[HN Gopher] End of Life for Twilio Authy Desktop App
___________________________________________________________________
End of Life for Twilio Authy Desktop App
Author : tempestn
Score : 181 points
Date : 2024-02-13 17:48 UTC (5 hours ago)
(HTM) web link (help.twilio.com)
(TXT) w3m dump (help.twilio.com)
| latchkey wrote:
| They intentionally make it really hard to migrate your data off
| their app under the premise of "security". Now, they are EOL'ing
| desktop apps, which are extremely convenient to use, despite the
| terrible UX.
|
| https://support.authy.com/hc/en-us/articles/1260805179070-Ex...
|
| The process for exporting is doable, but requires fairly deep
| technical knowledge and it isn't 100% clean. In order to do so,
| you need that desktop app and a specific version at that.
|
| https://www.reddit.com/r/Bitwarden/comments/116kpvf/export_a...
|
| I stopped using it ages ago because of these reasons, this should
| be your heads up to do the same.
| polyvisual wrote:
| I use Authy. I've read a few comments about how migrating away
| is difficult. What do you use instead?
|
| I also use bitwarden, but not sure how I feel about passwords
| and totp being in the same app.
| drpossum wrote:
| I've moved over to Proton Pass (you can do TOTP on the
| desktop through a browser, I figured if I'm authenticating
| into a site I must have internet) but KeepassXC was a strong
| contender. Both have excellent mobile support and Keepass has
| native desktop clients.
|
| Proton Pass isn't free, though, but I already had their
| services.
| latchkey wrote:
| > _not sure how I feel about passwords and totp being in the
| same app_
|
| I felt the same way and I've come to realize that it is not a
| big deal. One advantage is that with a shared password
| manager account, you can also share the TOTP along with it.
| Very convenient for a bunch of usecases.
| gukov wrote:
| Is it really multifactor then, with everything in
| Bitwarden?
| latchkey wrote:
| The way I see it, your password manager becomes the
| central point of failure. Therefore, secure your password
| manager with a hardware security key (yubi). Not all
| accounts stored in a password manager are created
| equal... some need more security than others. If there
| are accounts that you want additional 2FA security on,
| just use a separate TOTP app. It doesn't have to be an
| all or none option.
| mksybr wrote:
| Aegis & KeepassXC. KeepassXC could do it all alone and
| separate TOTPs under a separate database secured to a
| different password if you please.
| toomuchtodo wrote:
| I use Bitwarden, but have moved as many 2FA/MFA accounts to
| Passkeys as possible to avoid needing MFA.
| gregmac wrote:
| > I also use bitwarden, but not sure how I feel about
| passwords and totp being in the same app.
|
| I guess this depends on your threat model. In what cases
| would your password vault be compromised, but your TOTP vault
| still be secure?
|
| If someone gets access to your unlocked PC/phone, don't they
| then have access to both? Do you store your TOTP vault
| password in your password vault (obvious)?
|
| If someone gets into your password vault, why wouldn't the
| same mechanism also let them get into your TOTP vault? (This
| applies whether it's brute force, keylogger, hardware
| exploit, or $5 wrench.)
| fauigerzigerk wrote:
| _> In what cases would your password vault be compromised,
| but your TOTP vault still be secure?_
|
| If the password vault is on one device and the TOTP app on
| another then it would be harder for an attacker to get into
| both.
|
| I have the same concerns about passkeys. How is it secure
| if the only thing an attacker needs is a single method of
| accessing a single device?
| lamontcg wrote:
| Generally the threat model that TOTP protects against is
| not someone breaking into your device. The threat model
| that it protects against is someone compromising your
| other credentials. So, although not recommended, you
| could post your login credentials on twitter and still
| nobody would be able to get into your account. An
| attacker hacking into your laptop/desktop/phone with
| access to install keyloggers and hijack connections is
| not really what it protects against.
| fauigerzigerk wrote:
| _> Generally the threat model that TOTP protects against
| is not someone breaking into your device._
|
| And yet, in some realistic scenarios TOTP does protect me
| against that, if the second factor is on a different
| device, kind of like a poor man's yubikey.
