TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

Some Authy 2FA accounts were compromised in Twilio data breach

134 points by vanburen, over 2 years ago

14 comments

teedog, over 2 years ago
Just migrated in bulk from Authy to Aegis Authenticator (open-source with encryption and automatic backups/exports).

Instructions:

https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93#file-authytootherauthenticator-md

Aegis-specific export:

https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93?permalink_comment_id=4192581#gistcomment-4192581
etchasketch, over 2 years ago
Coincidentally, I switched over to raivo just several weeks ago. There is a way to extract all of your 2fa keys using a deprecated chrome extension, which is what I did. It's quite easy, it spits out everything in a PDF web page with QR codes - I printed the whole page as a backup, then used my phone to add my 20+ accounts in about 5 minutes with the QR code. I have used authy for over 6 or 7 years, but for some reason I was getting uncomfortable with having it tied to my phone number.

There is an ipad app, which I installed on my M2 macbook air, so I can access it on my laptop as well. I also downloaded a version onto my old iphone 6 I keep in a drawer under my bed, just as a backup in case something gets stolen. And I have an ipad mini that I use on a daily nightly basis for reading and browsing. In addition to a ~5 year old windows desktop and a windows laptop from ~2015.

I've been resistant to using apps that only exist in the apple ecosystem, because I generally have only used windows laptops and android phones. But now I use an iphone, I have an m2 macbook air, and quite honestly the quality just blows everything on the windows / android side out of the water. I finally just admitted to myself that there is probably never going to be a scenario where if my phone breaks, I would go out and buy an android phone. It won't happen. The sheer convenience of just getting a new replacement phone, logging in, and having all your settings and files and (2FA codes! - encrypted in icloud!) automatically download is understated.

The price of an old iphone 6 or 6s is ~25-40 dollars on ebay. The price of a yubikey is 50 or 60 bucks.
latchkey, over 2 years ago
After a lot of trouble, I was able to extract my private keys from Authy by installing their deprecated Chrome extension and using some hacky javascript found in a gist. Now, I'm on the search for something else to load my keys into.

All the other 2FA apps out there that I've looked at are lacking in some way or another. Ideally, I'd like as a basis: iOS and MacOS app (not electron) support, easy import/export, no requirement for a phone number, some sort of encrypted 'cloud' backup, open source, decent UX.

I'm half tempted to just import into Bitwarden (which I happily pay for) and call it a day, but I'd like to keep my password manager separate from my 2fa... just seems awkward to combine them.

Bueller? https://www.youtube.com/watch?v=KS6f1MKpLGM
avg_dev, over 2 years ago
Correct me if I'm wrong but U2F tokens are an antidote to TOTP seeds being leaked, right?

Edit: some reading: https://en.m.wikipedia.org/wiki/Universal_2nd_Factor I gave the advantages and disadvantages section a read and I believe I got it right. The one major disadvantage I've read about is that there is no backup. At a place I worked, we registered two keys and kept one as a backup. It seemed to work okay.

Also this: https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/

On OTP:

> The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim's account.

Later, on FIDO U2F:

> Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.
sph, over 2 years ago
Bloody Twilio, because of them I've lost access to my Twitch account.

For some historical reason, at my previous job the SendGrid account was connected to my phone number. When I quit, I migrated Authy, which was required to log into SendGrid, to another employee.

Now, months later, I find that Twitch has migrated its 2FA to Authy, and I am unable to get the codes anymore so I'm locked out. I'm pretty sure my codes are now being sent to this other employee, and neither Twitch nor Authy's support are keen to help.

I don't know if I should blame Twitch or Twilio but fuck this shit and I will not give either any more business.

I use Bitwarden for password management and 2FA now. I recommend them instead.
hangonhn, over 2 years ago
Can someone explain the significance of this? Aren't the secrets supposed to be encrypted on the device side before being sent to the Twilio servers? I don't get how the attackers were able to get access to the MFA codes.

Thanks.
scottydelta, over 2 years ago
Does anyone know how the hackers were able to generate auth codes without the user's backup password to decrypt the stored keys?
kureikain, over 2 years ago
Due to this I wrote my own tool called bima https://github.com/yeo/bima which uses SQLite, runs locally, and can sync an encrypted blob to a server.
AnonC, over 2 years ago
Tangential: I've seen Authy recommended around (including in an Ars Technica article about 2FA), but never understood why linking a phone number (subject to SIM jacking or other kinds of loss) was preferred or even thought of as a decent idea. Using 2FA for security but choosing SMS OTP as the authentication for the 2FA provider seems…weird.

There are many other apps that provide syncing (the accounts and seeds) across devices without needing a phone number and SMS OTP authentication. There your threats are primarily your phone and what service is used for the sync.
Shank, over 2 years ago
This is probably related to the fact that Authy has two modes — a traditional MFA mode using TOTP (6-digit codes) and another 2FA method using server-pushed secrets (used by Gemini, possibly Coinbase and others). The codes are longer than 6 digits, and aren't encrypted. That's when a service "enrolls" you in 2FA using Authy.

I don't think they compromised the encrypted / non-Authy-issued codes.
hot_gril, over 2 years ago
I don't understand using 2FA for most things. My iCloud has its own 2FA, as it should. That relies on special systems to share keys between my devices. Everything else can use a randomly generated password that my Keychain stores. That's the same level of security as every site using 2FA with my one 2FA app (equally resistant to attackers with password databases and equally fallible to fully compromised sites) but far less of a hassle. If I were in Google's ecosystem, it'd be similar. If I want to switch ecosystems, I can export my passwords.
fmajid, over 2 years ago
I have zero trust in Authy or RSA SecurID. As far as I am concerned, for a security product, one strike and you're out. This is Authy's second at least.

At this point I also won't consider anything but U2F secure 2FA.
Lacerda69, over 2 years ago
This is why we need hardened authentication services that can be self-hosted. Ory Kratos seems like it's going in the right direction.

proprietary auth - not even once
javier2, over 2 years ago
Hmm, I think I used the authy enrollment via Coinbase... Should I be worried?