
Cool, but I will continue using the Google Authenticator app. Google is not the only thing that requires 2FA; so do numerous other sites, and the GA app is the most widely supported and the least pain in the behind. I don't see a point in plugging my entire keychain (the physical keychain, with my car keys) into my laptop every time I want to log into GMail, much less carrying around 10+ different USB tokens.

Now, an NFC-based token where I don't have to type anything in, or an iWatch/FitBit/whatever type wearable as a token would be pretty cool. Or even better: a universal library/service that abstracts which token I use. That way I can have multiple tokens for different situations.




Maybe the UI is nicer, but the permissions on Android are unnecessarily intrusive, which—to me—is a dealbreaker with a 2FA manager.

  Device & app history
      read sensitive log data
  
  Identity
      find accounts on the device
  
  Camera/Microphone
      take pictures and videos
  
  Wi-Fi connection information
      view Wi-Fi connections
  
  Other
      receive data from Internet
      access Bluetooth settings
      pair with Bluetooth devices
      full network access
      view network connections
      control vibration
      prevent device from sleeping
      send sticky broadcast

Contrast this with Google Authenticator:

  Identity
      find accounts on the device
  
  Other
      control vibration
      full network access
      use accounts on the device
      create accounts and set passwords
      close other apps
https://play.google.com/store/apps/details?id=com.google.and...


Well, each of those permissions they request ties to a very obvious and useful feature.

Camera/Photo for QR code-based 2FA; Bluetooth permissions and Internet data to handle local connection to trusted machines and callbacks from sites like Coinbase (when I log into Coinbase, I get a handy 2FA notification from Authy that leads me right to the code).

Log data is the most questionable, but it really makes debugging so much easier when you can see what's going on, and is a pattern/permission they share with Evernote, foursquare, fring, Netflix, Rdio, Dolphin Browser, AccuWeather.com, Hotmail, doubleTwist Player, MOG, Handcent SMS, Bump, TweetCaster, etc.


Wait, Google Authenticator lets you provision accounts by scanning a barcode; how does it not list "take pictures and videos" in its permissions manifest?


IIRC Google Authenticator uses a third-party barcode scanner via an intent.


Having used DuoMobile, very quickly looked at Authy and heard about Google Authenticator from colleagues, I'm pretty happy to have found http://cooperrs.de/otpauth.html.

It does one thing, and does it well. It doesn't keep trying to get me to use a service where I hand over all my 2FA secrets to some company, and what's more, the developer responds pretty quickly when there are support issues (e.g. some QR codes are weird sizes and there was a trick pre-iOS8 to make them scan) or even bugs.


Red Hat also makes a prettier version (https://play.google.com/store/apps/details?id=org.fedorahost...). Not as pretty as Authy, but less sketchy w/ the pointless permissions. Also, Authy cloud syncs your accounts, which seems like a bad idea.


It enables http://blog.authy.com/multi-device , which is either very handy or stupid depending on how paranoid you are.


> Now, a NFC-based token where I don't have to type anything in, or an iWatch/FitBit/whatever type wearable as a token would be pretty cool.

The YubiKey NEO http://www.amazon.com/dp/B00LX8KZZ8 supports NFC, there's a picture of it sitting on top of what appears to be a Nexus 5 on the linked Amazon page. There's nothing stopping Google from making mobile Chrome work with it over NFC.


Don't keep it on the same keychain as your car keys. I don't; that would be terribly impractical. Instead, it lives in my laptop slipcase.

Even better, get the nano version and leave it in your USB slot permanently: http://www.amazon.com/dp/B00O8ST7MM


Isn't this kind of counterproductive? A key use case of 2FA is to keep your accounts secure if your computer is simply stolen.


Unless you don't click "Remember this computer for 30 days" and log in every time, 2FA isn't protecting you from stolen computers.

Security key protects you from phishing and someone on the Internet guessing your password.

(Many security keys are designed to be permanently installed in your computer, like this one: http://www.amazon.com/Yubico-Y-110-YubiKey-NEO-n/dp/B00O8ST7...)
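The phishing-resistance claim in the comment above comes from the fact that a U2F assertion is signed over the origin the browser observed, not over anything the page supplies, and the token will only answer for an origin it was registered at. The following is an added example, not code from the original thread or from Google/Yubico/FIDO: a toy token and relying party in Go using P-256 ECDSA as U2F does. The origins `https://accounts.example.com` and `https://accounts.example.com.evil.example`, the map from origin to key (standing in for a real device's key-handle derivation), and the simplified signed layout `H(origin) || counter || H(challenge)` are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is a toy security key. A real U2F device derives a per-site key from a key
// handle; here a map from browser-observed origin to a P-256 key stands in for that.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // monotonic signature counter, shared across sites as on real devices
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key bound to the origin the browser saw. The page cannot choose
// this value; that is what makes the credential phishing-resistant.
func (t *Token) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Assertion is what the browser hands back to the site after a touch.
type Assertion struct {
	Origin  string // origin the browser observed, also covered by the signature
	Counter uint32
	Sig     []byte // ASN.1-encoded ECDSA signature
}

// signedMessage is the simplified layout assumed here: H(origin) || counter || H(challenge).
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(origin))
	chHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(appHash[:], ctr[:]...)
	return append(msg, chHash[:]...)
}

// Sign is the token's response to a challenge the browser delivered for `origin`.
func (t *Token) Sign(origin string, challenge []byte) (Assertion, error) {
	priv, ok := t.keys[origin]
	if !ok {
		return Assertion{}, fmt.Errorf("no key registered for origin %q", origin)
	}
	t.counter++
	digest := sha256.Sum256(signedMessage(origin, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Counter: t.counter, Sig: sig}, nil
}

// RelyingParty is the site: it keeps the public key and the last counter it accepted.
type RelyingParty struct {
	Origin      string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}

// NewChallenge is the fresh random value the site issues per login attempt.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify rejects foreign origins, replays, and bad signatures, in that order.
func (rp *RelyingParty) Verify(challenge []byte, a Assertion) error {
	if a.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was produced for a different site")
	}
	if a.Counter <= rp.lastCounter {
		return errors.New("counter did not advance: replayed or cloned credential")
	}
	digest := sha256.Sum256(signedMessage(a.Origin, a.Counter, challenge))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], a.Sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	rp.lastCounter = a.Counter
	return nil
}

func main() {
	tok := NewToken()
	rp := &RelyingParty{Origin: "https://accounts.example.com"} // assumed origin
	rp.Pub, _ = tok.Register(rp.Origin)
	ch, _ := NewChallenge()
	a, _ := tok.Sign(rp.Origin, ch)
	fmt.Println("genuine login:", rp.Verify(ch, a))
	fmt.Println("replayed assertion:", rp.Verify(ch, a))
	// Phishing: the attacker relays the real challenge, but the browser reports its own origin.
	_, err := tok.Sign("https://accounts.example.com.evil.example", ch)
	fmt.Println("token at phishing origin:", err)
}
```

Contrast this with a TOTP code typed into the phishing page: the attacker forwards the six digits to the real site within the 30-second window and they are accepted, because nothing about the code says where it was entered. Here the attacker either gets no signature at all (the token has no key for the phishing origin) or gets one whose origin hash the real site's verification rejects.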


It's not even 30 days necessarily. I use 2FA on gmail with "remember this device" checked, and I haven't had to sign in for a year or more.


Is this on Android? That works a little differently than desktop logins.


Nope, desktop browser. As long as I use it regularly, I never get signed out.


You can revoke that key if your computer is stolen.


Note that this solution will exactly replace OTP in some cases (e.g. when the browser supports it), but you always have the option to revert to "normal" OTP at any time for authentication (which you will still have to do when authenticating from mobile, for instance).


rtfa: "As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported."


First, where would I carry this key? My phone is always with me, while my keys are not. (Yes, I know I could use the exercise to go get them when I am home, etc.). I also am not fond of attaching my entire keychain to the USB port of my laptop: I have broken several USB ports on older laptops this way. Taking the USB key off the keychain will inevitably result in me losing this small item (that's knowing me, not the same for everyone obviously).

Second, the GA-style 2FA works great because it's so easy to support and so many things support it. TFA mentions more browser support. Well, I use 2FA for more than just the web. For example, ssh supports it. I am all for this becoming a standard and being more widely adopted, but the security vs usability tradeoff for me here is just not worth it. With these physical tokens I get marginally better security than with the GA app, while giving me a much worse experience.
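The "so easy to support" point above is concrete: GA-style 2FA is RFC 4226 HOTP driven by a time counter (RFC 6238), the QR code a site shows at enrollment is just an `otpauth://totp/...` URI carrying a base32 secret, and a verifier is HMAC-SHA1 plus a few lines of truncation. The block below is an added example in Go, not code from the thread or from Google Authenticator; the URI, its secret `JBSWY3DPEHPK3PXP`, and the account name are constructed for the example and do not belong to any real account.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// ExampleURI is a constructed otpauth:// URI of the kind a Google Authenticator
// QR code encodes. The secret is a made-up value, not a real account.
const ExampleURI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30"

// TOTPKey holds what both sides share: the secret and the code parameters.
type TOTPKey struct {
	Secret []byte
	Digits int
	Period int64
}

// ParseOTPAuth extracts the base32 secret, digit count and period from an otpauth://totp URI.
func ParseOTPAuth(raw string) (TOTPKey, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return TOTPKey{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return TOTPKey{}, fmt.Errorf("not an otpauth://totp URI: %q", raw)
	}
	q := u.Query()
	// Secrets in the wild are often unpadded and lower-case; normalise before decoding.
	b32 := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
	if err != nil {
		return TOTPKey{}, fmt.Errorf("bad base32 secret: %w", err)
	}
	k := TOTPKey{Secret: secret, Digits: 6, Period: 30}
	if d, err := strconv.Atoi(q.Get("digits")); err == nil && d >= 6 && d <= 8 {
		k.Digits = d
	}
	if p, err := strconv.ParseInt(q.Get("period"), 10, 64); err == nil && p > 0 {
		k.Period = p
	}
	return k, nil
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// CodeAt is RFC 6238: HOTP with the counter set to the current time step.
func (k TOTPKey) CodeAt(t time.Time) string {
	return HOTP(k.Secret, uint64(t.Unix()/k.Period), k.Digits)
}

// Verify is the server side. It tolerates `skew` steps of clock drift either way and
// compares in constant time so a wrong guess leaks nothing about the right code.
func (k TOTPKey) Verify(code string, t time.Time, skew int64) bool {
	step := t.Unix() / k.Period
	ok := false
	for d := -skew; d <= skew; d++ {
		if hmac.Equal([]byte(HOTP(k.Secret, uint64(step+d), k.Digits)), []byte(code)) {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	k, err := ParseOTPAuth(ExampleURI)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code := k.CodeAt(now)
	fmt.Printf("current code: %s  (verifies: %v)\n", code, k.Verify(code, now, 1))
}
```

The same `Verify` is what an SSH PAM module or any other non-web consumer implements, which is why the scheme spreads so easily; the flip side, visible in the code, is that the server holds the same secret the phone does, so a server-side breach or a code typed into the wrong site is enough to defeat it.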


Unlike usb drives though you don't need to leave this plugged in for more than a couple seconds, which greatly limits the danger of damaging your usb port.


In my experience USB ports break when you insert/remove plugs, not from static strain. You insert something too large, or too awkward, and suddenly you need a new motherboard.



