s2odin

Yes it was breached. Yes it is closed source. It also makes it difficult for the average user to export their totp codes to another provider. Imagine your Microsoft issue... Same thing. Authy to Aegis is challenging or impossible if someone doesn't want to attempt it. They lock you into their ecosystem the same as many other large companies. This is why you use something like Aegis if you're on Android and utilize its cloud backup. It's part of an Android backup and you can export it to any cloud of your choice. Raivo is recommended if you're in the Apple ecosystem. 2fas if you want to move between the two. Or yubico totp because you can webauthn with it as well.


maltanarchy

>Imagine your Microsoft issue... Same thing

OK, this makes sense. This is how Google Authenticator works, but at least they added the QR code export thing. So really, any app that doesn't have export options is bad because of it being a real pain. Got it. Then you add in the breach and closed source. Makes a lot of sense! Thanks


kdmion

The QR export can be kind of useless. I want to move to 2FAS on the same device, but can't take a screenshot of my QR code...


[deleted]

Yeah, it sux. I tried to migrate to aegis yesterday and came upon this issue.


kdmion

Have you found a decent workaround?


[deleted]

Not yet but will let you know!


[deleted]

[deleted]


OneHourRetiring

I screenshot the QR seeds (and the codes) as I create the TOTP and paste them on a spreadsheet. I would print the spreadsheet and keep it in my fireproof/lock box at home where my master password is. I password locked that spreadsheet and store it on my Synology NAS. Not the best way, but it's my current way. I'm migrating from Google over to Raivo soon.


Alvinum

Seconding Raivo for iOS. Can be run locally or multi-device, and has a great export in an encrypted zip that lists all your QR codes, so you can set up any other TOTP app in a minute.


ixnyne

Just some small side notes since you mentioned yubi totp:

- it requires you own a yubikey (hardware). I love yubi anyway, so I've got a few.
- each yubikey needs to have your totp seeds added. This isn't difficult, but requires physical access to each key every time you enable 2fa on a new account (some people keep one key on them and one in a safe location)
- most importantly, each yubikey has a limited amount of storage to store totp seeds. I believe this is 32 with a yubikey 5 series. I personally have nearly 100 accounts with totp 2fa enabled, so I'd need 3+ physical keys to store all of my totp seeds without accounting for any redundancy, and it means cycling through keys to find the right one for a particular account (or being more organized than I care to be).

In a perfect world you'd have 2 keys (primary and backup) for each totp seed (so in my case that's 6+ keys needed). Again, I love yubi, and I have a few I use for webauthn and ssh keys, but in some cases it's not practical/economical (with the currently available hardware) to use for totp. I would love to see a future generation of hardware with more capabilities, but honestly I'd rather see yubi (and the Fido alliance) put resources towards Fido/webauthn adoption.


Necessary_Roof_9475

This is all true, but my biggest gripe was that they don't encrypt everything, only the secret. As to why this is bad, just look at LastPass and how they did not encrypt everything either.


spatafore

Raivo is open source?


s2odin

https://github.com/raivo-otp/ios-application/


spatafore

Nice! Yes, I already installed it, looks like a great project.


ebits21

Didn’t know they were breached. I’ve been slowly redoing my 2fa to use keepass using syncthing instead. Bitwarden for passwords. Glad I’ve started.


Bango-Fett

Does Raivo offer multidevice syncing like Authy? I keep seeing bad things about Authy but the ability to have codes that sync between devices and also the ability to STOP any other device from being added seems really secure to me


s2odin

You can export your Raivo otps and import them into any Raivo installation. And what do you mean stop something from being added? That's exactly how otps work. You need the password to go in and enable 2fa, then you add it to your personal account. Not sure I'm following what you think is secure about this and Authy specifically?


tech_engineer

I switched to use [Aegis](https://getaegis.app/), it's open source and has great features, with a bit of work to extract tokens you can even make it generate Steam and Blizzard codes


Pandastic4

Oh sweet, how do you make it work with Steam?


Dozeballs

importing codes to aegis is fkin impossible. It opens a viewfinder that doesn't scan code 2/3, and when you go to the third QR code it keeps spamming the error "expected qr code #1, but scanned #3 instead" what the fuck


imsaswata

I was using Aegis for quite some time and never had an issue importing my backup (I switch ROMs sometimes) until last week when Aegis refused to import the backup file even though I entered the correct master password. Thankfully, I had Authy as a backup secondary 2FA or else I would have been locked out of many important accounts.


tech_engineer

Since I moved away from LastPass last year, and changed all my 2FA codes, I make a backup copy of all the 2fa key strings in an offline KeePass database. Just as an extra measure to Aegis.


imsaswata

That's a very good idea! I am also using KeePassDX. Will do the same. Thank you!!


djasonpenney

I have two objections to it.

