Authy got hacked, and 33 million user phone numbers were stolen

Bell curve meme:

Grug: A file on my computer (/Desktop/passwords.txt) Matty Midwit: Cloud connectivity! Phone numbers! Biometrics! Just install the app! Less than a cup coffee per month! Backed by FAGMAN^TM! The monk: A file on my computer (KPXC)

Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

The problem is so many services requiring SMS to be that second factor. From what I've heard it's easy enough to steal a sim that if you're being explicitly targeted it's basically the same as no second factor. Yet even if using an authenticator app most services require you to still have SMS/phone as another option for the 2FA.

For Authy specifically they'd need to guess your master password and then hijack your phone number, and for users of Authy I suspect their passwords are not easily guessed as it's already a step above the standard SMS only 2FA most services require.

did they have 2fa on?

Of course. It was on the office phone that gets passed around to whichever tech is on call. The on-call tech left it at Mcdonalds accidentally.

I realized long time ago that I don't want my 2FA be tied to my phone number. And then i found you can't export your data from Authy because they know they are scummy fucks and don't want to anyone to leave

You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file
- People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?
  
  You're gonna leave Authy a copy of your seeds? That defeats the purpose.
  
  Re-key your MFA codes on the way out. Security isn't necessarily convenient.
- Do you know what it's called? I'd like to do this if possible.
then i found you can't export your data from Authy

Exporting data from a 2FA app sounds like the opposite of secure. Not to mention you don't want your 2FA codes on Authy (or any other 2FA app) to remain valid if you're not using it.

When I switched from Google Authenticator to Authy years ago, I went through each 2FA-enabled account one by one to disable 2FA and then re-enable it using Authy. It's a long process depending on how many accounts you have 2FA enabled on, but it's worth it.

Reading the OP, looks like it's time to generate new keys for all my 2FA accounts.
- If you can't export / save / transfer codes then you need to regenerate all your 2fa codes every time you switch to a new device.
  
  2FA doesn't need to be infallible, it just needs to be a second factor.
~~I used this method to export my twitch 2FA to Aegis. although I did this a few years ago, I think it still works~~

Edit: reading though comments made me realise Authy's desktop app doesnt seem to be a thing anymore, so sadly I dont think it works anymore
- Wow, that was one of the things that drew it to me in the first place. I break phones too frequently to feel comfortable leaving everything to them.
So what did you do?
- On Android, I replaced Authy with the open-source Aegis app. It's just as functional, allows exporting, and doesn't tie your data to your phone number (nor store it on a central system--not sure if Authy does this or not).
- Use TOTP wherever possible. It's standardized, and typically can be found somewhere if you keep digging hard enough.
  
  Plenty of services push their own proprietary systems hard though. Looking at you M$

Weren't they hacked last time? Is this old news or a new hack they never learned from?

Red Shazam

Wow, it's literally the shazam logo, flipped horizontally and red.

Wonder who got paid to make that logo?
- Intern

'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.
- i'm in
- Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
  
  It's the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other, is using the system exactly as it was programmed.
  
  Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended. Right-clicking a webpage and viewing the source code isn't hacking - even if the website you're looking at doesn't want you looking at the source.
- With due respect, you are wrong.
  
  hack
  
  ...
  
  (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code
  
  Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
  
  Wiktionary
That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.
This isn't about being pedantic but sure, mate.

Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.

You know it's bad when people recommend something made by Google over it.
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
- Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
  
  If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
- GA now backups your codes in your Google account, so this doesn't happen anymore.
- This isn't about you and your silly follies
- I've started putting mine into my Bitwarden vault as well as Google auth, mainly because I'm a bit paranoid I'll wind up locked out of something by trusting a second factor too much
Call my job and tell them this please. I have to use this shite everyday and it sucks.
I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.

I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.

Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.

What do you use now?
- Check out Aegis if you're on Android. (See my other comment).
- Use google authenticator

lol. I am glad I became privacy conscious before this happened.

Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?

Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?

Bitwarden would be my vote
- Just out of curiosity: is it wise to keep you MFA within your password safe? Like is that not the opposite of multi factor? I'm no troll, I'm seriously uninformed.
- I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.
- This
KeePassXC does have this functionality on desktop as well as on SOME android apps (no idea for iOS). For android I like KeePass2Android Offline, iirc it was recommended on the official KeePassXC website (you may want to check it out).
Aegis
I like 1Password's built in MFA support, if it's a really sensitive account I use Google Authenticator because I haven't bothered researching better local alternative

Edit: Going to try Aegis for the more sensitive logins, looks like what I'm looking for
- You are not any more secure with google authenticator for 2fa, are you?
Buy a few (at least 2 for a backup) yubikeys.