| lamontcg wrote:
| Not if I'm on your device and hijacking your already-
| authenticated connection. I just need to be careful
| enough to do it in the background in such a way that you
| don't notice.
| patrakov wrote:
| In a corporate setup, it also somewhat protects against
| intentional policy-violating password sharing between
| employees.
| Fishkins wrote:
| > I guess this depends on your threat model. In what cases
| would your password vault be compromised, but your TOTP
| vault still be secure?
|
| If Bitwarden is compromised, like LastPass was. Of course
| the vault should still be encrypted, but I don't want to
| rely on a single company managing everything correctly. It
| seems much less likely that two different companies will be
| compromised at the same time.
| EasyMark wrote:
| that's been my attitude, both are keyed to my face id,
| otherwise encrypted. my phone times out really quickly if
| i'm not typing away on it. I feel relatively safe. I
| wonder though how much longer they will maintain the
| phone apps. All my desktop versions are verified from my
| phone, so them dropping the desktop sucks but isn't
| catastrophic.
| jdeibele wrote:
| I use iCloud Keychain because I use a Mac, iPad, and
| iPhone.
|
| I use Authy with Face ID protecting the entire app on my
| phone. I don't use the Desktop app because it won't use
| Touch ID, meaning I have to type in a long master password.
|
| I don't see an attack as likely to happen (I own no
| Bitcoin, not a billionaire, not in charge of anyone else's
| secrets) but if there was a flaw that let somebody access
| the passwords on my Mac or iPhone, they'd still need the
| 2FA codes from my phone. I think that's more likely to
| happen on the Mac because I do have apps downloaded from
| somewhere else besides Apple's App Store.
|
| My guess is that most of the people who worked on Authy
| have fallen by the wayside after the Twilio acquisition.
| It's annoying every time I have to search the boxes on my
| phone or the list on my watch: can't we please have
| alphabetization?
| nucleardog wrote:
| > I guess this depends on your threat model. In what cases
| would your password vault be compromised, but your TOTP
| vault still be secure?
|
| Key logger?
|
| I unlock my password vault frequently. I only unlock my
| TOTP vault to:
|
| 1. Add a new secret
| 2. Recover access to an account if my authenticator has died.
|
| Since I unlock my TOTP vault so infrequently, the number of
| hashing rounds/etc are tuned to be _much_ slower and
| require _much_ more memory. It uses an entirely separate
| set of credentials from my main vault. And you're unlikely
| to snag the password unless you're watching me for a long
| time or get very lucky.
| thesuitonym wrote:
| It does feel bad, but your password manager is already
| protected by MFA, right?
|
| It does mean you're putting _a lot_ of trust in your password
| manager, but on the other hand, you already kind of were,
| weren't you?
| ivandenysov wrote:
| I use Raivo for TOTP on iOS. It is open source and makes it
| easy to migrate to another app
| latchkey wrote:
| I used to use it, but the author refuses to publish a
| desktop app. I actually was able to install the iOS app on
| my desktop, but if I ever remove it, it is gone forever
| because he revoked it from the appstore. He only wants you
| to use the desktop receiver.
|
| It is also buggy af and doesn't sync properly. He's pretty
| much not doing any more updates of the app either.
|
| That experience pushed me off it forever.
|
| Edit: The app has been acquired by a third party. I'd move
| off it.
|
| https://www.reddit.com/r/privacy/comments/158ihxd/raivo_auth...
| politelemon wrote:
| And they try to lock you in to their own ecosystem. If you use
| sendgrid, it requires an authy specific 2fa code that can only
| be generated in their app.
| ing33k wrote:
| Yeah. I have always wondered what they gain by doing this.
| i386 wrote:
| "Security"
| gunapologist99 wrote:
| Lock-in by forcing you to use another Twilio product.
| aftbit wrote:
| I installed Authy on a rooted phone just to yoink the
| SendGrid token out and put it in our usual shared
| authentication service. Such a pain in the ass. I would
| highly recommend against SendGrid in basically all
| circumstances fwiw.