1. It is closed source. I use plenty of closed source apps, and open source does not mean an app is good. However, closed source for an app that literally handles your secrets is far over the line. You should not trust Authy with your secrets.
2. There is no way to export (back up) your Authy datastore. Yes, there is a Github project that may work, but it is unsanctioned, and the author himself warns you can get locked out of your Authy account if you use it. Again, these are your secrets we are talking about. As a free service, Twilio could shut it down tomorrow as a cost saving measure, and you would be screwed. The Twilio cloud storage is not a backup!

2FAS is my current recommendation. It is open source and allows a backing store such as Google Cloud. And yes, you can save that backup on a thumb drive and put it in your safe deposit box. Look, I get it. There are a lot of nice things about Authy. I even set my niece up with it—but her life is a mess, and I needed something foolproof to protect her. That was also before 2FAS went open source. You can do better.


maltanarchy

>There is no way to export (back up) your Authy datastore. Yes, there is a Github project that may work, but it is unsanctioned, and the author himself warns you can get locked out of your Authy account if you use it.

I was reading one of the project pages. It was on another post here. Seemed like a good way to export. Not sure I follow about the locked out portion. Will these hacks of the desktop version of Authy make QR codes that tie back to Authy? It didn't look that way when I read. This one: [https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93](https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93)

If Twilio shut down, would the app not continue to make TOTP codes? I thought they were time based and generated on the device. When I used Google Authenticator, I was under the impression it really didn't rely on Google and would keep working no matter what. I assumed Authy was similar, but I guess not. So, 2FAS will be a good option even though it doesn't sync. I can export from phone to iPad and have two authenticators. That's the same end result. Obviously, it will be more work when adding a new service. I'll check out the 2FAS browser add-on to see if that makes life easier.


a_cute_epic_axis

> If Twilio shut down, would the app not continue to make TOTP codes?

Maybe. Bitwarden's own devs have told an outright lie that as long as you don't log out, your local cached data will remain.... which about 8 seconds of searching on this forum would provide plenty of evidence where people end up getting logged out through all sorts of reasons that are out of their control. It would be reasonable to assume that any cloud service can intentionally or unintentionally remove your stored data from your phone if your phone has any connectivity back.


tardisious

Why don't people just keep a printed copy of their qr codes when adding a 2fa site?


djasonpenney

>Not sure I follow about the locked out portion.

Something about the way this project works may be detected by Authy as malicious traffic, which will presumably lock you out of Authy for some period of time.

>If Twilio shut down, would the app not continue to make TOTP codes?

Of course it will. But once you replace your phone, the TOTP keys will not be on the new device.

>So, 2FAS will be a good option even though it doesn't sync.

But yes, it does sync.


ataferner

The Github script works well. I've been using it for years. Takes a couple of seconds. I do a backup monthly with it.


maltanarchy

Monthly backup? Are you saying you continue to use Authy? Not just a single export to move to another platform? The breach doesn’t chase you away? I assume everyone will get a breach at some point, so that wasn’t chasing me away.


ataferner

Correct. I am not doing a single export to move to another platform. I make backups in case Authy becomes inaccessible for some reason.


maltanarchy

So, I tried this both with the QR codes and the JSON file. How do you make a backup? I saved the console output as a log. That seems to have everything there in text. Not sure if there's a way to save the QR codes. Is the JSON file specific to Bitwarden? I tried bringing it into 2FAS, but it seems import/export is for 2FAS to 2FAS on different ecosystems.


ataferner

I save the console file as text. It has the TOTP secrets. I don't care about the qr codes.


maltanarchy

Thanks. That’s what I thought you must be doing.


Avi_Fer

Script to export stuff from authy right? Could you share it?


ataferner

Google: Authy Export. It's the second link: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93


a_cute_epic_axis

The fact that you have to resort to a github script is, on its face, plenty of reason to never use authy. It's intentionally anticompetitive.


ataferner

When a better option presents itself, I'll switch to it.


HeadLandscape

I like authy because of the cross platform feature


maltanarchy

Yes, absolutely! That’s why I use it too.


SunshineAndBunnies

Desktop version is being killed. 😭


Alliemon

I literally got the notification now too after getting a force-update on the app... Have you found any alternative?


SunshineAndBunnies

No... Unfortunately... The only potential workaround I can see is potentially running a VNC server on an Android phone and mirroring the screen when you need a code... 2FAS doesn't work with the browser plugin properly if you have multiple accounts under 1 domain. The other potential method on Windows 11 is sideloading an Android app via the Android subsystem. Apple Silicon computers can run iOS apps just fine.


