Hackers Claim to Have Stolen Phone Numbers of 33 Million Authy Users

Originally published at: Hackers Claim to Have Stolen Phone Numbers of 33 Million Authy Users - TidBITS

If you published a two-factor authentication app, wouldn’t you require authenticated requests to all endpoints?

Time for a comparative survey perhaps and a review of current options. I don’t use Authy, work requires MS Authenticator and I also use OTP Auth, although I cannot recall what prompted me to take it up.


I’m a bit confused here, probably because I don’t use Authy. Why do they have your phone number in the first place? What is the Authy account used for?

I use Google Authenticator for my 2FA and although I do have a Google account, it is not needed to use Authenticator and my installations aren’t configured to use it (Google Authenticator is only used to sync keys between devices, which you can also do manually without any network communication).

You may want to look at: Comparison of OTP applications - Wikipedia

That having been said, I use three different packages:

  • Apple’s 2FA. As far as I know this is only for accessing various iCloud services. When a code is required, my iPhone, Mac and (I think) iPod touch all ask me, and if I accept, they present a code.

    As far as I know, Apple’s 2FA codes are generated on-device and the keys are synced via iCloud. A device not logged in to your iCloud account cannot generate codes.

  • Google Authenticator. This is a pretty straightforward app running the industry standard TOTP algorithm (RFC 6238). It allows creation of new keys via manual entry or via a QR code that encodes the key using a standard URI schema.

    Google doesn’t provide an easy way to transfer keys to a different app running the same TOTP algorithm. They provide an export mechanism which generates a QR code containing many keys, but only other installations of Google Authenticator can import keys from the URI present in this code. But maybe this will change in the future, because there is at least one open source project that can extract keys from this URI (it’s basically a Base32 encoding of a Google Protobuf structure).

    Google also allows you to synchronize keys between devices automatically using a Google account. In which case, all devices logged in to the same account will see the same keys. This feature is optional. I don’t use it.

  • Okta Verify. This is for my employer, who uses the Okta system for remote authentication. After providing login credentials, the Verify app is a second factor, either providing numeric codes (like most 2FA systems) or via push notifications, where the server tells my installation to generate an on-device notification, so I have only to tap the “yes it’s me” button to authenticate.

    This is very similar to how Google’s 2FA works if you have an Android phone.

You ask an interesting question.

I can’t say that I find the answer to it on their help pages satisfying:

I use the OTP feature within Strongbox.

I have OTP Auth on my mobile devices, though I’ve never used it so far. But it seemed the highest-quality and most trustworthy freestanding app I could find (and the Pro version is, as best I can tell, a one-time purchase of $3.99).

I’ve used Authy before (long ago) and I know when I installed it the first time on a new device it asked for the phone number - it was your way of logging in to get your stored codes. It’s part of the reason why I don’t use it anymore. Another is that the UX is not great compared with other solutions. At the time I was using it, I was using an Android phone and an iPad, so the cross-platform ability was a nice feature. After switching everything to an iCloud syncing platform, I don’t need it.

Now I use a solution that doesn’t sync; I have a way to recreate my login codes from the QR codes or the associated secret key when I set up on a new device. I know that I can use 1Password for this, but I really prefer not to have both my password and my 2FA in the same app/location.

Anyway, that said: since I once had an Authy account, I assume that my number was included in this as well. The last time I used Authy I deleted all of my 2FA codes from the app, made sure that it synced to another device empty, and then removed the app and recreated all of my 2FAs using my current storage method and app, so there should be nothing there of any use at all.

I agree, it’s not satisfying. If they’re tying your account to a phone number, then it means you are vulnerable to SIM-swap attacks. And if that’s the case, you’re no better off than using SMS for your 2FA.

IMO, they should use their own app (maybe via password and a non-removable 2FA code generated at account creation time) to authenticate your access. Yes, it means that if you uninstall your last copy of the app and never exported the code elsewhere, you won’t be able to log in again without getting their customer support people (assuming there are any) involved, but if you want actual security, that’s the kind of thing you should expect.

I personally like the fact that my Google Authenticator is just like that - no servers have the data. If I’m dumb enough to lose my last copy of the keys, then they’re gone forever. As I think it should be.

Just to clarify, Google Authenticator supports code sync across devices with your Google account if you so wish. Which is relatively new - when it first started on iOS several years ago there was no way to back up codes, sync them, etc.

Authy not only requires your phone number and PIN code (or Face ID / Touch ID) for authentication, but it will only work on devices you have previously authorized. To authorize it to work on a new device, you must, from an authorized device, toggle a switch to allow authorizing a new device. You then authorize the new device (getting confirmation using the current device) and turn the authorization switch off.

So, having a list of Authy users’ phone numbers doesn’t break the security of their 2FA process. You also need control of a device previously authorized by one of those users.