| nicoburns wrote:
| > I would highly recommend against SendGrid in basically
| all circumstances fwiw.
|
| To add another reason: their API will return an error if
| you send it more than one simultaneous request.
| mattferderer wrote:
| Sendgrid was my go to email provider for clients pre-
| acquisition.
|
| Once they got bought out & forced their poorly implemented
| 2fa with mobile phone requirements, I had no choice but to
| find different providers.
| djbusby wrote:
| Postmark FTW
| tczMUFlmoNk wrote:
| Yes, _and_, if you create a SendGrid account and therefore
| an Authy account, this may immediately enroll other accounts
| of yours on _entirely unrelated_ websites/services/platforms
| into Authy, presumably by correlating your phone number.
| (Even if the email address is different!) This includes big
| sites like Twitch, and also includes sites where you had
| selected the "only allow 2FA via security keys" option. Of
| course some of the blame here probably falls on those
| platforms, but both the fact that this is possible and the
| fact that Twilio encourages these patterns are reprehensible.
| drpossum wrote:
| Important point out of that reddit Bitwarden thread:
|
| If you migrate to another app and then delete your authy
| account, you risk having 2FA removed for some integrated
| accounts if they're set up to directly use the Authy backend.
| Twitch in some cases was pointed out.
| RockRobotRock wrote:
| At some point Cloudflare also used their weird OTP variant
| tareqak wrote:
| Twitch refused to return me access to one of my accounts for
| this exact reason (the account that had subscriptions on it
| was returned, the one without was not).
| metadat wrote:
| What should I replace it with? Any recommendations for a
| functionally equivalent cross-device 2FA app?
| dstroot wrote:
| I migrated to 2FAS, which is open source, free and has a nice
| UI. Used Authy for ages and just switched. Recommended...
|
| https://2fas.com/
| AaronMT wrote:
| How was the migration?
| yumraj wrote:
| But it also only has mobile apps. Authy is only killing the
| desktop app, not the mobile ones - at least not yet.
|
| What does 2FAS give, genuinely curious in case I'm missing
| something..
| badpenny wrote:
| There's a browser extension: https://2fas.com/browser-extension/.
| James_Kirk wrote:
| it still requires you to reach your phone
| notpushkin wrote:
| Password Store works fine for me:
| https://www.passwordstore.org/
|
| https://github.com/tadfisher/pass-otp
|
| Others have also said Bitwarden isn't too bad:
| https://bitwarden.com/
| tadfisher wrote:
| > https://github.com/tadfisher/pass-otp
|
| Seconded. The jerk maintainer needs to cut a release
| though. And maybe port it to something other than bash.
| figassis wrote:
| 1Password
| yumraj wrote:
| I just tried adding to KeePass XC - worked well, generates
| the same OTPs.
| PenguinCoder wrote:
| Aegis 2FA
| lotsofpulp wrote:
| KeePass databases with KeepassXC. I like to use Strongbox on
| macOS/iOS though (still save to Keepass databases though so I
| don't have to depend on Strongbox).
| rsync wrote:
| The easiest thing to do is set up a 2FA mule.
| egwynn wrote:
| I had some good luck with https://github.com/token2/authy-migration
| latchkey wrote:
| Nice find!
| drhuseynov wrote:
| In case anyone is looking for a desktop app to replace Authy,
| the authy-migration tool from token2 supports exporting TOTP
| seeds in WinAuth compatible format (use .wa.txt for export
| file name). Then in WinAuth
| (https://winauth.github.io/winauth/index.html), just import
| that file.
| ChrisArchitect wrote:
| More previous discussion:
| https://news.ycombinator.com/item?id=38921618
| rc_kas wrote:
| Is sad because that one got posted too early and probably won't
| reach the top of the feed and fewer people will see it.
|
| .. and mods will probably delete this one.
| ChrisArchitect wrote:
| That one was just another discussion a month ago, might have
| some extra tips for alternatives etc. This one is fine,
| official, and was first for today.