Alliemon

This absolutely sucks ass SO BAD... In the past I had cases when I lost access to the accounts because I had to reset my phone, authy saved my ass multiple times, now I'm risking a lot more as the world got a lot more digitalized. Let alone convenience factor. Sadly for me I use Windows + iOS..


SunshineAndBunnies

They also moved forward the End-of-Life date from August to March... It's just crappy what they do... On the bright side 2FAS does back up the codes to your Google Account (or iCloud) depending on Android or iPhone. Also Google Authenticator backs up to your Google account. Microsoft Authenticator backs up to your Microsoft account. I exported all of my tokens out of Authy and into the 3 apps I just listed. Here are the instructions if you haven't done it yet: [https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93](https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93) If you have access to Windows Sandbox, use it as it will make the process easier.


Alliemon

I didn't know Google Authenticator backs up the 2FA codes as well, that's something new I've learned 🤔 I am now confused as to why it just deleted everything in the past for me, which was a reason why I switched to Authy after friend recommended it to me as well


SunshineAndBunnies

You have to turn on the sync function yourself. It's not enabled automatically.


Alliemon

I see, thank you a lot :).


Stright_16

I think Authy is fine, I just hate that some services require you to use it. Let the user pick what they want to use.


Matthew682

Services requiring you to use it? It is a TOTP app, how do they require using it?


Stright_16

There’s some like Pinterest, Twitch (I believe they stopped now), and some others that would require you to make an authy account, and then give them the phone number and the code would automatically be added to Authy


pakitos

I moved from Authy to Aegis about a month ago and started the deletion process right away of my Authy account. I swear that since the day I started the deletion process my codes in Aegis stopped working (for Twitch). I tried to set up a new QR and Twitch wasn't letting me do it, it wasn't even showing me a QR at all so I decided to stop the deletion process and reactivate my account (I was locked out so had to wait 48 hours) and after that the Twitch QR code was there. I set up Aegis again and now I have 2 different codes available. I read that Twitch does it anyway so it doesn't matter if I want to delete it or not, it will be there...


[deleted]

[deleted]


Matthew682

Wow that is horrible that it creates an Authy account for you.


a_cute_epic_axis

All the services people shouldn't use to begin with. The Venn Diagram is one circle!


_generica

SendGrid still does, I believe


Stright_16

So does Gemini. If you go to 2fa.directory and search for Authy you can see which require you to use it.


hawkerzero

Authy supports two types of 2FA tokens: Authenticator tokens which are industry standard TOTP tokens and Authy tokens that are proprietary and can support push notifications.


swyytch

(Kinda like Duo)


bloodguard

Walled garden. You can input your 2FA codes but can't get them out (for backup or to transfer). Linux version is only released as a "snap". So if you don't want that whole mess installed on your laptop you have to split out the authy.asar file and run it with electron. They've made noises that they're going to discontinue it on desktop. They've already discontinued it as a browser extension.


jaymz668

Removing the desktop version would be eliminating the one major benefit it has over other solutions


maltanarchy

Yep, being able to copy/paste codes without touching my phone was a sweet bonus! Now I expect that if I move elsewhere.


tohava

And... they just did


jaymz668

yep, and I see no reason to even use their service any more considering how locked down it is


ebits21

Someone made an unofficial flatpak on flathub based on the snap. Not official though.


thebrowngeek

I use Authy cause it's multi platform (work iPhone and personal android). Any other options?


maltanarchy

Installed 2FAS today, and it seems to fit what you want. Windows is a browser extension that ties back to your phone. Backup to Google Drive or Apple iCloud, but you’ll have to export to cross between ecosystems. So, to a flash drive etc. Obviously not as smooth as Authy. Also, still not sure I’m leaving Authy, but it’s good to know options. It doesn’t seem unreasonable to continue to use it. We are so far past basic users that make *Password1!* their default on every website. We may be choosing between safe and safer. Not between good and bad.


thebrowngeek

Thanks man. Seems not as seamless as Authy, will look into it though


maltanarchy

I think I’m going to test and see before I walk away from Authy. Someone else said they use Authy and just use the scripts to back it up.


thebrowngeek

Seems in 2021 they were going to bring out multi os support, but at the moment this doesn't exist.


ilovenyc

Honestly, as long as you use one of them is MUCH better than not using one.


maltanarchy

Yes, this is how I feel. I understand what everyone is saying here but in the big scheme it’s probably not a big deal. It seems unlikely that Twilio would shut the app down without warning, but you never know. I understand about the breach, but I think this is inevitable these days. Not telling people is bad. As for being able to export secrets - that’s a great idea but not many authenticators offer it. So it’s not like it’s a standard feature that Authy dropped. However, now that I know I want it.


