Companies need to stop using Authy. It’s stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
Authy got hacked, and 33 million user phone numbers were stolen
Submitted 4 months ago by SandbagTiara2816@lemmy.dbzer0.com to technology@lemmy.world
Comments
Scrollone@feddit.it 4 months ago
TheEighthDoctor@lemmy.world 4 months ago
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
Lem453@lemmy.ca 4 months ago
Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
dev_null@lemmy.ml 4 months ago
GA now backups your codes in your Google account, so this doesn’t happen anymore.
I_Clean_Here@lemmy.world 4 months ago
This isn’t about you and your silly follies
laurelraven@lemmy.blahaj.zone 4 months ago
I’ve started putting mine into my Bitwarden vault as well as Google auth, mainly because I’m a bit paranoid I’ll wind up locked out of something by trusting a second factor too much
iamericandre@lemmy.world 4 months ago
Call my job and tell them this please. I have to use this shite everyday and it sucks.
lazynooblet@lazysoci.al 4 months ago
I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.
I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.
Blackmist@feddit.uk 4 months ago
You know it’s bad when people recommend something made by Google over it.
CombatWombat1212@lemmy.ml 4 months ago
Red Shazam
Mr_Dr_Oink@lemmy.world 4 months ago
Wow, it’s literally the shazam logo, flipped horizontally and red.
Wonder who got paid to make that logo?
ugjka@lemmy.world 4 months ago
I realized long time ago that I don’t want my 2FA be tied to my phone number. And then i found you can’t export your data from Authy because they know they are scummy fucks and don’t want to anyone to leave
maryjayjay@lemmy.world 4 months ago
You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.
todd_bonzalez@lemm.ee 4 months ago
People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?
You’re gonna leave Authy a copy of your seeds? That defeats the purpose.
Re-key your MFA codes on the way out. Security isn’t necessarily convenient.
aliceblossom@lemmy.world 4 months ago
Do you know what it’s called? I’d like to do this if possible.
Gestrid@lemmy.ca 4 months ago
then i found you can’t export your data from Authy
Exporting data from a 2FA app sounds like the opposite of secure. Not to mention you don’t want your 2FA codes on Authy (or any other 2FA app) to remain valid if you’re not using it.
When I switched from Google Authenticator to Authy years ago, I went through each 2FA-enabled account one by one to disable 2FA and then re-enable it using Authy. It’s a long process depending on how many accounts you have 2FA enabled on, but it’s worth it.
fine_sandy_bottom@discuss.tchncs.de 4 months ago
If you can’t export / save / transfer codes then you need to regenerate all your 2fa codes every time you switch to a new device.
2FA doesn’t need to be infallible, it just needs to be a second factor.
can@sh.itjust.works 4 months ago
So what did you do?
canadaduane@lemmy.ca 4 months ago
On Android, I replaced Authy with open-source Aegis app. It’s just as functional, allows exporting, and doesn’t tie your data to your phone number (or store it on a central system–not sure if Authy does this or not).
Contravariant@lemmy.world 4 months ago
Use TOTP wherever possible. It’s standardized, and typically can be found somewhere if you keep digging hard enough.
Plenty of services push their own proprietary systems hard though. Looking at you M$
Srootus@sh.itjust.works 4 months ago
I used This method to export my twitch 2FA to Aegis. although I did this a few years ago, I think it still works
can@sh.itjust.works 4 months ago
Wow, that was one of the things that drew it to me in the first place. I break phones too frequently to feel comfortable leaving everything to them.
net00@lemm.ee 4 months ago
Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?
Unfortunately I can’t use aegis on iOS/windows, does keepass have this functionality?
CaptPretentious@lemmy.world 4 months ago
Bitwarden would be my vote
kahdbrixk@feddit.de 4 months ago
Just out of curiosity: is it wise to keep you MFA within your password safe? Like is that not the opposite of multi factor? I’m no troll, I’m seriously uninformed.
riplin@lemm.ee 4 months ago
I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.
geography082@lemm.ee 4 months ago
This
foremanguy92_@lemmy.ml 4 months ago
Aegis
snek_boi@lemmy.ml 4 months ago
These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.
lud@lemm.ee 4 months ago
Doesn’t synced solutions completely defeat the purpose of MFA?
Natanael@slrpnk.net 4 months ago
Most KeePass clones have it now, i use Keepass2Android plus KeePassX on PC
AbsoluteAggressor@lemmy.dbzer0.com 4 months ago
padge@lemmy.zip 4 months ago
I like 1Password’s built in MFA support, if it’s a really sensitive account I use Google Authenticator because I haven’t bothered researching better local alternatives
mint_tamas@lemmy.world 4 months ago
You are not any more secure with google authenticator for 2fa, are you?
