In the space of the afternoon after reading this article, I removed SMS 2FA from all my accounts, installed Authy, added all my accounts to it, found out Authy is also insecure[0], reconfigured it to be less insecure, and basically despaired.
My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
A lock on your door is obviously insecure, but can work because it introduces friction for the burglar, while there are other targets around. It's a similar principle at work for online security. Some amount of protection coupled with the statistical likelihood of being targeted already goes a long way.
After reading a similar article on HN a year ago, I too decided to use Authy but then realized that it was vulnerable to the same methods. I eventually decided to use andOTP[1].
While it doesn't automatically sync across devices, it does allow you to create backups[2] which can be encrypted with AES or your PGP key. Just store this in Dropbox/Drive/Box and offline storage and you're good to go.
> My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
[0] https://medium.com/p/1367f296ef4d#681f