I’ve been using Step Two on my Mac along with Authy. But I just deleted the 2FA from the few websites that I used Authy for and deleted Authy. I noticed a couple of new accounts in Authy today that I never set up. In a web search, I found out that there was a recent breach at Twilio, who owns Authy.
I also had Authy on my iPhone. I deleted that and downloaded Google Authenticator to set up 2 important accounts again. I deleted the other accounts.
It’s been a year and a half since authenticators were discussed in this forum.
I’m using Google Authenticator. But I do not have it configured to share keys with my Google cloud storage. I manually sync keys between my devices using its ability to export keys to a QR code and read that code from another device.
As an app, it works well and implements the TOTP algorithm without any proprietary changes (as far as I can tell).
There was an Authy breach a little more than a year ago, but it appeared that only around 250 individual users (out of 75 million users) were impacted to varying degrees, suggesting it was a highly targeted attack. That’s definitely bad news, but I am not sure there are many enterprise tools that can successfully withstand a highly targeted attack against a small number of specific users by a sophisticated, determined attacker, like a government.
I still keep Authy up to date, but I’ve transitioned nearly all my 2FA accounts to 1Password, which enters the code automatically for me. So, so much easier than fussing with a separate app and copy-and-paste or retyping.
On the iPhone I’m using Google’s Authenticator because on campus we’re a Google shop and that’s how I started with 2FA.
However, on my Macs I use Authenticator App (MAS link) instead because it’s very bare bones (at least the free tier is), MAS says no data linked to me, and it can live hidden in my menu bar where just clicking on its entries will simply copy the code to my clipboard, which makes using 2FA such a breeze. I do not rely on any cloud syncing for these, as work stipulates we can only do that using Google and I try to keep a healthy distance from Google and their cloud stuff when I can.
I’m using 1Password (7). It’s on all my Apple devices and always available. It would also be on Windows devices if I owned any at the moment (I’ve needed one or two for work in the past and 1PW was on them).
It’s going to be a long wait. FWIW, Amazon now supports passkeys, and I have one, but it didn’t remove passwords as an option - it asks each time you log in which you want to use - and it still uses the 2FA, even if you log in with the passkey.
Perhaps I’m misunderstanding that, but the account has no say in the matter. It just generates a key (a random number generator seed), which you enter in your authenticator app (usually by scanning a QR code). The account has no way of knowing whether you enter the key in multiple places or not.
Sorry, I wasn’t clear. A few (at least one, I think, though I can’t remember the details) accounts let you add another 2FA setup to the account, allowing you to enroll a second app without disabling the first one. But that’s unusual—most force you to reset the 2FA setup to switch from one authentication app to another.
I’ve always added the 2FA codes to both Authy and 1Password, just in case.
Yes, although even worse, the password option is the default, and choosing to use a passkey requires pointing and clicking a “Sign in with a passkey” button, then doing the same again when a “Sign in with a passkey” window with its own “Sign in” button pops up.
Apps and web sites that use TOTP generally provide no mechanism to export the key associated with your account. This is deliberate. So yes, if you tell it to register a new device, it will generate a new key (likely deleting the old one).
But that having been said, the QR codes used for installing these keys are simple URL links using a standard scheme. Most authenticator apps can read these QR codes to import the corresponding keys. And if you use an app that lets you export your keys as a QR code (e.g. Google Authenticator), then any other app can import from that QR code.
So if your current app will let you export keys, you should have no problem importing them to another app. Which is how I can access my 2FA codes on all my mobile devices (Android phone, iPhone, iPod Touch).
Looks like Google Authenticator might have the ability to export accounts since that was how they got around the problem of not being able to bring along 2FA accounts when you got a new iPhone. But do any other apps provide that feature? Authy and 1Password don’t seem to, from what I can tell.
The iOS/iPadOS/MacOS app OTP Auth does allow this, by showing a QR code (or Base32 “secret”) that you can scan from another device (or enter with the secret).
Well, this is worrying. I have 4 authenticators on my phone and 2 of these on my desktop. They are Authy, Google, Microsoft, and one required by a financial company. I could switch all the 7 accounts in Authy to one of the other apps but it is neither obvious nor simple to do. As far as I can tell neither Google nor Microsoft provides a version for macOS. It can be argued that this adds an extra layer of protection as two devices are then required for logon from a desktop.
So I have two questions. (1) How serious is the Authy breach? I’ve seen various reports and it appears fewer than 300 users were affected but that is still 300 too many. (2) Should I switch to another app?