| drpossum wrote:
| Interestingly, due to how Apple has developed its app ecosystem,
| it looks like you can still have it on a Mac Apple silicon
| desktop if you install it via the app store.
|
| https://support.authy.com/hc/en-us/articles/17592416719003-A...
|
| > Note: The iOS app will still be available to download on M1/M2
| powered Apple Mac devices.
|
| It does work, but it's not first class support, though. You have
| to enable alternative touch settings if you want to do the "drag to
| the left to delete a token".
| mayneack wrote:
| How do folks use two factor auth for 1password logins? It feels
| wrong to me to use 1password as the second factor for 1password
| itself. My last remaining authy second factors are for primary
| email and 1password. All other second factors are in 1password.
| redrove wrote:
| I use a YubiKey.
| lxgr wrote:
| Does 1Password allow multiple/backup hardware authenticators?
| redrove wrote:
| Yup, I technically use 3.
| vanilla_nut wrote:
| Two ways:
|
| - a Yubikey
| - a sparingly used email account with no 2FA, just a very long password
|
| 2FA through the sort-of-secret email account lets me get back
| into Bitwarden (and thus everything else) even if my house
| burns down and I lose access to all of my yubikeys. And auth on
| a device that doesn't easily support yubikeys, like older
| iPhones.
|
| 2FA is very useful, but highly overrated. If you have a
| sufficiently long and complex memorized password (and the email
| platform actually lets you create one that's properly long, 40+
| characters), it's unlikely that you'll have any problems unless
| you accidentally share the password somewhere.
|
| Of course I feel like all my precautions are moot when my
| bank and CC company force SMS 2FA. But I haven't found any with
| superior security schemes anyway.
| lambence wrote:
| Small side tangent - I'm on Mint Mobile and enabled 2FA for
| my account there, which is required for all customer calls.
| This would stop SIM swapping attacks which are the main
| failure point for SMS 2FA, right?
| jabroni_salad wrote:
| that depends entirely on Mint's 'lost 2fa' recovery
| process.
|
| https://www.reddit.com/r/mintmobile/comments/104h7p2/locked_...
|
| seems like some senior CSRs can still get you bypassed.
| TurningCanadian wrote:
| Passwords don't protect against spoofed login pages.
| jorvi wrote:
| > 2FA is very useful, but highly overrated.
|
| What a bizarre statement. It protects you from _any_ password
| leak.
|
| If you have 2FA, even if you get keylogged or phished or
| breached or shoulder peeked, your intruder still does not
| gain access.
| throwaway918274 wrote:
| I used to use Authy (lol) as my second factor for 1Password and
| then 1Password for everything else. After migrating off of
| 1password, I just use Authy for everything...
| jamesponddotco wrote:
| For 1Password I use a Yubikey, but for 2FA in general, I have a
| backup phone running Aegis[1].
|
| [1] https://getaegis.app/
| zedpm wrote:
| I use Authy on my phone and watch, but not Authy on the desktop
| for exactly this reason; if my computer is compromised and
| 1password is accessible, they still don't have access to my
| TOTP codes. Having it on both my watch and phone means I can
| break a device and not lose access.
| nu11ptr wrote:
| Ugh. I used this for redundancy. In case I lost my phone I wasn't
| locked out of everything.
| Eric_WVGG wrote:
| Worth noting that you can install the Authy iPad app on ARM
| Macs (unsure about Intel, but I'm skeptical)
|
| but seriously, what a terrible app, another great reason to get
| off that platform
| jedberg wrote:
| /mindblown
|
| Hadn't even thought of this, thank you!
|
| (And it works!)
| therealmarv wrote:
| This literally saved me some years ago when my phone gave up
| and I was travelling.
| kevinsky wrote:
| I migrated to 2FS as I wanted to keep my MFA secrets separate
| from my BitWarden passwords. It does require some technical
| knowledge but the how to was thorough and is found here
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
|
| Best to get it done quickly before they prevent you from
| downloading the older version that had the debug console
| secabeen wrote:
| Yeah, super-ugh. Every 2FA vendor wants to lock you in. I was
| able to export secrets from GAuthenticator on a rooted phone with
| sqlite, it looks like that is still possible on Authy too.