Veraxus@lemmy.world 4 months ago
Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.
ruse8145@lemmy.sdf.org 4 months ago
I use this on my windows machines, offline , has biometrics, supports export and import from aegis.
Clandestine@lemmy.zip 4 months ago
I’d recommend 2FAS Auth
azalty@jlai.lu 4 months ago
Yup it’s pretty good, although I would’ve liked it better if they provided a good way to export the data to another app
NotMyOldRedditName@lemmy.world 4 months ago
Buy a few (at least 2 for a backup) yubikeys.
Much more secure.
You can store the TOPT codes on them, but then you can also do all the higher security things too.
Cyberjin@lemmy.world 4 months ago
I’m using aegis, but maybe Proton Pass could be good?
sem@lemmy.blahaj.zone 4 months ago
It’s good
HEXN3T@lemmy.blahaj.zone 4 months ago
USB keys. Good luck getting one of those hacked.
krash@lemmy.ml 4 months ago
To be more concrete: security keys can communicate over USB or NFC. Just make sure it supports the protocol you want to use it for.
But there is also passkeys which is both software- and hardware based and is almost equally secure.
Mothproof3007@programming.dev 4 months ago
KeePassXC does have this functionality on desktop as well as on SOME android apps (no idea for iOS). For android I like KeePass2Android Offline, iirc it was recommended on the official KeePassXC website (you may want to check it out).
Interstellar_1@lemmy.blahaj.zone 4 months ago
welp
mobsenpai@lemmy.world 4 months ago
lol. I am glad I became privacy conscious before this happened.
snailfact@infosec.pub 4 months ago
did they have 2fa on?
Agent641@lemmy.world 4 months ago
Of course. It was on the office phone that gets passed around to whichever tech is on call. The on-call tech left it at Mcdonalds accidentally.
FlavoredButtHair@lemmy.world 4 months ago
Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.
can@sh.itjust.works 4 months ago
What do you use now?
canadaduane@lemmy.ca 4 months ago
Check out Aegis if you’re on Android. (See my other comment).
9point6@lemmy.world 4 months ago
Does anyone have a suggested alternative for authy?
I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:
Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.
At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.
I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
beerclue@lemmy.world 4 months ago
I use Aegis, which I periodically back up manually off phone.
9point6@lemmy.world 4 months ago
(reposted from another comment mentioning aegis)
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
ryannathans@aussie.zone 4 months ago
Sames, aegis ftw
ikidd@lemmy.world 4 months ago
Bitwarden has 2FA built in, and you can host it yourself if you want.
9point6@lemmy.world 4 months ago
I’ve looked into this before and unfortunately it doesn’t support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?
Matth78@lemm.ee 4 months ago
9point6@lemmy.world 4 months ago
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
notabot@lemm.ee 4 months ago
If you’re talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.
That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.
Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn’t need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn’t need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with
gpgsymmetric encryption so you don’t have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend’s address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you’ll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they’re sure it’s you. To be more secure, split each code into two halves and have each held by a different person.
narc0tic_bird@lemm.ee 4 months ago
Why does it require a phone number to use?!
___@lemm.ee 4 months ago
Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.
bleistift2@sopuli.xyz 4 months ago
I hate, hate, hate that companies force 2FA on me just because goddamn Susans use ‘password’ as their password on every goddamn fucking app. My password is safe. It’s long and it contains ALL THE CHARACTER CLASSES. Fuck off with your fucking 2fa!
pineapplelover@lemm.ee 4 months ago
Weren’t they hacked last time? Is this old news or a new hack they never learned from?
Tregetour@lemdro.id 4 months ago
Bell curve meme:
Grug: A file on my computer (/Desktop/passwords.txt) Zoomer-looking midwit: Cloud connectivity! Phone numbers! Biometrics! Just install the app! Less than a cup coffee per month! Backed by FAGMAN! The monk: A file on my computer (KPXC)
Mio@feddit.nu 4 months ago
I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.
Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.
kitnaht@lemmy.world 4 months ago
‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
just_another_person@lemmy.world 4 months ago
Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.
kitnaht@lemmy.world 4 months ago
Exploit. The system worked as intended, just without a rate limit.
downpunxx@fedia.io 4 months ago
i'm in
NateNate60@lemmy.world 4 months ago
With due respect, you are wrong.
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Wiktionary
NateNate60@lemmy.world 4 months ago
With due respect, you are wrong.
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Wiktionary
Cornelius_Wangenheim@lemmy.world 4 months ago
Yeah, that’s what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn’t be able to do.
I_Clean_Here@lemmy.world 4 months ago
This isn’t about being pedantic but sure, mate.