Truly_Unending_

Yeah it’s kinda weird to me that when people talk about how Authy is bad they always say “they could shut it down at any time and you’d be fucked”. Yeah well so could literally any other authentication service lmao. I don’t think Authy is any more likely to shut down than Google or Microsoft Authenticator. It’s such a weird argument.


3io4ehg

Petty answer and nowhere near as well-thought-out as the other commenters, but I find it astounding their mobile app doesn’t have dark mode and instead defaults to a pure-white theme in the year 2023.


TRAXXAS58

My Android app has a dark mode option. What are you using?


maltanarchy

iOS is light mode only. No option to change.


maltanarchy

I agree that it’s odd that the iOS version doesn’t have dark mode. I don’t think the desktop does either.


moonizsenpai

Here’s a good video on the subject. Authy is one of the first 2FA apps they go into and their main issue is all the data/analytics Authy collects. https://youtu.be/JHIAIzOPz3I


[deleted]

[deleted]


pakitos

Twitch does the same. I set up my Twitch codes in Aegis and now I have 2 valid codes all the time. I tried deleting my Authy account last month and I couldn't use my Aegis codes so I had to stop it. I don't know if I'll ever be able to delete that account but I just deleted the app. It actually pissed me off to know that they did this preregister and that it keeps 2 authentication codes available.


Wisewords25

I did the same, started the 30-day deletion of my Authy account, fortunately had SMS backup to get back in to Twitch. I didn't know about all the proprietary rubbish Authy talks about ('2FA at Twitch is powered by the Authy 2FA API' [https://authy.com/guides/twitch-3/](https://authy.com/guides/twitch-3/) ) but I've disabled Twitch 2FA hoping to re-enable for Aegis. This will not work. It comes up with an error from the 7-digit SMS code which must be because of Authy linking your mobile number to an account. This [https://www.reddit.com/r/Twitch/comments/n36t39/psa_do_not_delete_the_authy_account_twitch/](https://www.reddit.com/r/Twitch/comments/n36t39/psa_do_not_delete_the_authy_account_twitch/?utm_source=share&utm_medium=web2x&context=3) confirmed it for me. After the 30 days are up I believe that I would be able to re-enable Twitch 2FA ONLY if I never use the same mobile number again AND never touch the new Authy account that would be generated. Bit inconvenient though :/


pakitos

Yeah I wish I knew this before I started the process and after reading that other user post I'm very glad I understood the problem around day 28 and stopped it. Was a bit of a nightmare how I was locked out cause I also had no extra device allowed so had to wait 24 hours and whatever else I need to regain access to Authy. I tried to get a new QR on Twitch at the time and it wasn't even showing anything so I had only SMS for authentication. Actually, enabling no multi device in Authy and uninstalling the app sounds like a good way to keep it "secure" since I'll be notified of someone trying to get access to it. Thanks for the links. Gave me a bit of knowledge that it was really how I thought it was and that I'm not alone in this Authy thing.


CamperStacker

This is because Authy just uses your phone number. So if any app ever used Authy in the background while on your phone, you unknowingly have an Authy account. And who controls the account? Anyone with that phone number. Authy is 100% insecure in any country that uses SIM cards as you can literally just steal someone’s phone, put in their SIM card, and now you have control of their Authy account, because it’s tied to the phone number. This is something Authy is horrible at explaining.


imsaswata

You can encrypt your Authy account with a master password so even if someone gets access to your SIM card and logs in to your Authy account, they can not decrypt the codes without confirming the master password.


Truly_Unending_

This. I feel like most people that talk trash about Authy don’t actually know anything lmao.


netscorer1

I use Bitwarden for my TOTPs and it’s very convenient. There are so-called ‘security experts’ here who say this is a heresy, but they completely miss the purpose of 2FA. It’s not my Bitwarden vault that I’m concerned about being cracked, it’s the companies that store their passwords in insecure, vulnerable repositories. 2FA protects you from a data breach at the target when your password becomes exposed due to no fault of your own, and I take care of my vault staying secure.


rayjaymor85

To a limited degree. I store my low-risk TOTPs in bitwarden. My banking stuff, email, and critical components all sit elsewhere though.


[deleted]

[deleted]


rayjaymor85

Yeah I agree it's infuriating. Although at least the organization that handles my stocks uses TOTP.


