Authy 2FA Security

Hope @Leo might chime in on this one, as I started using Authy when hearing him recommend it.

After discussion about SMS 2FA on Lastpass, got to thinking about Authy.

Authy uses your mobile phone number as the user name. On the desktop app (Mac), you enter your mobile number, then it gives you a dropdown menu offering 2FA options of:

“Existing Device” (your Authy App on phone requires response),
“SMS”
“Phone Call”

Existing Device option is great. I have enabled Face ID on iPhone Authy App, so not only do I have to have access to the phone, it also has to pass the Face ID feature.

But if I choose the SMS option, I get the normal 6 digit code sent via SMS, and when I enter it on desktop, I get immediate access to the authenticator codes.

Am I missing something here? Seems as insecure as any other SMS 2FA option, and puts all my Authenticator codes at risk.

2 Likes

Anything that uses SMS is theoretically insecure. It is an unencrypted standard and the providers have proven themselves to be untrustworthy with our telephone numbers, just handing out replacement SIMs to anybody who can’t even identify themselves - at least in the USA.

It is also relatively easy to hack, and the firmware of the modems in nearly all smartphones (Apple and Android), as well as dumb phones, has many known and unpatched / unpatchable security flaws.

I always use a Yubikey, if possible, and an Authenticator app if not.

1 Like

Problem is Authy is a “universal” Authenticator app that Leo has recommended at times. A bit disconcerting that it uses one’s mobile number as user name, and authenticates using the same number.

1 Like

Nothing is perfect but isn’t the real problem only if you use SMS? If there is nothing to intercept (you don’t use SMS) then it would seem reasonably secure.

1 Like

In Germany, you can redirect voice calls to another number, so that isn’t secure either.

For example, if I’m on call, I should take the company phone with me, but I just forward it to my private number. If a hacker could do that through a hijack, then I wouldn’t even know about it.

2 Likes

I do not want to leave this subject with the question of Authy security hanging in the wind. I contemplated reverting to Google Authenticator and removing Authy, but did a bit more research and testing.

The Authy mobile app includes a selection for multi-device use. If selected, you can use Authy on multiple devices, including your desktop, where you can log in using your mobile number and a code sent to that number by SMS. If not selected, trying to get an additional device to log in requires enabling multi-device access on the original device, or a call to support, with a caveat that it could take up to 2 days to authorise the request.

My decision to use Authy was specifically made based on the authenticator code backup to the cloud capability, which means you do not have to go through recovery steps when you get a new phone if you did not save copies of the QR code or alphanumeric code used to set up each account.

I like the capabilities of Authy. I specifically like the Face ID and PIN code access. I believe the setup of security and multi device access can be confusing.

I choose to go back to the more secure, more difficult way, only because I tend to be a bit anal-retentive.

1 Like

I just can’t bring myself to back up my 2FA to the cloud. The ‘something you know’ (your password) and ‘something you have’ (your 2FA) mantra doesn’t work any more as you’ve just given the something you have part of it away.

As usual it’s a trade-off of convenience vs. security, but for me I will use a hardware key where I can, or print out the 2FA code and keep it hidden.

I don’t know how Authy protects your 2FA backups, so maybe they have good enough security for this not to be an issue.

1 Like

I had heard Leo talk about Authy on occasion for about 2 years. Each time I considered switching to it, I convinced myself I really did not want to trust 2FA codes to the cloud. Then, when I got a new iPhone last year and found I had lost access to the codes, I broke down and started using Authy.
Moral is: trust my first impressions.
Chose 1Password about 10 years ago for the same reason. They offered an option to maintain sync across devices strictly on your own network. Did that for at least 5 years, until I started carrying a smartphone, and now I’m thinking seriously about going back to it. Using their cloud-based sync is very convenient, but the paranoia keeps peeking over my shoulder.

2 Likes

Steve Gibson has recommended the app OTP Auth (iOS) a number of times. It’s made by an indie developer. Great features.

Authy, like most consumer security software, is trying to make it convenient. Certainly using Authy with cloud backup & recovery is better than no 2FA, just as SMS 2FA is better than nothing. I never liked Authy’s cloud backup, but you can disable that in-app.

Regarding trust and 2FA-token apps, I don’t think they merit the same scrutiny as a password store. Time-based tokens used to be on an LCD display people carried on a lanyard. Obtaining access to the time-based code can’t compromise your account, can it? Face ID and PINs on a 2FA app seem like belt-and-suspenders (unless you’re on a multi-user device).

2 Likes