| Another vote for rooting your phone.
| graphe wrote:
| I wish I knew this. I have a version of gauth that wasn't able
| to be exported on an old phone. I lost a bunch of crypto
| because of this.
| jasonjayr wrote:
| I _REALLY_ want to like passkeys, and all these other stronger
| vendor systems, but the lock in is real. Office365 defaults to
| their special authenticator, and you have to jump through hoops
| on the admin side to ensure TOTP is an option. It will be a
| very real improvement to security for non-tech users, but the
| refusal to let folks be 100% in control of their key material,
| and the lazy "it will be available in a later version, we're
| focusing on the most common use cases" just tells me that the
| implementers really don't want to do it in the first place:
| they're waiting for lockin with what's available, and then
| they'll just say "Well people adopted it w/o this feature, they
| must not really want it"
|
| There 100% has to be a way for the user to own + backup their
| own private key material, or these are all just paths for
| stronger lockin.
|
| Personally, I have a TOTP App (andOTP) with QRCodes on paper in
| cold storage, keepass-based tools for passwords across
| platforms, and Syncthing for syncing across these systems.
| lxgr wrote:
| Unfortunately there is no key exchange format specified in
| either FIDO or WebAuthN, which I view as a major downside as
| well.
|
| The closest you can currently get is an open-source
| authenticator implementation that lets you export its
| credentials, like e.g. Bitwarden does (it supposedly lets you
| export WebAuthN credentials via JSON, but I haven't tried it
| myself).
|
| I get that any UI way to let users export credentials is a
| potential phishing/social engineering avenue, but the lock-in
| danger is real, and I'm holding back on WebAuthN as my
| primary authentication method for now.
| lxgr wrote:
| The newest version of Google Authenticator just lets you
| display the setup QR code again, no rooting necessary!
| lxgr wrote:
| This is a great example for why it's a bad idea to tie
| authentication to a proprietary third-party service. Thank you
| for promoting open standards, Twilio!
| donkulous wrote:
| This was literally the only reason to use Authy.
| BHSPitMonkey wrote:
| I've only ever used it on mobile, so no. For me the reason was
| sharing TOTP between phones in case my primary gets lost or
| damaged.
| donkulous wrote:
| That's fair. I should say, it was my main reason for using
| Authy as there wasn't anything else out there that could do
| synced mobile and desktop easily for free.
| amanzi wrote:
| Maybe not the only reason, but this was definitely one of the
| main reasons I used Authy. Over time, the product has been
| getting progressively worse... When I first started using it
| there was a Chrome App you could install which was great
| because it could work on "corporate" machines where I wasn't
| able to install the desktop app. That went away a long time
| ago, but at least we had the desktop app on Windows, Mac,
| Linux. Although, at some point Authy was only available on
| Linux if using Snap, which ruled it out for me (although there
| is an unofficial Flatpak now). So now they are getting rid of
| all desktop apps which will be the end of my Authy journey and
| this will also be the last Twilio product I use, since I've had
| recent bad experiences with some of their other products.
| redeux wrote:
| I feel stupid because I've been recommending people use Authy
| for the past year "because it has a desktop and mobile app."
| truckerbill wrote:
| PSA: Keepass (XC?) and the iOS cousins work as a 2FA app and you
| can freely migrate your data from it.
| mr_sturd wrote:
| KeePassDX works with 2FA on Android, but I've had trouble with
| tokens synced to XC on desktop.
| therealmarv wrote:
| What is so hard about maintaining an already finished Electron app?
| corytheboyd wrote:
| I can imagine a scenario where it needs dependency updates,
| engineers bring this up, bean counters say "well this doesn't
| make us money, spend time on things that make us money instead"
| until eventually the bean counters say "okay we are no longer
| doing this, shut it down"
| willcipriano wrote:
| More likely they want to get mobile data from desktop users.
