They intentionally make it really hard to migrate your data off their app under the premise of "security". Now, they are EOL'ing desktop apps, which are extremely convenient to use, despite the terrible UX.
The process for exporting is doable, but requires fairly deep technical knowledge and it isn't 100% clean. In order to do so, you need that desktop app and a specific version at that.
Important point from that Reddit Bitwarden thread:
If you migrate to another app and then delete your authy account, you risk having 2FA removed for some integrated accounts if they're set up to directly use the Authy backend. Twitch in some cases was pointed out.
Twitch refused to return me access to one of my accounts for this exact reason (the account that had subscriptions on it was returned, the one without was not).
I've abandoned a twitch account because of 2FA nonsense. If you set a phone number as your 2FA and then lose access to it you're screwed. They don't care.
In case anyone is looking for a desktop app to replace Authy, the authy-migration tool from token2 supports exporting TOTP seeds in WinAuth compatible format (use .wa.txt for the export file name). Then in WinAuth (https://winauth.github.io/winauth/index.html), just import that file.
I have a rooted Android phone and with a simple su and cp I copied the Authy XML to another folder which you can import into the app Aegis directly (from there you can export further if you don't like Aegis). I'm currently looking at Ente Auth because it's end2end encrypted and also provides a web UI for viewing the codes. Or I use another Keepass file.
I used this and it worked very well. Not perfectly.
Because Authy doesn't have icons for a lot of services, I stored info as twitter:username, google:username, etc. The script dropped the service name on about 10 of those, just showing the username.
I "imported" the list of QR codes into 2FAS by using my iPhone's camera. Where there wasn't a service, it would say "Service 1", "Service 2", etc.
I then went back through with 2FAS on one device and Authy on another, matching the "Service 1" to "Bubble", for example, because the TOTP codes were the same.
The one service that didn't seem to transfer was Facebook, which I have in Authy but didn't show up in the QR code list.
Several codes in Authy were duplicates, meaning that service:username was the same. 2FAS asked if I wanted to overwrite them. #1, I don't think Authy should allow the same string more than once and #2, again, a simple alphabetization would make maintaining and using Authy more agreeable.
Actually, it looks like Authy will show "twitter:username" in the compact list but doesn't show that (just "username") on the icon view unless I'd manually added them. So it wasn't stripping service names, I hadn't added them.
Still puzzled about why Facebook wasn't transferred.
I have found Authy to be reliable and I like having the TOTP codes on multiple devices. I have a powered-off iPhone at a friend's as one way to access my codes. I don't like the apathy that Twilio has shown it and I don't like the inability to export.
And they try to lock you in to their own ecosystem. If you use sendgrid, it requires an authy specific 2fa code that can only be generated in their app.
I installed Authy on a rooted phone just to yoink the SendGrid token out and put it in our usual shared authentication service. Such a pain in the ass. I would highly recommend against SendGrid in basically all circumstances fwiw.
Yes, and, if you create a SendGrid account and therefore an Authy account, this may immediately enroll other accounts of yours on entirely unrelated websites/services/platforms into Authy, presumably by correlating your phone number. (Even if the email address is different!) This includes big sites like Twitch, and also includes sites where you had selected the "only allow 2FA via security keys" option. Of course some of the blame here probably falls on those platforms, but both the fact that this is possible and the fact that Twilio encourages these patterns are reprehensible.
> I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.
I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
If someone gets access to your unlocked PC/phone, don't they then have access to both? Do you store your TOTP vault password in your password vault (obvious)?
If someone gets into your password vault, why wouldn't the same mechanism also let them get into your TOTP vault? (This applies whether it's brute force, keylogger, hardware exploit, or $5 wrench.)
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
If Bitwarden is compromised, like LastPass was. Of course the vault should still be encrypted, but I don't want to rely on a single company managing everything correctly. It seems much less likely that two different companies will be compromised at the same time.
That's been my attitude: both are keyed to my Face ID, otherwise encrypted. My phone times out really quickly if I'm not typing away on it. I feel relatively safe. I wonder though how much longer they will maintain the phone apps. All my desktop versions are verified from my phone, so them dropping the desktop sucks but isn't catastrophic.
Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.
>Generally the threat model that TOTP protects against is not someone breaking into your device.
And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's yubikey.
Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.
If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.
> How is it secure if the only thing an attacker needs is a single method of accessing a single device?
You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.
In other words, you replace the model of having password+TOTP for every account, to having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.
> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
Key logger?
I unlock my password vault frequently. I only unlock my TOTP vault to:
1. Add a new secret
2. Recover access to an account if my authenticator has died.
Since I unlock my TOTP vault so infrequently, the number of hashing rounds/etc are tuned to be _much_ slower and require _much_ more memory. It uses an entirely separate set of credentials from my main vault. And you're unlikely to snag the password unless you're watching me for a long time or get very lucky.
Wow, this might be the answer to a question that's been bugging me for a while!
It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.
But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.
But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness cause it's on a single device, and is low friction cause it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP specific password database that's synced around but opened only rarely (in the cases you described).
Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.
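As an added example of the "rarely opened, deliberately slow" vault described above (not KeePass code, and not the commenter's setup): a vault header with a random salt, a named KDF cost profile, and a key-check value, so a wrong password is detected without touching the encrypted body. Python's stdlib has no Argon2 (which KeePass KDBX4 uses), so hashlib.scrypt stands in as the memory-hard KDF; the profile numbers, the "vault-key-check" label and the vault record layout are illustrative assumptions.

```python
"""Added example: a 'daily' KDF profile for the main password vault and a much
slower, memory-hungrier 'cold' profile for a TOTP vault that is opened only to
add a secret or recover an account. scrypt stands in for KeePass's Argon2.
Profiles, labels and record layout are illustrative assumptions."""
import hashlib
import hmac
import os
import time

# scrypt needs roughly 128 * r * n bytes; n must be a power of two.
# These numbers are illustrative, not KeePass defaults.
PROFILES = {
    "daily": {"n": 2 ** 14, "r": 8, "p": 1},   # ~16 MiB: unlocked many times a day
    "cold":  {"n": 2 ** 16, "r": 8, "p": 2},   # ~64 MiB and twice the work: opened rarely
}
MAXMEM = 1 << 30  # cap handed to OpenSSL; nothing allocates this much
KEY_CHECK_LABEL = b"vault-key-check"  # assumed label; any fixed constant works


def estimate_memory_bytes(profile_name):
    """Approximate RAM one derivation (and therefore one attacker guess) needs."""
    pr = PROFILES[profile_name]
    return 128 * pr["r"] * pr["n"]


def derive_vault_key(password, salt, profile_name, dklen=32):
    """Stretch the vault password with the chosen cost profile."""
    pr = PROFILES[profile_name]
    return hashlib.scrypt(password, salt=salt, n=pr["n"], r=pr["r"], p=pr["p"],
                          maxmem=MAXMEM, dklen=dklen)


def create_vault(password, profile_name):
    """Header for a new vault: random salt, KDF profile and a key-check value.
    The TOTP vault should get its own password, separate from the daily vault."""
    salt = os.urandom(16)
    key = derive_vault_key(password, salt, profile_name)
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "profile": profile_name, "check": check}


def open_vault(vault, password):
    """Return the vault key, or None if the password is wrong. Every guess costs
    the full KDF, which is what makes the slow profile worthwhile."""
    key = derive_vault_key(password, vault["salt"], vault["profile"])
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, vault["check"]) else None


def benchmark(profile_name, password=b"benchmark-only"):
    """Seconds one derivation takes on this machine with a fixed salt."""
    t0 = time.perf_counter()
    derive_vault_key(password, b"\x00" * 16, profile_name)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for name in PROFILES:
        print(f"{name:5s} ~{estimate_memory_bytes(name) // 2**20} MiB, "
              f"{benchmark(name):.3f} s per unlock")
    vault = create_vault(b"totp-vault-passphrase", "cold")
    print("cold vault opens:", open_vault(vault, b"totp-vault-passphrase") is not None)
    print("wrong password opens:", open_vault(vault, b"guess") is not None)
```

Tune the "cold" profile until an unlock takes as long as you are willing to wait on the rare occasions you open that vault; in KeePass the equivalent knobs are the Argon2 memory, iterations and parallelism in the database settings.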
I use iCloud Keychain because I use a Mac, iPad, and iPhone.
I use Authy with Face ID protecting the entire app on my phone. I don't use the Desktop app because it won't use Touch ID, meaning I have to type in a long master password.
I don't see an attack as likely to happen (I own no Bitcoin, not a billionaire, not in charge of anyone else's secrets) but if there was a flaw that let somebody access the passwords on my Mac or iPhone, they'd still need the 2FA codes from my phone. I think that's more likely to happen on the Mac because I do have apps downloaded from somewhere else besides Apple's App Store.
My guess is that most of the people who worked on Authy have fallen by the wayside after the Twilio acquisition. It's annoying every time I have to search the boxes on my phone or the list on my watch: can't we please have alphabetization?
I had the same problem and didn't want to keep all of my eggs in the same basket, plus I lost faith in these backup apps after Google Auth lost user codes at some point.
I decided to create a private backup which I control and so I built a client-side web app that encrypts QR codes (like 2FA codes). It was inspired by a similar CLI based project I saw here on HN. I still use Authy (for now) but now I have encrypted images that I can decrypt and rescan easily. And since they're just images I saved them in various places and even printed out copies should I lose my phone or Authy access.
To 'migrate' my codes out of Authy I just went through each site and regenerated the codes (plus encrypted them). It's annoying that they force you to do this but doesn't take too long.
I'm still polishing it up but it works well and I would love some feedback if there's anyone who finds it useful - https://encrypt-qr-codes.netlify.app/
> not sure how I feel about passwords and totp being in the same app
I felt the same way and I've come to realize that it is not a big deal. One advantage is that with a shared password manager account, you can also share the TOTP along with it. Very convenient for a bunch of usecases.
The way I see it, your password manager becomes the central point of failure. Therefore, secure your password manager with a hardware security key (yubi). Not all accounts stored in a password manager are created equal... some need more security than others. If there are accounts that you want additional 2FA security on, just use a separate TOTP app. It doesn't have to be an all or none option.
The second factor is not meant or designed to save you against a compromised PC or phone (your session or cookies could probably be stolen more easily even with the second factor on another device). Many people have passwords and TOTP on the same phone too. The second factor is more meant to verify that you are really you to a web site and safeguard your account on that web site.
I've moved over to Proton Pass (you can do TOTP on the desktop through a browser, I figured if I'm authenticating into a site I must have internet) but KeepassXC was a strong contender. Both have excellent mobile support and Keepass has native desktop clients.
Proton Pass isn't free, though, but I already had their services.
I used to use it, but the author refuses to publish a desktop app. I actually was able to install the iOS app on my desktop, but if I ever remove it, it is gone forever because he revoked it from the appstore. He only wants you to use the desktop receiver.
It is also buggy af and doesn't sync properly. He's pretty much not doing any more updates of the app either.
That experience pushed me off it forever.
Edit: The app has been acquired by a third party. I'd move off it.
I'd say password managers are a (slightly weaker) form of 2FA by design: it's something you have (a device with your password database installed) plus something you know (if using a master password) or something you are (if using biometrics).
Adding TOTP on top of that helps guard a bit more against some kinds of attacks. You can make it even stronger by not storing those keys in the same place and only using your phone, for example, but for some people (myself included) it's one bit too inconvenient. The good thing about using TOTP for 2FA is that you can find your own balance between convenience and security.
KeePass databases with KeepassXC. I like to use Strongbox on macOS/iOS though (still save to Keepass databases though so I don't have to depend on Strongbox).
Getting a user to install software on a desktop is probably one of the hardest things for a company to ask for in 2024. It's wild that you would have built up a userbase of ... tens of thousands? ... of technically knowledgeable people who want your product, get them to install and rely on your product on their actual 2024 desktop computer where they do actual work, then have some decision makers determine "ok time to pull the plug" and you actually follow through with that. It's just incomprehensible.
I agree, seems short-sighted - they could have even just started charging a bit for it to keep it alive if necessary.
No surprise though, after a fantastic start, Twilio has turned into a sh*t company, unfortunately - I was a very early adopter of many of their tools and services, and 1 by 1, they have all gone downhill.
They should have sold the company while it still had a decent reputation, at this rate there will be nothing of worth left.
The solution is to have a cheap phone that you sync with your authy. I had the trifecta with my desktop, now I just have one backup device because of this change.
The downside to this, is that you're tied into Apple's ecosystem. The nice thing about Authy was that I had the same access on Android, iOS, Windows, Mac, and Linux.
I regret immensely that I ever endorsed or recommended Authy.
My experience witnessing the regression and functional decline of this app over the years has utterly wrecked my opinion of Twilio. Although I still have a couple of operational Twilio integrations, I no longer have any desire to use any of their products or services ever again.
Maybe not the only reason, but this was definitely one of the main reasons I used Authy. Over time, the product has been getting progressively worse... When I first started using it there was a Chrome App you could install which was great because it could work on "corporate" machines where I wasn't able to install the desktop app. That went away a long time ago, but at least we had the desktop app on Windows, Mac, Linux. Although, at some point Authy was only available on Linux if using Snap, which ruled it out for me (although there is an unofficial Flatpak now). So now they are getting rid of all desktop apps which will be the end of my Authy journey and this will also be the last Twilio product I use, since I've had recent bad experiences with some of their other products.
That's fair. I should say, it was my main reason for using Authy as there wasn't anything else out there that could do synced mobile and desktop easily for free.
Interestingly, due to how Apple has developed its app ecosystem, it looks like you can still have it on a Mac Apple silicon desktop if you install it via the app store.
> Note: The iOS app will still be available to download on M1/M2 powered Apple Mac devices.
It does work, but it's not first class support, though. You have to enable alternative touch settings if you want to do the "drag to the left to delete a token".
How do folks use two factor auth for 1password logins? It feels wrong to me to use 1password as the second factor for 1password itself. My last remaining authy second factors are for primary email and 1password. All other second factors are in 1password.
- a Yubikey
- a sparingly used email account with no 2FA, just a very long password
2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.
2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.
Of course I feel like all of my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anyway.
Sorry, but my Article and Walmart.com accounts do not need 2FA. I'm fine with OTP, but most places use SMS 2FA, which exposes a unique identifier for myself and -- due to SIM swapping, which is a risk on literally every major carrier due to horrible customer service operations -- often makes it easier for a malicious actor to hijack my account.
You're generally correct, though: GOOD 2FA is not overrated and I would welcome it on any account. But it's obnoxious that almost every account I have uses SMS as a singular point of failure. I'd welcome a move back to email 2FA with a backup email for account recovery.
Small side tangent - I’m on Mint Mobile and enabled 2FA for my account there, which is required for all customer calls. This would stop SIM swapping attacks which are the main failure point for SMS 2FA, right?
I use Authy on my phone and watch, but not Authy on the desktop for exactly this reason; if my computer is compromised and 1password is accessible, they still don't have access to my TOTP codes. Having it on both my watch and phone means I can break a device and not lose access.
I used to use Authy (lol) as my second factor for 1Password and then 1Password for everything else. After migrating off of 1password, I just use Authy for everything...
Yeah, super-ugh. Every 2FA vendor wants to lock you in. I was able to export secrets from GAuthenticator on a rooted phone with sqlite, it looks like that is still possible on Authy too. Another vote for rooting your phone.
I REALLY want to like passkeys, and all these other stronger vendor systems, but the lock in is real. Office365 defaults to their special authenticator, and you have to jump through hoops on the admin side to ensure TOTP is an option. It will be a very real improvement to security for non-tech users, but the refusal to let folks be 100% in control of their key material, and the lazy "it will be available in a later version, we're focusing on the most common use cases" just tells me that the implementers really don't want to do it in the first place: they're waiting for lockin with what's available, and then they'll just say "Well people adopted it w/o this feature, they must not really want it"
There 100% has to be a way for the user to own + backup their own private key material, or these are all just paths for stronger lockin.
Personally, I have a TOTP App (andOTP) with QRCodes on paper in cold storage, keepass-based tools for passwords across platforms, and Syncthing for syncing across these systems.
Unfortunately there is no key exchange format specified in either FIDO or WebAuthN, which I view as a major downside as well.
The closest you can currently get is an open-source authenticator implementation that lets you export its credentials, like e.g. Bitwarden does (it supposedly lets you export WebAuthN credentials via JSON, but I haven't tried it myself).
I get that any UI way to let users export credentials is a potential phishing/social engineering avenue, but the lock-in danger is real, and I'm holding back on WebAuthN as my primary authentication method for now.
I can imagine a scenario where it needs dependency updates, engineers bring this up, bean counters say “well this doesn’t make us money, spend time on things that make us money instead” until eventually the bean counters say “okay we are no longer doing this, shut it down”
For me, the desktop app always sucked (but it was still more convenient than going to my phone). The TOTP would often get completely out of sync unless I backed out of an app's section and went back in, and then waited for the TOTP to flip.
I just got done moving all of my accounts over to Aegis. At the same time, I put the new TOTP key into Proton Pass. Aegis makes it easy to backup your keys and use more than one 2fa app for redundancy.
Is there an alternative where you can sync tokens between your phone and your desktop computer? (which was Authy's main useful feature making the Electron bloat acceptable)
I’m not sure why people who mainly used TOTP and mobile are saying they are going to migrate to something else. I also used the Desktop application, but I could have used my phone in those cases 99% of the time, and if you’re using the Backup feature, you should still be able to recover your account in case you lose your phone, no? Or am I missing something?
I migrated from Google Authenticator before it offered backups too precisely for the backups/restoration.
As has been mentioned, not all of us want to have our whole infrastructure relying on a single device (mobile). The desktop app was both convenient but also a backup plan for me.
The seemingly unnecessary deprecation of a tool we all use gives off dangerous vibes for the future.
It is not that I think that the Authy mobile app is going away, but rather that the design and features of it will slowly become worse over time. History backs me up on this.
And honestly, for something as fundamental as 2FA we should be using self hosted and open source tools without any corporate ties anyways.
This was just the push I needed to make that happen (Aegis).
I sent them a support request venting. Will this work? Unlikely, but it takes less than a minute once you move through their automated help flow clicking "no not helpful"
This is a great example for why it's a bad idea to tie authentication to a proprietary third-party service. Thank you for promoting open standards, Twilio!
Even though I only use their iOS version I'm not taking any chances with something as important as this, so decided to ditch Authy on the phone. I looked at a few alternatives, and was pleasantly surprised at the built-in option on iOS and MacOS (and they automatically stay synced between phone and Mac if you're on iCloud).
Instead of trying to extract the settings out of Authy, I simply visited each of the sites for which I have 2FA turned on, logged in with the Authy code (for the last time), went to the account config/profile section of the web page and chose "Setup new authenticator" (or similar). Then it shows you a new QR code. At this moment on your iPhone you switch to the Passwords app which is under Settings->Passwords and search for the website or enter a new record. Then click on "Set Up Verification Code", and choose the option to scan the QR code. That's all there's to it. From then on you can log in either from your iPhone or Mac, and doing the fingerprint/FaceId will enter the TOTP code.
Tip: After making the change on each website, open an incognito/private browsing window and log in again. That way old cookies can't mess things up. I found one site where the re-doing of the 2FA hadn't worked properly this way.
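Two steps in this thread come down to the same thing: checking that a code shown by one app is the one a given secret should produce. The re-enrollment walkthrough above ends with the site asking for a code from the new app, and the earlier 2FAS migration matched "Service 1" to "Bubble" by seeing both apps show the same code. The following is an added example, not code from Authy, 2FAS, Apple or any commenter: it parses otpauth:// URIs (what the QR codes encode), generates RFC 6238 TOTP codes, verifies an enrollment within a time-step window, and matches unlabeled export entries to labeled ones by comparing codes at two consecutive time steps. It assumes both exports are available as otpauth URIs; the Authy-style 7-digit/10-second parameters and the sample secrets (the RFC 6238 test key plus one constructed key) are assumptions for illustration.

```python
"""Added example: otpauth:// parsing, RFC 6238 TOTP, enrollment verification and
matching unlabeled entries to labeled ones by code. Not any vendor's code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """TOTP parameters from an otpauth://totp/ URI. Missing parameters take the
    RFC 6238 / Google Authenticator defaults (SHA1, 6 digits, 30 s); Authy-style
    tokens would carry digits=7&period=10 (assumption)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    label = unquote(u.path.lstrip("/"))
    issuer = params.get("issuer")
    if ":" in label:                      # "Issuer:account" label form
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    else:
        account = label
    return {
        "issuer": issuer,
        "account": account.strip(),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP(key, floor(unix_time / period)) truncated to `digits`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # tolerate unpadded secrets
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def code_for(entry, at=None):
    return totp(entry["secret"], at, entry["digits"], entry["period"], entry["algorithm"])


def verify_enrollment(uri, code_shown, at=None, window=1):
    """Before confirming on the website: does the code the new app shows match
    what the QR's secret produces within +/- `window` time steps?"""
    e = parse_otpauth(uri)
    now = time.time() if at is None else at
    return any(code_for(e, now + k * e["period"]) == code_shown
               for k in range(-window, window + 1))


def match_unlabeled(unlabeled, labeled, at=None):
    """Map 'Service N' entries to labeled ones by equal codes at two consecutive
    time steps (the side-by-side comparison, done for a whole export). Entries
    with zero or several candidates map to None."""
    now = time.time() if at is None else at

    def fingerprint(e):
        return (e["digits"], e["period"], code_for(e, now), code_for(e, now + e["period"]))

    index = {}
    for name, e in labeled.items():
        index.setdefault(fingerprint(e), []).append(name)
    return {name: (hits[0] if len(hits) == 1 else None)
            for name, e in unlabeled.items()
            for hits in [index.get(fingerprint(e), [])]}


if __name__ == "__main__":
    RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"      # RFC 6238 test secret
    OTHER = "JBSWY3DPEHPK3PXP"                         # constructed second secret
    labeled = {"Bubble": parse_otpauth(f"otpauth://totp/Bubble:alice?secret={RFC_KEY}&issuer=Bubble"),
               "GitHub": parse_otpauth(f"otpauth://totp/GitHub:alice?secret={OTHER}")}
    unlabeled = {"Service 1": parse_otpauth(f"otpauth://totp/Service%201?secret={OTHER}"),
                 "Service 2": parse_otpauth(f"otpauth://totp/Service%202?secret={RFC_KEY}")}
    print(match_unlabeled(unlabeled, labeled))
    print(verify_enrollment(f"otpauth://totp/Bubble:alice?secret={RFC_KEY}", totp(RFC_KEY)))
```

The fingerprint includes digits and period on purpose: an Authy-style 7-digit/10-second entry never matches a standard 6-digit/30-second one even for the same secret, which mirrors what you would see comparing the two apps by eye.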
That one was just another discussion a month ago, might have some extra tips for alternatives etc.
This one is fine, official, and was first for today.
Naa, the official source was posted 36 days ago: [0], the one you reference was a more popular dupe posted 7 hours later from a lesser source that referenced the original.
Good job. In this case wasn't really looking for the src but rather pointing to the older discussion for ppl looking for next steps/solutions. Wherever the discussion was then.
Can anyone recommend an alternative with similar ux? I use it almost every day, it's very convenient for me! I don't always have my phone around, and also have used it more than once to prevent being locked out of a service
While I do not know whether its UX is similar, it does have a sync feature (but not cross-browser), an export feature, can back up its data to Google Drive, can store everything encrypted (but not by default), is recommended by at least one government website (SSS Employer Portal in the Philippines), and has been there for a long time. Oh, and it also remembers which site each secret comes from, and hides others.
The downside is no automatic synchronization with the mobile phone.
As someone who just uses good old passwords managed with TXT files and sticky notes: Security engineers (marketers?) never seem to understand most people by far value convenience over security.
You're gonna get pwned, and you're gonna get pwned hard. Brace for it because it's coming sooner or later. It's convenient until you lose all of your passwords.
I always present security as a sliding scale with secure on one side and convenient on the other. Similar to low-cost and convenient streaming services reducing piracy, and then seeing the return of piracy as they become higher cost and less-convenient, any application needs to consider not only how to protect its users and their data, but also how to not drive away users with security measures that encroach into that inconvenient zone.
2FA can definitely approach that zone in a few different ways eg. having to reauthenticate too often, or especially for technical users in situations where account sharing is a reality that isn't going away anytime soon: by not making your secret tokens readily available. It has been evident for years that Twilio was just trying to force vendor lock-in and I've always hated Authy. The desktop app at least gave you some agency (secrets on a device that you own and fully control), but I guess that was too much to ask in the long term.
Aside: there are measures that increase security without affecting convenience (much). Take those first.
Additional Aside to the text file password cowboy: since moving into password managers (first lastpass, now bitwarden) I've found it to be more convenient (usually) and I have a lot more peace of mind about it. Maybe try it?
2FA definitely will protect you even if your passwords.txt is stolen, probably. I can’t imagine that trying to manage syncing and easy access to the passwords.txt is even remotely as secure or easy as something like 1Password.
Services, IMO, have a duty to do their utmost in protecting customer security and privacy. Fortunately Passkeys are becoming more common and I’m hoping more folks will choose them since they’re way better than plain passwords.
The problem with choosing convenience now is that you don’t know what the future holds, and a good chunk of security is stuff that people don’t know becoming known, sometimes very publicly so.
Eg a new 0day in Firefox is found, exploited, and the passwords.txt is gone before the user patches it (admittedly likely since I am unsure if the OP is up for the inconvenience of frequent browser or critical software updates).
If you’ve ever had anything important of yours being hacked you’ll probably understand how shitty it is and how it’s worth the inconvenience. Modern password managers are very convenient though. I love not knowing a single one of my service passwords. Plus, my laptop being stolen is probably gonna still protect my passwords since 1Password does protect them at rest, pending brute-forcing the (very long) master password. None of this is true or exists for a plaintext file.
Even then, say OP doesn’t care about getting hacked and someone gets into their email. Now, the hacker has their email and contact lists. They can use that info to target OP’s contacts with more-viable phishing or other attacks.
I can count the passwords truly critical to my livelihood on one hand (and those are unique). I couldn't care less about everything else (and they all more or less share the same or similar passwords), pwn away.
That’s the same for me. That being said, I don’t trust current me enough to make good security decisions for future me based on current knowledge, so I do what I can now instead. The overhead is extremely minimal if you use a password manager.
> Brace for it because it's coming sooner or later.
I wonder if it will be his passwords, or one of the providers of those impenetrable password replacement keys will be breached first, in a way that leaks everything.
Unsure though the OP’s laptop being stolen or a rogue program stealing their passwords.txt is a lot more likely. The providers being attacked will still require the keys themselves to be attacked since they hold the secrets.
... I can't comment on the tool in the article because I've never used it, but I'm pretty confident a good password manager is more convenient than text files or sticky notes, while being more secure.
But also I think you're being naïve if you think security(-adjacent) people don't understand that people often prefer convenience.
The entire concept of a password manager is about convenience. Why do you think most mobile devices default to asking for a PIN code rather than a password? Why do you think credit/debit cards use a PIN rather than a complex password?
Convenience. It's literally all to make things more convenient.
If anyone has ideas on how to write the proper PURLs for this, I am gonna try to get this added to endoflife.date - will appreciate advice for PURLs/CPEs that apply.
Right. Which is why they were noting the implication that if Twilio earns a higher margin from an SMS 2FA vs an Authy 2FA, maybe the owners of Authy would discourage the use of Authy through actions like this.
https://support.authy.com/hc/en-us/articles/1260805179070-Ex...
The process for exporting is doable, but requires fairly deep technical knowledge and it isn't 100% clean. In order to do so, you need that desktop app and a specific version at that.
https://www.reddit.com/r/Bitwarden/comments/116kpvf/export_a...
I stopped using it ages ago because of these reasons, this should be your heads up to do the same.