I may be dense, but if you back up the tokens and protect that online backup with a password, don't you eliminate the second factor?<p>Now the attacker just needs to get two passwords (to the backup at Authy and to whatever account), so it's reduced to just something you (may) know.
Looks like someone from Authy is reading this thread, so here goes...<p>Feedback:<p>* Registration is a bit complex; all texts to my phone (with the exception of the registration code) are completely useless as the <i>real</i> info is sent to my email address<p>* Why is my backup encryption key in plain text? A dual-password field with sameness-checks would be better.<p>* Restoring from backup is... painful.<p>- I cannot just reregister my phone, I have to go through a reset process online. Ok, fine. I got texts to my phone instantly but the reset email took almost 15 minutes to reach me.<p>- The app crashes tapping any "GA" item other than the first one.<p>- I have to type in my encryption key for each "GA" item and the app crashes each and every time.<p>- The <i>first</i> time I tried to restore Authy, after typing in my encryption key to recover the first "GA" item, the app crashed and wouldn't let me recover any of the other items... I had to do the whole process all over again.<p>* Aside from the above, the app <i>looks and works</i> so much better than Google Authenticator on my iPhone (5). Especially considering I'll be able to recover my tokens when switching phones -- Google Authenticator completely screws this up (broken phone? Get a replacement phone from Apple? Upgrade? All your tokens in Google Authenticator are lost, even if you recover from backup).
You better replace your development error pages with proper 404
Take a look at <a href="http://blog.authy.com/feed" rel="nofollow">http://blog.authy.com/feed</a>
This is interesting, I've never considered using an alternative app for Google 2FA tokens, mostly because the app Just Works. It's literally one tap and it shows the token I need to type into the website; I'm not sure how it could get any simpler.<p>Since the Authy guys seem to be around, if the only 2FA I have is on my Google accounts, what is the advantage of using Authy over the standard Google Authenticator app (on Android, fwiw)?
Is this "condoned" by Google or does Authy just emulate the algorithm that Google uses? If they are just implementing their own version, then what secret info do they need for the algorithm?
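The algorithm Google Authenticator uses is not Google's own: it is the public HOTP/TOTP scheme (RFC 4226 / RFC 6238), and the only secret involved is the shared seed that the QR code hands to the app as a base32 string inside an otpauth:// URI. The following is an added example, not code from Authy, Google or anyone in this thread, showing how a code is derived from that seed alone, how a server would verify it, and where the seed sits in the URI. The seed used is the RFC test secret (a constructed, non-private value); the window size and URI are assumptions for illustration. It also makes the point raised elsewhere in the thread concrete: whoever holds the seed (a backup included) can compute every future code without any network access.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed example seed: the RFC 4226 / RFC 6238 test secret, base32-encoded
# the way an otpauth:// URI carries it. Not a real account secret.
RFC_TEST_SEED = b"12345678901234567890"
EXAMPLE_BASE32_SECRET = base64.b32encode(RFC_TEST_SEED).decode()

# Hypothetical enrollment URI of the kind a QR code encodes (constructed).
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    f"?secret={EXAMPLE_BASE32_SECRET}&issuer=Example"
)


def secret_from_otpauth_uri(uri):
    """Return the base32 seed carried by a TOTP otpauth:// URI.

    This is all the authenticator app needs: no Google-specific credentials.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return params["secret"][0]


def hotp(secret_b32, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    # Apps accept unpadded/lowercase base32, so normalise before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, candidate, unix_time, window=1, step=30, digits=6):
    """Server-side check. The verifier must hold the same seed, so any copy
    of the seed (including a backup) is equivalent to the token itself.
    A small window tolerates clock drift; constant-time compare avoids
    leaking how many digits matched."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    seed = secret_from_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    # RFC 6238 vector: at T=59 the SHA-1 TOTP is 94287082, i.e. 287082 for 6 digits.
    print("seed from URI:", seed)
    print("code at T=59:", totp(seed, 59))
    print("accepted at T=89 (one step later, within window):", verify_totp(seed, "287082", 89))
    print("accepted at T=120 (two steps later, outside window):", verify_totp(seed, "287082", 120))
```

The `hotp` output for counters 0 through 9 matches the RFC 4226 test table, and `totp` at T=59 matches the RFC 6238 vector, which is a quick way to confirm any authenticator implementation against the published standard rather than against another app.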
There is only one semi-reliable auth method: deep body scan + DNA + mitochondrial RNA + retina scan fuzzy match. Passwords and 2-factor auth suck. And so will embedded/mark IDs, which I will never, ever use.<p>This is a good idea: everyone worth their salt wants a third-party single auth service, perhaps one that we pay an annual fee for, however this ain't it yet. You should not piggyback. Don't.
What could possibly go wrong when using a device that is connected to the Internet as a 2nd form factor?<p>That's not just a criticism of this app: all the apps that advertise a device that is connected to the Internet as a "2nd form factor" are using deception to lure people in.<p>There's no way this is "Two-Factor" in the same way that a physical RSA token is "Two-Factor".
Can someone put a moratorium on startup names that end in "-y" or "-ly"? After a few of these it gets irritating. Maybe the next one will be called "obnoxiously".