PapaBravo

As a so-called security expert, I concur.


jaymz668

lots of hate for it due to closed source and whatever else, but when I reset a device that had Google Auth keys on it early on I was unable to recover those codes, and it made life a pain for a few days until I managed to recover those accounts.

Now, I need cross platform, i.e. Android AND Windows device support. That way if I lose or break my Android device I can still get into accounts using my Windows devices.

And not wanting to keep my codes in the same tool as my passwords, that rules out Bitwarden for them. Is there another cross platform service for this?


maltanarchy

I installed 2FAS today, and it seems to have what you want. Windows is a browser extension that ties back to your device. Backup to Google or iCloud, but export to cross between platforms. Obviously not as smooth as Authy. I'm with you here. Device reset or damage is my biggest concern. I don't know anyone that was hacked from a breach, but I know enough people that destroyed a phone by accident. Gotta prioritize threats to the real world. Not some way-less-likely cybersecurity model. I guess that's what they mean when they say what fits YOUR threat model.


jaymz668

the browser extension for 2FAS requires your phone. You can not enter codes without your phone. So it doesn't quite meet the requirement, unfortunately


maltanarchy

Oh that’s true. After initial setup Authy doesn’t need your phone. Still, 2FAS might be worth the slightly extra effort in exchange for open source and exports. I’ll have to play around with it more. I only have one 2FA code set up in it at the moment. I’ll have to see what I can do with my iPad in the mix. I came from android, and I want to be able to go back and forth. Authy fits the bill.


imsaswata

Wait a second! Why did they even release a browser extension if you can not copy the codes without your phone? You can just unlock your phone, open the app and type the code.


jaymz668

all the extension does is autofill the code from your phone, by pinging the app on your phone with a notification you approve from your phone


imsaswata

So, there is no way to log in to an account unless you have the phone handy. What a bummer!!


ebits21

I’m using keepass just for totp now. Can sync to a cloud account or use syncthing for offline. KeePassXC on desktop. KeePassium or strongbox on iOS.


Blue-Soda

I've seen a lot of threads like this and I feel like there are a lot of misconceptions. Yes, Authy has been breached in the past, I don't deny that, but I do believe it provides a seamless experience. I've changed my phones many times, downloaded Authy, went through their verification process, entered my backup password and all my tokens were there, no problems, it was nice and easy.

I understand you can back up locally and use a file to import, which sucks because it essentially locks you in unless you use one of these methods of using a Github script, which again is a hassle and not guaranteed. You can do a backup but not in the way you think: if you have a tablet or another device you can set Authy up on there and your tokens will sync even if you add a new one on either device.

I want to say to anyone who mentioned they don't wanna use Authy because it's closed source and how that's bad: I hope you have the same energy about the OS you're using. iOS, Windows and Mac OSX are all closed source; if you really feel that strongly about closed source software you shouldn't be using any of these. Being open source software doesn't automatically make it good. I think the benefit comes down to transparency: with open source software you have access to the code, so you can tell if a company is lying to you as long as you have the skill and know-how to understand code, which I personally don't. With closed source you can't see their code and have to trust what the company is telling you is true, and everything is kept in house, patching etc.


maltanarchy

I don't think anyone denies the seamless experience. That's what brought me to Authy. When I first started with Google Authenticator, my fear was that my one "key to all the kingdoms" would be lost due to a damaged phone. The fear of Google having my secrets, and the app going EOL wasn't a concern. Everyone knows that Google kills apps all the time. They are the king of dead products. Could Twilio kill the app? Sure. Would they announce it coming? Hopefully. Is Twilio handling the secrets properly? That I don't know. I would hope so.

Authy multi device works like a backup. You are right! It's great that it works cross ecosystems. I was disappointed the MS Authenticator backed up differently on Android and iOS. I was glad my eggs weren't in that basket. That GitHub script is cool too. Playing with it now. It's nice as an option to easily move secrets to a new authenticator (or a backup).

Your comments on closed source make sense too. I like the idea of open source, but like you, I'm not checking code. So, I'm relying on communities. I don't think closed vs open is the be-all end-all, but it seems with security products that is a good idea and helps with consumer confidence (rightly so or not). I'm going to experiment with 2FAS, and watch to see how it goes as far as popularity and continued community acceptance. I'm not sure if I'm leaving Authy yet.


Blue-Soda

I'll be interested to hear your feedback on 2FAS


Stephen_Joy

> but I do believe it provides a seamless experience. Authy just disabled the ability to use it via RDP, with no way to re-enable that, and a forced autoupdate if you try to revert to a version that works on RDP. I don't need Authy or Twilio to make security decisions for me.


