayPal: they will actually call your home phone and give you a code you have to type in online – every single time you log in. It’s really annoying.
My bank won’t even allow online payments without a smartphone app to verify it. And before the app will work, I have to log in to my online banking AND receive an SMS.
The unfortunate truth is that very soon, you won’t be able to survive without a mobile phone of some description – and most likely it will have to be a smartphone.
Please could you answer the question that presumably drew a lot of people to this page in the first place? Is it possible to do two-factor authentication without a mobile phone?
That’s just not an acceptable response: no one needs to stalk me, not even once.
I agree. I’m of the opinion that if you MUST use these systems – and many of us have no choice depending on where we live – then I’d rather do it once than every single time. If that’s the best ‘protest’ I can mount at the moment, then that’s what I’m gonna do. That doesn’t mean I LIKE it…
Yes, I echo Clickbait Victim’s Comment. I don’t own a mobile phone so I can’t receive an SMS even once. What’s the answer to that Scottie?
My answer is: Soon, you won’t be able to do anything. Everyone I know who held out and refused to get even a dumbphone to receive an SMS ended up getting one in the end. The reason is that you can’t even make a purchase on Amazon with a new card without first doing “3D Secure” or one of those types of things, and banks won’t allow that without their own 2FA – which often includes using their specific app, which requires a smartphone. It’s getting worse and worse, and soon you will either do what they ask, or you won’t eat. That’s not my fault; that’s the fault of the system that exists.
As for my clickbait title: People read clickbait titles every day about real events that have real effects on millions of lives (and brains), and nobody complains… I would say that unfortunately the majority of people still don’t even realize the BS they’re being fed. But you want to be mad at me because you’re pissed off that everything requires 2FA these days? Seriously? At least my article gives a solution to the problem that I intended it to solve, which (as I stated in the article) is to avoid having to use a smartphone or SMS at your computer for every single transaction you make online.
There is a simple solution: buy a cheap dumbphone or smartphone with a cheap plan or pay-as-you-go, use it to validate the Authy install, use Authy from then on, and never turn on or use the phone for anything else. Obviously, that’s not ideal and should be unnecessary, but that’s the world we live in. If you don’t like it, join the club. Then do something to make it better instead of directing your anger at me.
Thanks very much Scottie for your helpful reply. I appear to have given you the completely wrong impression for which I am sorry. I was trying to find out if there was any “workaround”. I was not being in any way critical and I was merely looking to see if there was a solution to the problem where a person does not own a mobile phone. Your first paragraph gives me the simple answer I was looking for which, as you rightly say, is not your fault but is the system. Thanks again for clarifying that there is no workaround for people in my position other than to buy a mobile phone. Please don’t think I was being mad at you as I wasn’t but I was confident you would know if there was a solution to my problem which was not explicit in your original Article. Thanks again.
I wasn’t being mad at you.
Great info. My wife and I are seniors. We, still, have flip phones (Alcatel). My wife is NEVER going to “graduate” to any kind of Smartphone. We, rarely, have our phones on and use them only when necessary. But our Alcatels do get text messages. (Yes, we don’t text either and are not on any kind of “plan,” just add minutes/money yearly through T-Mobile). My question: since our flip-phones do receive texts, can we use Authy with Alcatel? If I read the info above correctly, you only need to get 1 text to set it up. Now, we want to use it for Facebook but plan on adding other sites. We have tried another 2FA on FB but aren’t comfortable with it. Can it be deleted/removed and substitute Authy instead? Waiting for a response…thanks. Have subscribed to your blog.
On my FB account, I went here:
It seems you can either use just an SMS to your dumbphone for 2FA, or you can use an Authentication App (like Authy).
You should be able to set up any new 2FA settings on FB, and then just delete the old one.
Thank you for responding. Have subscribed to your site. All seems to have worked out. Have one issue. I’ve installed the Authy app on my desktop, laptop and iPad. Clicking on the app, there are 3 Facebook accounts listed. I just have 1 Facebook account. How did that happen?? Is the solution to delete 2 of them? How do I do that as I’m not sure which one to keep.
Ah, yes… If you enable sync in Authy on all devices, you’ll only need 1 account. If you don’t and you actually set up 2FA on each device, then you end up with 3 accounts.
So the thing to do would be: delete 2 of the accounts. Then enable “backup sync” on your main device. That will sync it to the Authy Cloud (which is not very safe, but annoying if you don’t use it). Then on the other 2 devices, delete all 3 accounts, make sure you’re logged in to Authy with the same login, and enable sync on those 2.
The other trick if you DON’T want to use their cloud backup is to save the Top Secret Code, and manually enter on all devices. But most people just use the backup sync feature, and you’re done.
I explicitly looked for a way to use 2FA without a phone. This is how I came across this site. It suggested it is an app that works without phone, so I installed it. But the first thing it then does is ask me for a freaking phone number. Total waste of time!
See my reply to Paul Langley. As far as I know, this is the best you can do. And it’s getting worse by the day. I have several friends who HAD to get a phone to at least receive SMSes or their bank would close their account. Another guy had no choice but to get a smartphone because his bank said Banking App to get their own secret codes, or nothing! This is the wonderful new high-tech world we live in, I’m afraid…
Pure desktop solutions which do not require any phone would be:
⁕ Authenticator for Linux: https://apps.gnome.org/app/com.belmoussaoui.Authenticator/
⁕ 2fast for Windows: https://github.com/2fast-team/2fast
⁕ Another Authenticator, different from the previous one, in the form of a browser extension therefore working on Mac: https://authenticator.cc/
⁕ Excellent cross-platform password manager KeepassXC also offers the possibility of generating 2FA, but it is generally advisable to separate passwords and authentication codes by using different apps for each purpose: https://keepassxc.org/