| Probably with a plan to monetize it somehow later.
| Dalewyn wrote:
| As someone who just uses good old passwords managed with TXT
| files and sticky notes: Security engineers (marketers?) never
| seem to understand most people by far value convenience over
| security.
| nusl wrote:
| You're gonna get pwned, and you're gonna get pwned hard. Brace
| for it because it's coming sooner or later. It's convenient
| until you lose all of your passwords.
| nottorp wrote:
| > Brace for it because it's coming sooner or later.
|
| I wonder if it will be his passwords, or one of the providers
| of those impenetrable password replacement keys will be
| breached first, in a way that leaks everything.
| trey-jones wrote:
| The point still needs to be made.
|
| I always present security as a sliding scale with _secure_ on
| one side and _convenient_ on the other. Similar to low-cost
| and convenient streaming services reducing piracy, and then
| seeing the return of piracy as they become higher cost and
| less-convenient, any application needs to consider not only
| how to protect its users and their data, but also how to not
| drive away users with security measures that encroach into
| that _inconvenient_ zone.
|
| 2FA can definitely approach that zone in a few different ways
| eg. having to reauthenticate too often, or especially for
| technical users in situations where account sharing is a
| reality that isn't going away anytime soon: by not making
| your secret tokens readily available. It has been evident for
| years that Twilio was just trying to force vendor lock-in and
| I've always hated Authy. The desktop app at least gave you
| some agency (secrets on a device that you own and fully
| control), but I guess that was too much to ask in the long
| term.
|
| Aside: there are measures that increase security without
| affecting convenience (much). Take those first.
|
| Additional Aside to the text file password cowboy: since
| moving into password managers (first lastpass, now bitwarden)
| I've found it to be more convenient (usually) and I have a
| lot more peace of mind about it. Maybe try it?
| eviks wrote:
| Is there an alternative where you can sync tokens between your
| phone and your desktop computer? (which was Authy's main useful
| feature making the Electron bloat acceptable)
| wrs wrote:
| PSA: If you're in the Apple ecosystem, you can copy and paste
| between devices.
|
| https://support.apple.com/en-us/102430
| kube-system wrote:
| Also:
|
| > Note: The iOS app will also be available to download on M1/M2
| powered Apple Mac devices.
| jedberg wrote:
| This was mentioned below (HT to Eric_WVGG for pointing it out
| [0]) but I think it warrants a top level comment:
|
| If you have an ARM Mac you can install the Authy iPad app and use
| it just like the Desktop app.
|
| If you want to have a desktop backup but aren't ready to migrate
| yet, this is a fantastic stop-gap solution.
|
| [0] https://news.ycombinator.com/item?id=39360950
| jmbwell wrote:
| Of course, if you have an Apple product, you can also use the
| TOTP function built-in to Keychain. iPhone doc here:
|
| https://support.apple.com/guide/iphone/automatically-fill-in...
| donkulous wrote:
| The downside to this is that you're tied into Apple's
| ecosystem. The nice thing about Authy was that I had the same
| access on Android, iOS, Windows, Mac, and Linux.
| rgovostes wrote:
| Apple makes an app for accessing passwords on Windows, but
| I would not put a lot of faith in them supporting it
| forever, as Twilio has reminded us.
|
| https://support.apple.com/guide/icloud-windows/set-up-icloud...
| adamors wrote:
| Dupe of https://news.ycombinator.com/item?id=39354045
| antisthenes wrote:
| I really really hate the trend of making desktop users into 2nd
| rate citizens.
|
| From endless scrolling to hamburger menus, to straight up giving
| a big middle finger to having a desktop app.
| donkulous wrote:
| RIP scroll bars.
| uses wrote:
| Getting a user to install software on a desktop is probably one
| of the hardest things for a company to ask for in 2024. It's wild
| that you would have built up a userbase of ... tens of thousands?
| ... of technically knowledgeable people who want your product,
| get them to install and rely on your product on their actual 2024
| desktop computer where they do actual work, then have some
| decision makers determine "ok time to pull the plug" and you
| actually follow through with that. It's just incomprehensible.