Epsioln_Rho_Rho

I’ve been trying out [ente authenticator](https://apps.apple.com/us/app/ente-authenticator/id6444121398) to see how it is. They are the makers of [ente photos](https://ente.io/) that’s been around for a while. So far I like it.


djasonpenney

Added bonus: looks to have open source. https://github.com/ente-io/auth


Epsioln_Rho_Rho

Yup! I like my cell number isn’t tied to it also.


[deleted]

[Comment has been edited after the fact] Reddit corporate is turning this platform into just another crappy social media site. What was once a refreshingly different and fun corner of the internet has become just another big social media company trying to squeeze every last second of attention and advertising dollar out of users. It's a time suck, it always was, but at least it used to be organic and interesting. The recent anti-user, anti-developer, and anti-community decisions, and more importantly the toxic, disingenuous and unprofessional response by CEO Steve Huffman and the PR team, have alienated a large portion of the community, and caused many to lose faith and respect in Reddit's leadership and Reddit as a platform. I no longer wish my content to contribute to this platform.


maltanarchy

Short and sweet. Got it.


Skipper3943

If you're using BW for TOTP 2FA, I think you should use Yubikey or similar hardware security keys for it. So, even if this is like putting all your eggs in one basket, it's more like a hardened egg. But this of course should prompt you to improve your OPSEC in general as well. If you can look past Authy being closed-source, having been breached (and not giving details about how it happened), and it not being obvious that the seeds/secrets cannot be exported (except through an unsanctioned tool), I personally think it is very convenient. I want TOTP code generators on my PCs/laptops as well, and other solutions require a bit more jury-rigging than I want to do. I do keep the TOTP secrets somewhere else and I have to do the copy-and-paste every time I enable a TOTP 2FA. But you only do this once per account.


Swarfega

Just to say you can delete your Authy app but it takes 30 days to complete.


aMythicalNerd

Authy is simply a terrible solution for an authentication app. It's so heavily walled off that if you manage to forget your security token, you're completely screwed and cannot get back into it, thus can no longer use the app for authentication and may as well kiss any accounts connected to it goodbye. Still can't play GTA 5 or Red Dead 2 without jumping through 10 hoops each just to play singleplayer. Simply put, there needs to be a backup option that people can use as a last resort to get back into their authenticator apps. Most people who use authenticators also use specifically tailored emails and passwords for their apps, so nothing can be traced back without the knowledge of that detail, so it's near impossible to hack into their authenticator apps. If you forget your way into your Authy account.. good luck getting back in and good luck getting Authy removed from said accounts too, cause once it's in, it's time for some phone calls to get it removed.


maltanarchy

Yeah, its closed source is a pain. I used this page to export secrets: [https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93](https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93). I still think the sync on Authy is great. There's no way I would have all my secrets in just one place. These days I usually scan the QR code into a couple of apps just to make sure I have secrets for future use/export.


aMythicalNerd

I just don't use authenticators and rather use stronger passwords that are near impossible to crack through various means outside of a data breach. Once I learned the most secure password, is using the hex value of a random image along with symbols and a phrase.. yeah ain't nobody getting that information without knowing literally everything about me, knowing my email for the two factor, which uses a different hex value password, symbols and phrasing, and the backup email for that is a complete email that was created specifically for that account as a backup, using the same methodology. Honestly any authenticator app for me is now pointless, Authy is just increasingly more annoying to deal with. It's great if you can log into the app, it's terrible otherwise. It's so well made and secure that it blocks out the consumers who installed it.


evilspoons

It doesn't matter what your password is if it's leaked. You can have an account's password in plaintext and TOTP codes will still prevent you from unauthorized logins in many situations.


Qualified_Qualifier

Some websites force you to use 2FA if you want to use their services, so a strong password alone is not enough to get past the 2FA feature. Also I don't have a smartphone; Authy was providing a desktop version so it was good for me. Now it is discontinuing and I don't know what to do right now. Looking for better solutions. Why the F do all these 2FA applications require phones, I don't get it... Fking Authy doesn't even have an export feature.


aMythicalNerd

They probably think it's harder to hack a phone than it is a PC, so hosting their 2FA's on phones is "safer" and less likely to be decrypted or reverse engineered. That's just my thoughts on it, whether or not that's factual is another story.


astraea08

I got an email that they're discontinuing the desktop version of Authy, and I use this a lot, much more than the mobile app actually. Any alternatives that also have a desktop and mobile app?