Much more secure.

You can store the TOPT codes on them, but then you can also do all the higher security things too.

No one's breaking into your Google account if you secure it with those keys and remove the sms backup method unless they've physically stolen the yubikey
These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.
- Doesn't synced solutions completely defeat the purpose of MFA?
Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.
https://news.itsfoss.com/ente-auth/

I use this on my windows machines, offline , has biometrics, supports export and import from aegis. Is new and untested but past few months have been solid.
Most KeePass clones have it now, i use Keepass2Android plus KeePassX on PC
I'd recommend 2FAS Auth
- Yup it’s pretty good, although I would’ve liked it better if they provided a good way to export the data to another app
I'm using aegis, but maybe Proton Pass could be good?
- It's good
USB keys. Good luck getting one of those hacked.
- To be more concrete: security keys can communicate over USB or NFC. Just make sure it supports the protocol you want to use it for.
  
  But there is also passkeys which is both software- and hardware based and is almost equally secure.

welp

I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.

Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.

This is why I switched to Bitwarden, will probably move it to self hosted at some point as well

Does anyone have a suggested alternative for authy? (Please read the whole post before responding)

I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:

Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.

At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.

I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

Edit: added emphasis

I use Aegis, which I periodically back up manually off phone.
- (reposted from another comment mentioning aegis)
  
  Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
- Sames, aegis ftw
Bitwarden has 2FA built in, and you can host it yourself if you want.
- I've looked into this before and unfortunately it doesn't support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
- Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
If you're talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.

That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.

Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn't need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn't need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don't have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend's address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you'll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.

The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they're sure it's you. To be more secure, split each code into two halves and have each held by a different person.
Aegis. Make an encrypted backup. Store the backup safely. Done
Ente auth is new, but open and cross-plat, unlike aegis. Aegis still wins on Android but ente can import aegis encrypted backups.
Like many others in this thread I love Aegis, I regularly back it up to my nas and it hasn't failed me yet, but I also selfhost Vaultwarden. Recently I've found myself copying a lot of my secrets over so if I don't have my phone, I still have a way to use TOTP.
I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source
2FAS
- This. Superior in any way to authy.
- This is a new one to me, but a quick look at their homepage doesn't seem to suggest SMS support as per my deal-breaker scenario—could you point me to the docs describing that functionality?
I highly recommend 1Password. It's cross platform, including Linux, and it's not only a great and sort l super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.

Everything is full encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.
I use Aegis

Why does it require a phone number to use?!

They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.

Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack
- Also, Google Authenticator now supports backup. Aegis is another free alternative.

I hate, hate, hate that companies force 2FA on me just because goddamn Susans use ‘password’ as their password on every goddamn fucking app. My passwords are safe. They’re long and they contain ALL THE CHARACTER CLASSES. Fuck off with your fucking 2fa!

My passwords are safe.

No, they're really not. No matter how good your password is, it can absolutely be compromised. If you use a password manager, just look at how often sites tell you that you "forgot" your password, despite knowing you haven't.

Use 2fa for things that are absolutely vital. Whether you use it for your Blizzard account or Steam account is less important. (Though I'm pretty sure Blizzard has leaked passwords at least once, many years ago.)
- just look at how often sites tell you that you "forgot" your password, despite knowing you haven't
  
  wtf are you talking about?
I hate 2FA tied to a phone number. It makes it really hard to change your phone number when you’ve got 150 random accounts tied to it. Let me put that TOTP in my password manager.

Stop. Trusting. Cloud/SAAS. Security. Apps.

Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.

Don't give them your personal details, they don't care about protecting user anonymity.

Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create ~~honeypots~~ catnip for hackers, and making you pay them for the privilege of being an easy target.

Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.

"What if I lose my phone?"

I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.

A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.

This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)
- Syncthing across all of your devices. Use your desktop or other home PC to sync to a secure cloud service using rsync or freefilesync on a schedule. If you know all the words I just said it's like an hour of work, if not it's probably 4-6 (piecemeal, not a block).
- Who said you shouldn't be able to access your backups remotely?
  
  A lot of tools allow you to set up google drive, drop box, whatever. Yes, this brings you back to cloud, but it's better to have a hacker wonder if some random google drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).
  
  The other (better) option is to have it back up to sftp (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combo any/all of; port knocking, long-password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can't open your storage alone, etc).