| ejb999 wrote:
| I agree, seems short-sighted - they could have even just
| started charging a bit for it to keep it alive if necessary.
|
| No surprise though, after a fantastic start, twilio has turned
| into a sh*t company, unfortunately - I was a very early adopter
| of many of their tools and services, and 1 by 1, they have all
| gone downhill.
|
| They should have sold the company while it still had a decent
| reputation, at this rate there will be nothing of worth left.
| deletaylor wrote:
| I would have been happy to pay something to have Authy on
| desktop and mobile.
|
| I switched to them after my phone died and I saw how hard
| accessing my accounts was without a backup OTP device.
| httpz wrote:
| I assume many companies are using Twilio for their SMS OTP auth.
|
| Does that mean Twilio has a financial interest in steering users
| away from using Authy?
| yid wrote:
| Twilio owns Authy
| ncallaway wrote:
| Right. Which is why they were noting the implication that if
| Twilio earns a higher margin from an SMS 2FA vs an Authy 2FA,
| maybe the owners of Authy would discourage the use of Authy
| through actions like this.
| nusl wrote:
| I'm fairly sure they're going to kill the mobile applications
| too. Migrating is a pain though.
| justinzollars wrote:
| This sucks. Just creates work for me.
| ijustlovemath wrote:
| Can anyone recommend an alternative with similar ux? I use it
| almost every day, it's very convenient for me! I don't always
| have my phone around, and also have used it more than once to
| prevent being locked out of a service
| patrakov wrote:
| I use a browser extension from https://authenticator.cc/
|
| While I do not know whether its UX is similar, it does have a
| sync feature (but not cross-browser), an export feature, can
| backup its data to Google Drive, can store everything encrypted
| (but not by default), is recommended by at least one government
| website (SSS Employer Portal in the Philippines), and is there
| for a long time. Oh, and it also remembers which site each
| secret comes from, and hides others.
|
| The downside is no automatic synchronization with the mobile
| phone.
| rainbowzootsuit wrote:
| This is why I have a hard copy printed folder of all my TOTP
| seeds.
| tiffanyh wrote:
| Quickest way to scare someone into _not_ using MFA/2FA are
| stories like this.
| jjice wrote:
| For me, the desktop app always sucked (but it was still more
| convenient than going to my phone). The TOTP would often get
| completely out of sync unless I backed out of an app's section
| and went back in, and then waiting for the TOTP to flip.
| nikolay wrote:
| It's time to leave and entirely switch to 1Password and Microsoft
| Authenticator (for 1Password's 2FA).
| 1270018080 wrote:
| Great... I don't really want to switch off of authy but I don't
| have much of a choice now.
| systems wrote:
| Did anyone try to install the Android app on Waydroid/Linux? Does
| it work, is it safe?
| cwbriscoe wrote:
| I just got done moving all of my accounts over to Aegis. At the
| same time, I put the new TOTP key into Proton Pass. Aegis makes
| it easy to backup your keys and use more than one 2fa app for
| redundancy.
| EasyMark wrote:
| This is probably my next step as well. It was nice while authy
| worked though, never had a single issue with it, almost 0
| maintenance.
| captn3m0 wrote:
| If anyone has ideas on how to write the proper PURLs for this, I
| am gonna try to get this added to endoflife.date - will
| appreciate advice for PURLs/CPEs that apply.
| EasyMark wrote:
| Any word on how long before they will EOL the phone apps?
| anbotero wrote:
| I'm not sure why people who mainly used TOTP and mobile are
| saying they are going to migrate to something else. I also used
| the Desktop application, but I could have used my phone in those
| cases 99% of the time, and if you're using the Backup feature,
| you should still be able to recover your account in case you lose
| your phone, no? Or am I missing something?
|
| I migrated from Google Authenticator before it offered backups
| too precisely for the backups/restoration.
___________________________________________________________________
(page generated 2024-02-13 23:01 UTC)