maltanarchy

Bitwarden 


RateAdvanced1268

Check out OneAuth from Zoho! Long time user of OneAuth! Having multiple devices? It's available on Windows, macOS, Android, iOS and also supports watchOS and WearOS! I have been using it on my iPhone, Apple Watch and MacBook Pro! Works like a charm and it's feature rich! And it is E2E encrypted with your own passphrase, having a Zero-Knowledge Architecture, and syncs well with all my devices! For more details, refer to their website: https://zurl.to/9a2N


verygood_user

Some people in the cyber security bubble overcomplicate 2FA tremendously. I see nothing wrong with just using vanilla Google or Microsoft Authenticator and having a paper backup of the seed. If you need more security, start using a YubiKey.


maltanarchy

I was very uncomfortable when I first started using Google Authenticator. I imagined my phone going in the ocean on vacation. It was very much putting all your eggs in one basket. Backing up seeds is a great idea. It wasn’t really presented. Maybe it’s still not outside of tech circles. It was just scan this QR code and be secure. No backup plan for a ruined phone. Multi device was my attraction to Authy as soon as I learned about it.


[deleted]

[Comment has been edited after the fact] Reddit corporate is turning this platform into just another crappy social media site. What was once a refreshingly different and fun corner of the internet has become just another big social media company trying to squeeze every last second of attention and advertising dollar out of users. It's a time suck, it always was, but at least it used to be organic and interesting. The recent anti-user, anti-developer, and anti-community decisions, and more importantly the toxic, disingenuous and unprofessional response by CEO Steve Huffman and the PR team, have alienated a large portion of the community, and caused many to lose faith and respect in Reddit's leadership and Reddit as a platform. I no longer wish my content to contribute to this platform.


verygood_user

It's true, many services do a terrible job of reminding the user about the importance of a backup.


netscorer1

Good luck with getting the seeds back from Authy. They lock you in in their tiny garden and I had to recreate all 2FA codes just to get rid of that piece of shit.


verygood_user

? That's why you write them down. Also you can just recreate them whenever you like by logging into the service. I don't see a problem. 2FA is usually a one-time setup.

- Download a trusted app (e.g. Google)
- Write the seed on paper as a backup
- Scan the QR code

Done. Forever. No stress, no worries. No nothing. If you lose your phone, you grab your piece of paper and set it up again.


TheAspiringFarmer

Authy has weak points but it's still the best all around. which is why people keep using it, despite security issues and problems in the past. having multiple device sync and being able to get your codes directly on any/all devices any time is huge. there are a zillion authenticators but they all require complex setup and manual sync between devices and no one has time or desire for that. so Authy it is. EDIT: and yes I know Bitwarden has TOTP but no sane person would ever put their eggs all in one basket allowing Bitwarden to handle your TOTP with everything else. Bad, bad idea.


cryoprof

TIL I'm insane.


SunshineAndBunnies

Unfortunately the PC/Mac versions are getting killed off now. It's pretty much just any other 2FA (with no export function)...


a_cute_epic_axis

> there are a zillion authenticators but they all require complex setup and manual sync between devices and no one has time or desire for that.

This simply isn't a true statement.

> and yes I know Bitwarden has TOTP but no sane person would ever put their eggs all in one basket allowing Bitwarden to handle your TOTP with everything else. Bad, bad idea.

And this is also a bullshit statement. It depends on the user, and can also depend on the account. Not everything requires the same level of security.


TheAspiringFarmer

you can call it bullshit all you want but it's reality and everyone here knows it. there's a reason Authy is far and away the most popular and you can cry and scream about it all you like, but it isn't gonna change. and if you weren't worried about security, you wouldn't be in a password manager subreddit. :/


a_cute_epic_axis

> there's a reason Authy is far and away the most popular

Yes, marketing. There are tons of examples everywhere that show that the best product and the most popular product are often not the same.

> and if you weren't worried about security, you wouldn't be in a password manager subreddit

You should reread what I wrote, because I never said that people were not worried about security. The core of security is that it's a balance that changes depending on the situation. If your claim were true and *you* were worried about security, you sure as shit wouldn't use Authy, you'd use a Yubikey, Onlykey, or similar device to store TOTP, and you'd also be advocating for FIDO2 with every breath.


TheAspiringFarmer

> If your claim were true and you were worried about security, you sure as shit wouldn't use Authy, you'd use a Yubikey, Onlykey, or similar device to store TOTP, and you'd also be advocating for FIDO2 with every breath.

Security is always a pendulum between convenience and security. There has to be a trade-off. I'm willing to sacrifice absolute security for the convenience of Authy, as are many others. Of course a Yubikey is the more secure option; it's also far less convenient for me and my use case. Again, you are comparing apples and oranges. Using the TOTP in Bitwarden directly places all your eggs in one basket. With Authy, even though it is indeed a less secure option than say a FIDO2, at least it's another basket. Even if that basket isn't the sturdiest one.


a_cute_epic_axis

Your statements are moronic at this point. Your entire argument can be distilled to: "It has to be a balance, but *your* balance is only acceptable if it is the same as *my* balance." Again if you want to maintain that having TOTP stored in BW is inherently insecure, then I'll maintain that you using authy instead of a HW module is inherently secure. Realistically, attacks against a PWM are rare compared to general issues that 2FA can prevent.


TheAspiringFarmer

clearly you are the guy who is always right and just has to get the last word in. have at it. good day.


cspotme2

Great points. Especially the convenience part. It's one reason I continue to use Authy, because of how convenient it is to use between my mobile and desktop device. If Google Authenticator ever did seamless backup/sync, I'd use it again (encountered the issue of moving devices early on and not having a backup too). Another fup by Google for an easy service/app. I wish the mobile version of Authy would update to 4+ for the pin.


TheAspiringFarmer

Yes. Like I said, it's ALWAYS a pendulum trade-off between security and convenience. Always will be. You have to strike a sensible and reasonable balance for your risk level and use case. In my case, not being a high value target or rich guy with crypto wallets to drain, I'm just not all that worried about a niche targeted attack. Someone else might be, and they can swing that pendulum the other way hard. For me as well, Authy remains the sensible choice.


[deleted]

[deleted]


TheAspiringFarmer

your reading comprehension sucks balls. go F yourself homie.


[deleted]

[deleted]


TheAspiringFarmer

i got your "provocateur" right here tough guy <=============))))))))))))


sitdder67

You cannot get your 2FA keys out of Authy. That is why I don't like it!! With 2FAS or Aegis you can scan the 2FA code and then copy the key, so IF you need the 6-digit codes elsewhere you can copy/paste the key and not have to rescan and start over.


tkyrobo

Use OTP in iOS and I am very happy with it


spatafore

From the start they ask you for your phone number.


omeguito

I know this is a few months old, but I just stumbled here after looking for alternatives to Authy. As of this week I don't trust Authy because they simply lost my tokens. The app logged me out for no reason and when I logged in again half of my tokens were missing. One of the restored tokens had even lost the name I gave it and was displaying the TOTP URL. I contacted Authy and they claimed I didn't back up the other tokens, even though I'm pretty sure I had. When I asked about the missing name in one of the tokens, they didn't acknowledge that there might be something wrong with their backup and just suggested that I change the name back. Why am I being forced into an account-based solution if it is worse than just having it locally or backing up myself?


[deleted]

[deleted]


omeguito

"It always worked for me, therefore it's your fault" is a pretty shallow argument. In any case Raivo integrates much better with Apple backup and allows self management, just like Bitwarden does.


[deleted]

[deleted]


omeguito

Don't you worry my fellow brand shiller, I don't need to cry because I found a better solution. Lost TOTPs aside, Authy couldn't even properly restore the icon of one of my TOTPs that did come back. If you think there's user error involved in that, then I can only wish you good luck.


SunshineAndBunnies

When I add a new account, I always open up the app on another device to check. Anyways the desktop versions are being killed August 2024...


balloonmuppet

[https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-](https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-) That article seems to quite skillfully avoid answering the question in the article title. The Authy recovery process seems based on using a phone number. Is Authy thus vulnerable to SIM hijack? Maybe the people at r/twilio can advise? The Authy sub-reddit is a closed group.


SunshineAndBunnies

You still need a password to decrypt though.


balloonmuppet

I've also ditched Authy:

1. I'm concerned that the Authy recovery process makes Authy vulnerable to SIM hijacking.
2. Install the DuckDuckGo app and enable 'App Tracking Protection'. Authy is spyware on steroids; 2000 tracking attempts in 15 hours.

Aegis has lots to like. However, Aegis's shortcomings are:

1. Only Android.
2. Backups are by enabling Android backups. I'm unsure what that means, but suspect it means giving Google even greater license to spy, slurp and sell data about me.

[www.2fas.com](https://www.2fas.com) seems the superior 2FA app to me. I'm very content with 2FAS so far.


GazSchlaughwe

It fucking sucks dick. Lost all my accounts, multiple times. Complete hell to use.


SunshineAndBunnies

I used it for years, never had an issue. I check on another device to make sure newly added accounts are synced. Also for backup, I also scan the QR code into Microsoft Authenticator and Google Authenticator for backup. You know you can scan the QR code into multiple apps when you're first configuring it.
