[HN Gopher] Twilio confirms data breach after hackers leak 33M A...
___________________________________________________________________
Twilio confirms data breach after hackers leak 33M Authy user phone
numbers
Author : mindracer
Score : 377 points
Date : 2024-07-04 12:26 UTC
Source : www.securityweek.com
| infecto wrote:
| Good motivation to stop using Authy.
| fauigerzigerk wrote:
| What is a good alternative?
| infecto wrote:
| Most likely whatever password app you use supports these now.
| I know for myself, I started using Authy long long ago when
| there were not really many options.
|
| In my case, 1 Password can do this now. I believe the same is
| true for Bitwarden and Apple passwords.
| fauigerzigerk wrote:
| I hesitate to use the same app for both authentication
| factors.
|
| The reason why I started using Authy a long time ago is
| that it supports multiple devices and isn't linked to any
| other account (such as Google or Microsoft).
| lozf wrote:
| Also KeePassXC -- if you don't like the idea of 2FA codes
| being in the same db as passwords, it's straightforward to
| use a separate db for 2FA only.
|
| Manage your own sync between devices with syncthing,
| dropbox or whatever you prefer.
| sofixa wrote:
| Personally I dislike the idea of putting the other
| factor (TOTP) alongside the main two ones (email/password).
| Kind of ruins most of the purpose of TOTP and MFA in
| general.
| imrehg wrote:
| Besides all the other advice of using the password manager as
| a 2FA store as well, on the stand-alone side there is Aegis.
| I have good experience with it, and it allows better
| interoperability than Authy as well.
| haswell wrote:
| On iOS, I've been using "OTP Auth".
|
| While it's nice that password managers can handle this as
| others have mentioned, the whole point of a 2nd factor is to
| ensure an attacker can't get in if they somehow get your
| password. Storing the second factor along with the 1st factor
| doesn't make much sense to me.
| attendant3446 wrote:
| Aegis (Android), supports automatic backups. There is also
| Ente Auth (it's been mentioned on this site), but I haven't
| used it much.
| cess11 wrote:
| I'll join the choir and recommend Aegis. It's slick, got
| features, code on Github.
| rvz wrote:
| My goodness, for the 100,000th time, just stop using phone
| numbers for 2FA. (I know you won't anyway)
|
| There are no more excuses other than asking for your phone to be
| sim-swapped and your bank accounts or your wallets to be drained
| by call centers.
|
| If this breach doesn't scare you from using phone number for 2FA,
| then maybe nothing ever will and AI and deep fakes will make this
| even worse.
| AceyMan wrote:
| Authy doesn't implement SMS 2FA (how could it). A phone number
| is part of your user profile for registered mobile devices
| hosting the app.
| Justin_K wrote:
| Even worse... Sounds like phone number is irrelevant, yet
| they collect it.
| oldmariner wrote:
| How else are they going to track people with a hard-to-
| change identifier?
| Terretta wrote:
| > _How else are they going to track people with a hard-
| to-change identifier?_
|
| Using the device advertiser ID that the user is entitled
| to change.
|
| // Sorry, for a moment I thought you were serious.
| prng2021 wrote:
| I just did some quick research on these IDs. Correct me
| if I'm wrong, but it seems like each user account would
| be tied to one device. It also seems like the user, at
| least on Apple devices, has to opt into advertising
| tracking in order for your app to even get access to
| this.
|
| Ignoring the security pitfalls of phone numbers, it
| really doesn't seem like these advertising IDs are a drop
| in replacement for using phone numbers.
| jokethrowaway wrote:
| It's used to store and retrieve your 2fa secrets in case
| you lose your device
| Terretta wrote:
| > > _Even worse... Sounds like phone number is
| irrelevant, yet they collect it._
|
| > _It's used to store and retrieve your 2fa secrets in
| case you lose your device_
|
| The _phone number_ doesn't store anything?
|
| But if somehow knowing that phone number is a key to
| getting your 2FA secrets, you'd have a bigger problem.
|
| Except it often is, and that's the problem.
| ezekg wrote:
| Do what I do and turn off "allow multi-device." Problem
| solved -- even if your phone number is stolen, they can't
| recover your 2FA because it's locked to the device too.
| FabHK wrote:
| You can enable multi device, and have it on multiple
| devices, then disable it.
|
| https://authy.com/blog/understanding-authys-multi-device-
| fea...
| ezekg wrote:
| Yep. I've done this. Lots of people I know use "burner"
| phones without cellular for 2FA.
| rvz wrote:
| That is brilliant news for SIM swappers and criminals now
| that they can gain access to your codes directly with your
| phone number!
|
| A terrific reason to avoid anything Twilio / Authy
| Ayesh wrote:
| In fairness, you cannot. It requires a backup password.
| ceejayoz wrote:
| > Authy doesn't implement SMS 2FA (how could it).
|
| https://www.authy.com/integrations/ssh/
|
| "Someone in your organization doesn't have a smartphone? We
| got you covered. Authy SSH can send them the token via SMS or
| a phone call."
| ezekg wrote:
| If you use Authy, turn off "allow multi-device" and SIM-
| swapping isn't an issue. This should be on regardless of the
| leak.
| SketchySeaBeast wrote:
| But one of the selling points for me was to allow multiple
| devices so that if one broke I'd still have access.
| greenchair wrote:
| people with this use case would need to be comfortable
| taking on the extra risk.
| FabHK wrote:
| You can enable multi device, and have it on multiple
| devices, then disable it (and keep it on multiple devices -
| it's just that then adding yet another device needs
| toggling multi-device on from an existing device, a
| confirmation SMS is not enough).
| SketchySeaBeast wrote:
| Perfect. I can just toggle it on when I add another
| device. Thank you, great solution.
| tamimio wrote:
| > for the 100,000th time, just stop using phone numbers for
| 2FA.
|
| I agree, and I say this to whoever asks me too, and I avoid any
| services that still use phone numbers as a way to associate it
| to you (Signal, I'm looking at ya!)
|
| However, easier said than done, some services still require you
| to use a phone number, like banks, some government agencies,
| insurance companies, etc., the services that actually matter if
| your data get leaked. I believe there should be a regulation to
| prevent using the phone in any way to confirm your ID, and
| never force you to provide one to access such services.
| k8sToGo wrote:
| It doesn't scare me because in Authy you also set a password
| without which you cannot access the codes.
|
| The phone number here just acts as a username.
| simcollect wrote:
| How come companies don't care about encrypting their users' data
| in their databases?
|
| It's been possible for a very long time now.
|
| Yet, companies keep leaking. And people keep sleeping.
| sethammons wrote:
| Why would that have helped? The endpoint was exposing the data,
| not the database. The endpoint would have simply decrypted.
|
| encryption of data at rest is for hard drives that walk off,
| not for access.
| Dma54rhs wrote:
| How to confirm if my number was one of the leaked ones?
| sofixa wrote:
| I suppose https://haveibeenpwned.com/ will add the information
| when it can be verified.
| blackeyeblitzar wrote:
| Authy makes it hard to migrate away. Anyone know how to get the
| seed of the 2FA codes? Is there really no export option?
| conception wrote:
| Maybe?
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| hypeatei wrote:
| Authy desktop is no longer available and you need a specific
| version.
| tamimio wrote:
| I had that exact needed version when I migrated, if you
| need it, I can look it up, but there's a slim chance that I
| deleted it.
| deegles wrote:
| You'll have to reset them one by one.
| drooopy wrote:
| I finished that process recently for 50+ accounts. It's
| something that I would definitely wish on my worst enemy.
| tamimio wrote:
| Ha! when I finished mine, I actually bought myself some
| treats and snacks for celebration.
| hipadev23 wrote:
| I slowly migrated away from Authy when they decided to shut
| down their desktop authenticator. You can painfully export
| codes, though I generated new 2FA codes at every vendor.
| slightwinder wrote:
| Some months ago, I used https://github.com/alexzorin/authy to
| export them. It basically creates a dummy-device to access the
| tokens, and then exports them to some format. But I have not
| figured out how to import them now into another app.
| hypeatei wrote:
| Use the plaintext export option on that project. Most TOTP
| apps should accept the URIs that are exported. Maybe not en
| masse but individually for sure.
| slightwinder wrote:
| Ah, thank you, that worked in Aegis. I just missed the
| option for plaintext because of the long list of supported
| apps. So all it needs is a textfile with one
| otpauth://-entry per line and it imports them all at once.
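Reading an export of the kind described above, one otpauth:// entry per line, and generating codes from it, as an added example that is not code from this thread, from Authy, Aegis or oathtool. It uses only the Python standard library and implements RFC 4226 HOTP and RFC 6238 TOTP directly. The two export lines are constructed and carry the RFC test secret (ASCII "12345678901234567890"), so the codes can be checked against the RFC vectors; the GitHub/alice and Example/bob labels are made up.

```python
"""Parse otpauth:// lines (the format Aegis imports in bulk) and compute
HOTP/TOTP codes from them.  Example code added to this thread; it is not
Authy's, Aegis's or oathtool's code.  SAMPLE_EXPORT is constructed and
uses the RFC 4226/6238 test secret so the output is checkable."""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample export: one otpauth:// entry per line.
SAMPLE_EXPORT = """\
otpauth://totp/GitHub:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=6&period=30
otpauth://hotp/Example:bob?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&digits=6
"""


def parse_otpauth(uri: str) -> dict:
    """Return the fields of one otpauth://{totp,hotp}/... URI as a dict."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError(f"not an otpauth totp/hotp URI: {uri}")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    if ":" in label:                       # "Issuer:account" form
        label_issuer, _, account = label.partition(":")
    else:
        label_issuer, account = "", label
    # Base32 secrets are often exported unpadded and/or lower case.
    secret = q["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)
    return {
        "type": u.netloc,
        "issuer": q.get("issuer") or label_issuer,
        "account": account,
        "key": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "counter": int(q.get("counter", "0")),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time() if at is None else at)
    return hotp(key, t // period, digits, algorithm)


def code_for(entry: dict, at=None) -> str:
    """Current code for a parsed entry (time-based or counter-based)."""
    if entry["type"] == "totp":
        return totp(entry["key"], at, entry["period"], entry["digits"], entry["algorithm"])
    return hotp(entry["key"], entry["counter"], entry["digits"], entry["algorithm"])


def load_export(text: str) -> list:
    """Parse a whole export file: one URI per line, blank lines ignored."""
    return [parse_otpauth(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for e in load_export(SAMPLE_EXPORT):
        print(f'{e["issuer"]:>8} {e["account"]:<20} {code_for(e)}')
```

With the RFC test secret, counter 0 gives 755224 and counter 1 (or TOTP at unix time 59) gives 287082, which is a quick way to confirm a migrated secret was decoded correctly before the old app is wiped. Note that the HOTP counter in an export is only as fresh as the moment of export; if the old app was used afterwards the server-side counter will be ahead and the new app needs a resync.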
| prevent6672 wrote:
| I thought I had a lot of totp codes to migrate but then it
| turned out I didn't use many of them. After deducting them,
| there remained 10 apps that I needed to migrate. It took me an
| hour to port them to bitwarden manually.
| EVa5I7bHFq9mnYK wrote:
| Just write down any key before you store it in Authy.
| snowwrestler wrote:
| I use Authy's iOS app to generate 2FA tokens for a few accounts.
| I cannot remember ever entering my phone number into it, or
| establishing an Authy account of any kind. Is there some other
| way they would have acquired my phone number?
|
| I'm trying to see if the issue is some unanticipated issue with the
| iOS client app itself, or if it is only affecting people who
| created online accounts with Authy to sync their 2FA credentials
| across devices.
| inhumantsar wrote:
| Authy is both a SaaS and a consumer-facing authenticator app.
|
| When companies integrate Authy into their system, they can use
| it for SMS OTP (also deliverable by phone call + TTS iirc) as
| well as regular TOTP, Authy's proprietary TOTP, and others.
|
| Your phone number would only be at risk if you used a service
| which used Authy for SMS 2FA.
| ffsm8 wrote:
| The consumer app also wants your phone number... It prompts
| you to "backup" your codes, so that they're not gone if you
| reinstall the app or switch devices
|
| You probably gave them your phone number at some point if
| you've got Authy on multiple devices.
|
| /Edit: just checked on a clean install. It prompts for a
| phone number instantly and won't let you scan codes without
| creating an account. Not sure when that happened, as I
| haven't really used it in years.
| inhumantsar wrote:
| Figures. I stand corrected then.
|
| We used Authy for 2FA at my last company and migrated off
| it to use a complete auth platform. The amount of user
| (consumer and business) hostile shit we found in the
| process was astounding.
|
| Twilio was nice to work with way back when it was the only
| decent API-driven POTS connection service out there.
| They've steadily gotten worse over the years and
| acquisitions though. Wouldn't recommend them to my worst
| enemy these days.
| razakel wrote:
| You know, one thing I learned from my patients... they
| all hate the phone company. It's interesting; even the
| stock holders of the phone company hate the phone
| company!
| inhumantsar wrote:
| As a former telco employee and current telco shareholder,
| can confirm.
| stogot wrote:
| What do you recommend now
| inhumantsar wrote:
| For authentication services to integrate into
| apps/services, Zitadel.
|
| For consumer password/2FA management, Bitwarden and
| Yubikey.
| jordigh wrote:
| What's Authy's proprietary TOTP protocol? Is it just in fact
| HOTP, like Duo?
|
| https://news.ycombinator.com/item?id=20936222
| slightwinder wrote:
| Have you looked into the settings? On android you can see a
| cellphone-number and e-mail there. If they are missing, I guess
| it's not known to them.
| snowwrestler wrote:
| Nothing in the iOS Settings app for Authy, but tapping the
| little gear icon in the app UI shows my phone number and
| email! I guess I did enter them at some point and forgot.
| Thanks.
| k8sToGo wrote:
| If you use cloud sync I think it requires your phone number.
| toomuchtodo wrote:
| Cloudflare should probably deprecate their Authy provider,
| considering they support other more secure MFA options
| (hardware and virtual WebAuthN). I believe Wise (ex
| TransferWise) and Plastiq also use Authy natively for SMS OTP
| server side, but provide no mechanism to disable SMS 2FA (boo).
|
| https://authy.com/guides/cloudflare/
| jgrahamc wrote:
| There's no "Use Authy" option any more in Cloudflare. It just
| says: Mobile App Authentication
| Secure your account with TOTP two-factor authentication.
|
| And clicking the button gives you a generic QR code to use
| with app of your choice.
| toomuchtodo wrote:
| Thank you for correcting me, Cloudflare was presented as an
| Authy token that would be destroyed when I deleted my Authy
| account and some of the docs I found led me to believe this
| was still actively in use. I retract the Cloudflare part of
| my above comment.
| jgrahamc wrote:
| No need to apologize. We did use Authy for a long time
| but allowed more general TOTP solutions from 2017 and
| have really pushed hard for people to use hardware keys.
| ayewo wrote:
| > I cannot remember ever entering my phone number into it, or
| establishing an Authy account of any kind. Is there some other
| way they would have acquired my phone number?
|
| Entering your phone number was mandatory. This was what turned
| me away [1] from Authy to Duo Mobile on my Apple devices.
|
| https://news.ycombinator.com/item?id=33244324
| MenhirMike wrote:
| Does anyone have a recommendation for an Open Source 2FA OTP app?
| That's the only thing I use Authy for, to scan the QR Codes into
| the App and generate the 2FA tokens, but in a way that allows me
| to migrate to another phone without having to re-set all the 2FA
| tokens on the vendor side.
| WanderPanda wrote:
| I'm using Raivo. It hasn't let me down, yet
| pxeger1 wrote:
| Raivo was bought by a shady developer last year and is no
| longer open source. If that wasn't enough, a few weeks ago
| they released an update which deleted all your codes -
| failing at literally the one job a 2FA app has!
| mm263 wrote:
| The same Raivo that was sold to some shady dev who proceeded
| to delete all of the OTPs that I had in the app?
|
| https://www.reddit.com/r/privacy/comments/1d3zqvv/raivo_auth.
| ..
| TheBozzCL wrote:
| I use a YubiKey with their Authenticator app.
| notatworkbro wrote:
| I've implanted my 2FA token in my arm and just hope it never
| breaks :D
| fragmede wrote:
| Which one did you get? Did you get the Apex Flex from
| Dangerous Things? How do you like it/how was the process?
|
| https://dangerousthings.com/product/apex-flex/
| MaxMatti wrote:
| I used Aegis for a while and really liked it, switched to
| Bitwarden now but the UX was better
| hypeatei wrote:
| I use both and make offline backups regularly.
| bobbylarrybobby wrote:
| I'm of the opinion that it's basically fine to store them in
| your password manager. Yes if your password manager is broken
| into you lose everything (same as having no 2fa in that case),
| but you still prevent people from guessing your password and
| often avoid having to deal with email- or text-based 2fa. And
| if your password manager is broken into, there's a good chance
| your device has been broken into, in which case it doesn't
| matter where you store your 2fa.
| brightball wrote:
| I mix it up and store some 2FA on different apps.
|
| When it's not a system I'm deeply concerned about I will just
| use the 2FA on the password manager.
| nwhale wrote:
| If you do not need QR codes, _oathtool_ is great. You can
| protect your tokens, recovery codes etc. with _gpg -c_ or
| similar, so the encryption is entirely separate from the
| authentication mechanism.
|
| And you actually know what is going on. Works for GitHub.
|
| https://www.nongnu.org/oath-toolkit/
| SushiHippie wrote:
| For Android I'd recommend Aegis
|
| https://f-droid.org/packages/com.beemdevelopment.aegis/
|
| Or if you have a YubiKey you could also use it for TOTPs
|
| Windows, Linux, Android: https://github.com/Yubico/yubioath-flutter
|
| iOS: https://github.com/Yubico/yubioath-ios
|
| I personally use Bitwarden for TOTPs (with a self hosted
| vaultwarden instance), it's by far not the most secure way to
| store your passwords and TOTPs next to each other, but it saves
| so much time.
| alias_neo wrote:
| This.
|
| I migrated to Aegis a while back because I wasn't happy with
| how hard it is to get secrets out of Authy, or that someone
| else is managing them, or that they need my phone number
| (guess I was right, again).
|
| I use Folder Sync on my Android to sync the Aegis auto-backups
| to a MinIO bucket I host at home.
| mrb wrote:
| I use andOTP https://github.com/andOTP/andOTP and my favorite
| feature is the database of 2FA can be backed up PGP-encrypted
| and reimported on another device. But sadly it is no longer
| maintained. The latest version on Google Play Store is from
| 2021 and can still be installed and works fine on Android 14.
| tamimio wrote:
| Ente Auth, or Bitwarden's built-in one, or KeePassXC's built-in one.
|
| Migrating from Authy is a headache, though you don't have to
| reset the tokens. I found a way to do it (1), but I had to do
| it manually because Authy only exported the email/user and the
| token. Now, if you are like how I used to be, having the same
| email for different accounts, the exported JSON will be
| confusing and there's no way to tell which account is for which
| service. Only in the Authy UI can you tell. I had to follow the
| order of the JSON and the app, one by one, for my 700+
| accounts, and verify that it works by going to the service site
| and testing the generated code from the new app, and also
| changing the email to a unique one. It took a whole week!
|
| Edit: to add, I wouldn't recommend using Yubico or hardware-based
| ones unless you will have two or more replicas; losing
| them is easy compared to having your tokens backed up in an
| encrypted KeePassXC db for example.
|
| (1)
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| prophesi wrote:
| For Android, if you happen to use Keepass as your password
| manager, I really like KeePassDX[0]. If the camera app you use
| doesn't support QR scanning, though, you'd need an app for that
| (and I don't think any FOSS camera apps implement this, as far
| as I can tell).
|
| This one[1] seems the most up-to-date, by a German research
| group. You'd share the link as text to the KeePassDX app,
| search for the entry it's for, and it populates it with the
| HOTP/TOTP secret.
|
| There are iOS Keepass clients that support this as well, though
| from what I can tell there's some drama with source code[2][3]
| in the landscape.
|
| [0]
| https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
|
| [1]
| https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
|
| [2] https://github.com/MiniKeePass/MiniKeePass/issues/606
|
| [3] https://keepassium.com/articles/keepass-apps-for-
| ios/welcome...
|
| And other allegations under the ethics & transparency sections
| of KeePassium's list of iOS alternatives
| https://keepassium.com/articles/keepass-apps-for-ios/
| etoulas wrote:
| https://2fas.com/
| localfirst wrote:
| There really has to be steep repercussions for companies that
| fail to protect user data like this. At this point I can't help
| but feel that there is wilful neglect with the aim of
| exfiltrating data with unknowable aim.
|
| Our digital data must be recognized as human rights but lately
| the world has been vocal about it but silent when it comes to
| action and enforcement.
|
| More and more reason why people no longer trust cloud hosted
| solutions. Offline-first, local-first with optional data sync is
| the _only_ path forward to combat violation of our rights to our
| own digital data.
|
| Case in point, feeding haveibeenpwned with a bunch of HN user
| handles reveals a good chunk of you aren't even aware your data
| has been leaked, especially ironic since I see comments from
| those handles are very anti-regulation when it comes to user data
| ownership.
| cj wrote:
| I agree the US in particular should have better data protection
| laws and consequences.
|
| But phone numbers aren't something I'd consider confidential in
| most cases. Hell, we used to publish our phone numbers in
| physical books and give them to the whole town for free
| (literally).
|
| The data was even monetized with ads plastering every page. I
| guess the digital age isn't all that different from the analog
| age (in certain ways!)
| localfirst wrote:
| That was before the internet. Now phone number leaks can be way
| more troublesome due to the way all of our data is connected
| to it via 2FA.
| olyjohn wrote:
| We didn't use phone numbers to prove our identity back then.
| It was only used to call you. You often wanted it to be
| public so you could be reached. Now it's a critical piece of
| information required to access services online and prove who
| you say you are.
| duckmysick wrote:
| > Twilio has detected that threat actors were able to identify
| data associated with Authy accounts, including phone numbers, due
| to an unauthenticated endpoint. We have taken action to secure
| this endpoint and no longer allow unauthenticated requests
|
| How do I avoid such problems in my own app? Force authentication
| for all requests with row-level security? Rate limiting?
|
| Any testing frameworks that would catch this? Something like
| "given endpoint /user/phone-number-validate make sure only <user>
| can access it".
| jmvoodoo wrote:
| One step we have taken is to build an auth system that requires
| you as the developer to explicitly specify the security of an
| endpoint using a decorator. If no decorator is provided, then
| the endpoint is completely locked down even to admins
| (effectively disabled).
|
| If an endpoint is decorated with something that is considered
| dangerous (i.e. public access), that triggers additional review
| steps. In addition, the authentication forbids certain
| combinations of decorators and access patterns.
|
| It's not perfect, but it has saved us a few times from securing
| endpoints incorrectly in code.
| hypeatei wrote:
| .NET web apps / APIs have an option where you can require
| authorization on all controllers (and their actions) by
| default. If you need an anonymous controller/action, you can
| use the `[AllowAnonymous]` attribute on it.
| api_or_ipa wrote:
| You can easily do the same with most (all?) routers using
| middleware. Whether you get it slotted in your roadmap is a
| different story.
| brunoarueira wrote:
| It's a common problem. On a previous job, I found one
| unauthenticated endpoint just because I wanted to add some
| integration tests on it and my tests failed! After that, I
| created a script which lists all endpoints and curls each one
| with invalid credentials, expecting them to return 401.
| kardianos wrote:
| This is really, really, simple.
|
| 1. Build a single endpoint handler that handles auth, then
| looks up the endpoint on the path.
|
| 2. Never create direct endpoints, just register endpoints in
| the system that the auth endpoint works under.
|
| You know table driven tests?
|
| Use table driven endpoints. It works and makes things so much
| simpler and secure.
| znpy wrote:
| > 1. Build a single endpoint handler that handles auth, then
| looks up the endpoint on the path.
|
| > 2. Never create direct endpoints, just register endpoints in
| the system that the auth endpoint works under.
|
| So like, an authn/authz middleware ?
| cmgbhm wrote:
| This is actually a use-case I use for interviews.
|
| 1. Everyone tests authenticated user can do the right thing.
|
| 2. Can <wrong|expired> authenticated user access the data?
|
| 3. Can an unauthenticated user access data?
|
| If there's a testing framework that does this scaffolding
| automatically, I'd love to hear it.
| tmpz22 wrote:
| Holy shit why is this even a question?? You. Write. Tests.
|
| You build into your testing framework/library a mechanism that
| will craft sessions across your range of authentication-levels
| - unauthenticated (no-session), authenticated but unauthorized,
| etc. You mandate new endpoints must have permissions test in
| code review.
|
| Simple, straight forward, and absolutely the bare minimum of
| competency for any endpoint returning personal data.
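The pattern jmvoodoo, kardianos and hypeatei describe (every route must declare its access level, an undeclared route is locked, a public route needs explicit sign-off) next to the check brunoarueira and cmgbhm describe (walk every registered route and ask whether an anonymous caller, a wrong-but-authenticated caller and the right caller get what they should). This is an added example, not Twilio's code and not the .NET attribute mechanism; the router, the session model and the two-row phone-number table are constructed stand-ins for a real framework and database. One route is deliberately written with the authenticated-but-wrong-user bug so the check has something to find.

```python
"""Deny-by-default endpoint authorization plus a table-driven auth test
that asks three questions of every registered route.  Example code
added to this thread; it is not Twilio's, .NET's or any poster's code.
The router, the sessions and the phone-number table are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but not allowed here."""


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str] = None            # None = no session token at all
    params: dict = field(default_factory=dict)


# Constructed user data: exactly what an open endpoint must not hand out.
PHONES = {"alice": "+15550100", "bob": "+15550199"}
ACCESS_LEVELS = ("public", "user", "admin")


class Router:
    """Handlers must declare an access level.  A handler registered without
    one is locked and answers Forbidden to everyone, admins included."""

    def __init__(self):
        self.routes: dict = {}            # path -> (handler, access or None)

    def route(self, path: str, access: Optional[str] = None, reviewed_by: str = ""):
        if access is not None and access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {access!r} for {path}")
        # Public is the dangerous case: refuse to register it until someone
        # has signed off on it in code, so it shows up in review.
        if access == "public" and not reviewed_by:
            raise ValueError(f"{path}: public endpoints need reviewed_by=")

        def register(fn):
            self.routes[path] = (fn, access)
            return fn
        return register

    def dispatch(self, req: Request):
        fn, access = self.routes[req.path]
        if access is None:
            raise Forbidden(f"{req.path} has no access policy; locked")
        if access == "public":
            return fn(req)
        if req.user is None:
            raise Unauthorized(req.path)
        if access == "admin" and req.user != "admin":
            raise Forbidden(req.path)
        return fn(req)


app = Router()


@app.route("/health", access="public", reviewed_by="security-team")
def health(req):
    return {"ok": True}


@app.route("/user/phone", access="user")
def my_phone(req):
    # Row-level rule: the subject comes from the session, never from input.
    return {"phone": PHONES[req.user]}


@app.route("/user/phone-by-account", access="user")
def phone_by_account(req):
    # Constructed bad pattern: authenticated, but returns whichever account
    # the caller names.  The check below must flag it.
    return {"phone": PHONES[req.params["account"]]}


@app.route("/admin/export")               # forgot access=...: locked, not open
def export_all(req):
    return PHONES


def rejected(router: Router, req: Request) -> bool:
    """True if the router refused the request (401 or 403 equivalent)."""
    try:
        router.dispatch(req)
        return False
    except (Unauthorized, Forbidden):
        return True


def check_all_routes(router: Router, owner="alice", other="bob") -> list:
    """Ask the three questions of every route; an empty list means all pass."""
    findings = []
    secret = PHONES[owner]
    for path, (_, access) in router.routes.items():
        def call(user):
            try:
                return router.dispatch(Request(path, user, {"account": owner}))
            except (Unauthorized, Forbidden):
                return None
        # 1. Can an unauthenticated caller get data?
        if access != "public" and call(None) is not None:
            findings.append(f"{path}: served an unauthenticated request")
        # 2. Can a different authenticated user read the owner's data?
        if secret in str(call(other)):
            findings.append(f"{path}: user {other} read {owner}'s phone number")
        # 3. Does the right user still get through?
        if access == "user" and call(owner) is None:
            findings.append(f"{path}: owner {owner} was denied")
    return findings


if __name__ == "__main__":
    for line in check_all_routes(app) or ["all routes pass"]:
        print(line)
```

The point of iterating `router.routes` rather than a hand-written list is that a route someone adds next month is checked automatically; the hand-written list is how endpoints get forgotten. Question 2 is the one the decorator alone cannot answer, because "authenticated" says nothing about which rows the caller may see; that is why the test feeds the other user's identifier in `params` and looks for the owner's data in the response.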
| tetha wrote:
| Mh, I'm probably comparing apples to oranges and such.
|
| But the last 2-3 times I set up a config management, I made sure
| to configure the local firewalls as deny-all by default, except
| for some necessities, like SSH access. And then you provide
| some convenient way to poke the necessary holes into the
| firewall to make stuff work. Then you add reviews and/or
| linting to make sure no one just goes "everything is public to
| everyone".
|
| This way things are secure by default. No access - no security
| issues. And you have to make a decision to allow access to
| something. Given decent developers, this results in a pretty
| good minimum-privilege setup. And if you fuck up... in this day
| and age, it's better to hotfix too little access over losing
| all of your data imo.
| otachack wrote:
| As alternatives: I use Authenticator Pro on my phone and keep
| encrypted backups whenever I modify it. I know others have
| pointed out Aegis.
|
| The issue is starting the migration out of Authy. Assuming Authy
| has no easy export, I suggest you migrate over a few entries at a
| time (maybe from top down) while keeping account of transfers
| somehow. You can have authenticators live side by side in the
| meantime!
| cmgbhm wrote:
| You can rename them as they are migrated
| jmbwell wrote:
| iOS/iCloud has a built-in TOTP function also. Maybe better for
| friends and family than some people here.
|
| https://support.apple.com/guide/iphone/automatically-fill-in...
| delduca wrote:
| I have been using Apple's Passwords, it is great.
| blueelephanttea wrote:
| It's good. And the introduction of the Passwords app this fall
| will make it better.
|
| But it seems to me that Apple only supports adding TOTP codes
| if you have a password for the account. Which is annoying if
| you want to split your passwords and second factor into two
| different places. (For example if you wanted Bitwarden for
| passwords and TOTP/Passkeys in Apple.)
|
| You can of course put a dummy password in Apple. But that is
| kind of annoying.
| hypeatei wrote:
| I just migrated off of Authy last week but I was probably caught
| in this breach, ugh. Never liked it but they make it extremely
| difficult to export your data.
|
| I used this project for exporting:
| https://github.com/alexzorin/authy
|
| EDIT: it appears this project was actually using the
| unauthenticated endpoint (used in breach, too) to facilitate
| exporting, lol. Good luck to anyone trying to get off of Authy,
| Twilio really doesn't want you to export your data for "security"
| reasons.
| Zetaphor wrote:
| I also just recently left for Aegis and have been very happy. I
| feel much better knowing that my 2FA is completely offline
| teamspirit wrote:
| Right, I did the same a while back. Aegis for Android and
| 2FAS for iOS. Never looked back.
|
| Also, if anyone is going either direction, Android <-> iOS,
| both of these open source options allow easy export.
| lifeinthevoid wrote:
| 2FAS also exists for Android, is Aegis superior or you
| don't use 2FAS on Android for another reason?
| teamspirit wrote:
| Didn't realize it exists for Android. I use ios now but
| Aegis was great on Android.
| NelsonMinar wrote:
| The lack of export in Authy is a really ugly choice they made.
| When I migrated to Aegis I used some hack that involved a
| desktop Electron app's javascript console. I wonder if that
| still works?
| hypeatei wrote:
| They don't offer Authy Desktop anymore officially and you
| need a specific version. Not sure if the hack still works if
| you have it installed.
| Yhippa wrote:
| What did you end up moving to?
| hypeatei wrote:
| Storing 2FA in Bitwarden (my password manager) and Aegis as a
| fallback. Also making offline backups of each periodically.
| mort96 wrote:
| Doesn't Bitwarden require you to be on the paid
| subscription plan to use 2FA? That's what I concluded
| anyway from trying to research this garbage when Microsoft
| was threatening to lock me out of my Github account. It's
| why I ended up on Authy.
| pnw wrote:
| Has anyone found a single open-source app that supports both
| mobile and desktop though? That was the attraction of Authy
| before they killed their desktop apps.
| hypeatei wrote:
| Most password managers support it and offer mobile + desktop
| clients.
| EVa5I7bHFq9mnYK wrote:
| The desktop version somewhat contradicts the purpose of 2FA.
| hypeatei wrote:
| Not really, 2FA is literally just that: a second factor.
|
| It makes it unlikely someone has access to both your
| password and the TOTP URI. So, if you leak your password on
| a public forum (for example), the person who gets that is
| not likely to also have your TOTP info.
| mort96 wrote:
| Good thing that 2fa is entirely unnecessary.
| smaddox wrote:
| No wonder I've seen such a major spike in spam calls / texts.
| 29athrowaway wrote:
| > due to an unauthenticated endpoint.
|
| This is truly unacceptable for an authentication product.
|
| An authentication product that doesn't implement authentication
| correctly in their own APIs?
| flutas wrote:
| IMO: I'm pretty sure this is less of an auth issue, than it is
| a rate limiting issue.
|
| I haven't been able to find anything about the endpoint, but
| based on the data exposed[0] I think the endpoint they are
| talking about is the register one which requires a phone
| number.
|
| I'd bet they didn't rate limit it, and someone just blasted
| through all phone numbers with it and stored the data for ones
| that didn't error out.
|
| [0] The CSV data columns: account_id, phone_number,
| device_lock, account_status, device_count
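The failure mode flutas is guessing at, as an added example that is not Twilio's or Authy's code and does not describe the real endpoint: a lookup that answers differently for registered and unregistered numbers is an enumeration oracle even when it leaks nothing else, and the two standard mitigations are a uniform response (removes the signal) and a per-client rate limit (slows the walk). The account table, whose columns mirror the CSV headers quoted above, the 50-number candidate range, the client address and the limits are all constructed.

```python
"""Phone-number enumeration against a lookup endpoint, next to a uniform
response and a sliding-window rate limit.  Example code added to this
thread; the endpoint, records and limits are constructed and are not
Twilio's or Authy's."""
from collections import defaultdict, deque

# Constructed account table using the leaked CSV's column names.
ACCOUNTS = {
    "+15550100": {"account_id": 1001, "phone_number": "+15550100",
                  "device_lock": True, "account_status": "active", "device_count": 2},
    "+15550142": {"account_id": 1002, "phone_number": "+15550142",
                  "device_lock": False, "account_status": "active", "device_count": 1},
}
OUTBOX = []   # stands in for the SMS/push delivery queue


def lookup_leaky(phone: str):
    """Oracle: status and body differ by whether the number is registered,
    and the record itself is returned."""
    rec = ACCOUNTS.get(phone)
    if rec is None:
        return 404, {"error": "unknown number"}
    return 200, dict(rec)


def lookup_uniform(phone: str):
    """Same status and same body either way.  Whatever the number is for
    (a push to the registered device, a verification SMS) happens out of
    band, and both branches do the same work so timing does not leak."""
    rec = ACCOUNTS.get(phone)
    OUTBOX.append({"phone": phone, "deliver": rec is not None})  # delivery drops deliver=False
    return 202, {"message": "If this number is registered, a verification was sent."}


class RateLimiter:
    """Sliding-window limiter keyed by client (source IP, API key, ...)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window:      # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def guarded(lookup, limiter: RateLimiter):
    """Wrap a lookup so it answers 429 once the client exceeds the limit."""
    def handler(phone: str, client: str, now: float):
        if not limiter.allow(client, now):
            return 429, {"error": "too many requests"}
        return lookup(phone)
    return handler


def enumerate_numbers(handler, candidates, client="203.0.113.5"):
    """Attacker loop: one request per second over a range, keeping the
    numbers that answered 200.  Returns (found, requests_blocked)."""
    found, blocked = [], 0
    for i, phone in enumerate(candidates):
        status, body = handler(phone, client, now=float(i))
        if status == 429:
            blocked += 1
        elif status == 200:
            found.append(body["phone_number"])
    return found, blocked


CANDIDATES = [f"+1555{n:04d}" for n in range(100, 150)]   # constructed 50-number range

if __name__ == "__main__":
    print("leaky, no limit:   ", enumerate_numbers(guarded(lookup_leaky, RateLimiter(10_000, 60)), CANDIDATES))
    print("leaky, 5/minute:   ", enumerate_numbers(guarded(lookup_leaky, RateLimiter(5, 60)), CANDIDATES))
    print("uniform, no limit: ", enumerate_numbers(guarded(lookup_uniform, RateLimiter(10_000, 60)), CANDIDATES))
```

The two mitigations are complementary, not interchangeable: a per-IP limit only raises the cost, and an attacker with many source addresses walks the range anyway, while the uniform response removes the signal regardless of request volume. When a business reason forces a distinguishable answer (for example "this number already has an account" at sign-up), the endpoint is a lookup oracle by design and needs authentication, strict limits and monitoring for sequential probing.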
| ilrwbwrkhv wrote:
| Jesus fucking Christ. Can these companies learn how to write
| software? Quality is dropping like dogs. Twilio used to be a good
| company and now they are utter shite. Such a shame. Leetcode and
| bad hiring practices have done this to our industry.
| sethammons wrote:
| Neither bad hiring nor leet code is a problem with Twilio
| properties in my experience. Quality however, that gets
| railroaded by "deliverables" -- the problem is craftsmanship is
| hard to maintain and manage as companies scale while priority
| shifts to product announcements.
| ilrwbwrkhv wrote:
| There needs to be penalties. Massive penalties for breaches
| like this. That is the real problem. Nothing will happen to
| Twilio even though they caused such loss. They need to suffer
| economically for this, then quality will improve.
| Zambyte wrote:
| It seems much easier to pin the ever-decreasing quality of
| software on the practice of trying to keep everything secret
| (propriety). Like, obviously it's not secure if they don't let
| people audit it...
| okokwhatever wrote:
| I still remember how hard was the process to be hired in this
| company. Maybe just a mask to hide the sad truth.
| delduca wrote:
| I never trusted them, I hated the fact of having to use SMS.
| ndneighbor wrote:
| I guess this explains the recent uptick in spam...
| pembrook wrote:
| While this sucks, my phone is in so many data breaches at this
| point it doesn't matter.
|
| The spam-to-ham ratio on my phone number is now far worse than
| any other channel for me. The traditional phone network is at
| risk of going the way of the fax machine if we don't do something
| about the spam problem like we did with email.
|
| If I'm on a call, even with family, it's now almost exclusively
| on FaceTime/zoom/meet/etc. I can't remember the last time I
| talked on the traditional phone network or received a legitimate
| call. Which isn't great because those aforementioned platforms
| are all proprietary walled gardens with terrible incentives --
| once they capture the market fully they will eventually dump ads
| all over your calls. Don't believe me? Just look at what Gmail
| did to monetize the lock-in on your inbox.
| cjbgkagh wrote:
| I think that is intentional, AFAIK phone communication is more
| protected than other types so allowing spam to continue
| unabated is in the government's interest. Outsourcing the
| harassment to 3rd parties, similar to how prison torture is
| outsourced to the inmates. The government could fix these
| things but would rather not.
| darby_nine wrote:
| I think we just don't have very much competition in
| telecommunications so things never get fixed. Why bother?
| It's easier to extract rent off largely the same offerings as
| the rest of your market (difficult to understand pricing
| tiers that function as a congestion tax more than a
| transaction, often region-specific monopolies or duopolies,
| indistinguishable quality of service) and bring home large
| profits, market efficiency damned.
|
| Yes, I'm exaggerating. No, it's not by much.
| cjbgkagh wrote:
| Almost no-one is pro-spam, it's pretty much universally
| hated, and in many cases it's already illegal so it's more
| of a matter of enforcement. It is also trivial to detect.
|
| Sure there probably is some regulatory capture but if
| anything at all can be regulated it's spam calls /
| messages. If the government can't regulate spam then what
| could it be expected to regulate.
|
| The general population is increasingly worried about scam
| calls for their elderly relatives, it's already a big deal.
| ToucanLoucan wrote:
| > Almost no-one is pro-spam
|
| In fact there are really only two groups that are pro-
| spam: spammers, obviously, and the entities that provide
| them services from which they may spam.
|
| Oh sure basically any provider of any service be it
| phone, web hosting, email, etc. will _say_ they don't
| want spammers, and the email providers _may actually mean
| it_ what with them not wanting their server's scores
| trashed and be unable to get email to anyone (though
| plenty others don't give a shit), but website hosts,
| telephone companies, and SMS providers? They utterly do
| not care and in fact go out of their way to not know when
| spammers are (mis)using their services.
|
| Meanwhile like that other commenter said, everyone is
| incentivized to enter walled garden services that
| actually do the barest minimum of enforcement for spam
| activity. I doubt they're conspiring in a dark room
| somewhere, but neither side is going to be upset at the
| other in that situation.
| cjbgkagh wrote:
| Hence my other example of the inability to police prisons
| enough to prevent abuse, I didn't allege an explicit
| scheming but a happy little accident. Allowing a problem
| to fester when it benefits you is totally normal and
| expected behavior. But if there is a role for government
| at all it would be to regulate such dysfunctions.
| treflop wrote:
| Email is easier to mitigate spam with. The whole body of
| the message is given upfront.
| varjag wrote:
| It's easy now. It was an unsolved problem two decades
| ago.
|
| And it's not like there's no technical means for the
| phones either. Just enforcing caller ID would go a long
| way to curtail spam. Like in our great Red Tape Europe,
| even with uptick in recent years we have a tiny fraction
| of spam calls compared to the United States.
| SoftTalker wrote:
| I make and receive regular phone calls all the time. However I
| only answer those that are from numbers I have in my address
| book. I do the same with text messages, I have my default view
| set to "Known Senders" so I'm not even really aware of others.
| If I'm expecting an unknown sender message, such as a TFA code,
| it's easy enough to just look in "Unknown Senders" for it.
| Ghexor wrote:
| How convenient for the data collecting companies that so
| generously sponsor the new & free services, that our
| democratically controlled communication infrastructure loses
| in value.
| TeMPOraL wrote:
| Advertising is a cancer on modern society. It will
| metastasize to any new communications medium, public or
| private, and destroy it from within. People will switch to
| a new medium that offers less spam, but advertisers quickly
| follow to strip-mine the new channel. A cycle of life, so to
| speak.
| lovethevoid wrote:
| It's also so annoyingly circular. We spend money to get more
| clients but this stops being effective at a certain point
| so now you're just spending money to advertise for the sake
| of it or the status, and could even be losing money by
| doing so.
| pembrook wrote:
| I don't have a problem with advertising generally, as long
| as I know upfront that's what funds a tool I'm using, and
| isn't disguised like a non-ad (eg. Unlike what Google does,
| which is outright deception). Advertising and spam are two
| separate things in my book.
|
| However, my real problem is with what I call "The Google
| Strategy." Basically, they take publicly funded
| infrastructure like HTTP and SMTP, capture the network by
| dumping "free" products on the market (with basically no
| advertising), kill off competitors, then monetize their
| market capture by removing the "free" part, packing these
| products with ads, making them worse and worse over time in
| the process. And everyone is trapped, since they captured
| the network of this public infrastructure. This is the
| story of Google Search, Gmail, YouTube, etc.
|
| It's anti-competitive, anti-markets, and quite frankly
| should have been regulated away as a strategy a long time
| ago.
|
| Google basically ran Microsoft's classic anti-competitive
| B2B strategy to capture the consumer internet, and got away
| with it!
| mort96 wrote:
| > I don't have a problem with advertising generally
|
| You should, honestly.
| AnthonyMouse wrote:
| "Our democratically controlled communication infrastructure"
| honestly deserves to be deprecated and replaced with some
| kind of federated voice system that comes out of the IETF
| instead of the telcos. What kind of antediluvian nonsense
| doesn't use end-to-end encryption in 2024?
| bonestamp2 wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Doctors and dentists.
|
| Most of the calls I get are spam, but then the MOST important
| calls I get are from doctors, labs, and dentists. I do as much
| as possible online of course, but not all of these
| professionals have good online systems and phone calls are
| often required.
|
| Sometimes you know what number they're going to be calling from
| ahead of time, but often you don't... especially if you're in a
| large medical network that has different offices for different
| specialists, etc. It's a really sad situation if you get sick
| and you're trying not to miss these important calls, especially
| when it's a long wait for a specialist and then you miss their
| call when they get to your name on the waiting list.
|
| This will literally cost some people their lives and
| legislators need to act on making spoof calls impossible --
| there's no reason why anyone should be allowed to spoof a
| number that they can't receive calls at.
| tmpz22 wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Social services are another example. Many services are
| county-administered and thus don't have a centralized online
| platform. As always our most vulnerable populations suffer
| the most from techno-greed. Not the families of software
| engineers who built the system.
| thephyber wrote:
| I recently had to help my father organize his medical visits.
|
| Dealing with his healthcare providers was a bit of a pain,
| but it was _way_ worse because he has stopped answering
| calls, primarily because of the call spam rate. I think
| because he owns his own business, he never fails to hand out
| his contact info when he is shopping, and he owns his own
| business (so his contact info is published by the city).
|
| His phone provider has a feature to opt into spam filtering,
| his phone has another, and I downloaded a spam list filtering
| app for him. I disabled the ringer for numbers not in his
| contact list. I did similar actions to reduce spam in his
| text messages.
|
| This was a good triage, but the damage is already done to his
| psyche. He doesn't answer the phone anymore.
| codersfocus wrote:
| Why not get a second sim? Most phones can have 2 sims
| active, and a phone / text only plan is dirt cheap
| (3-6$/m).
|
| Offer the second number with much greater discretion.
| qingcharles wrote:
| From experience it seems to be semi-random.
|
| I've never had a single spam call on my main phone
| number, but friends who have got a new number get maybe
| 20 spam calls per day, with only having given their
| number to their closest friends and family.
|
| I think one factor that weighs in heavily is if your
| contacts download thousands of spam apps onto their
| phones and click YES to every permission. Then your phone
| number is harvested from your contact's phone and sold.
| TikTok, for instance, will beg me multiple times on a
| frequent basis to see my contacts. I don't think you can
| even install WhatsApp without giving it your entire phone
| book, can you?
| toast0 wrote:
| I don't know about most phones supporting that, probably
| depends on the market.
|
| But best I can tell, 80% of my spam calls are just war
| dialing; a new number would get war dialed just as much.
| Probably wouldn't get collections calls for my deadbeat
| cousin though.
| AdamJacobMuller wrote:
| I haven't answered my phone for anyone not in my VIP list
| in a year or two.
|
| I can see when someone is calling and in realtime see them
| leaving a voicemail via speech-to-text and pick up the call
| if I want but 99.999% of the time it's spam.
| A4ET8a8uTh0 wrote:
| Which app did you use ( I seem to have similar issue with
| my other parent )?
| unshavedyak wrote:
| Getting a new, out of state number can sometimes help.
|
| My phone is out of state due to my previous address, and 95%
| of spam i get is spoofed to that old town or the surrounding
| area.
|
| No doctors office/etc calls me from that area. It works
| pretty nice
| alister wrote:
| > _Getting a new, out of state number_
|
| The problem with that idea is that when you make _local_
| calls, people think that _you_ are the spammer.
|
| I too have an out-of-state number after having moved, and I
| can definitely confirm that when I make a local call, some
| people will not pick up after seeing the unusual area code
| on their caller ID. They told me so.
|
| There's another problem too: Even when I leave voicemail
| for a local business (plumber, dentist, replying to a "for
| sale" ad), some people will be thinking, Why does this guy
| need a plumber or want to buy my kayak if they live 1500
| miles away?
|
| I've resorted to leaving an explanation saying "Even though
| my area code is XYZ, I'm in the same city as you".
| DougN7 wrote:
| I've been impressed with my iPhone and/or carrier (AT&T in the
| US) for tagging incoming calls as spam or telemarketing. The
| phone does still ring but I know not to answer it.
| joe_the_user wrote:
| My phone number is from a different area code than I currently
| live in and I know no one from that area anymore. I can filter
| out 80% of spam just by ignoring calls from that area.
|
| I wind-up using the phone because so many organizations
| malevolently misfeature their websites - doing what you want to
| (pay basic bill or whatever) is hard but upselling and new
| features, those you can do instantly.
| yread wrote:
| Is this like an American thing? I'm in the Netherlands and I
| get like 1 spam call per two months (business
| internet/electricity salesperson usually)
| xyst wrote:
| America doesn't have privacy laws that prevent robot spam.
| Repercussions for violating the SPAM Act are not prosecuted
| very often.
|
| Personally, the only "spam" I get is flagged by the cellular
| provider and 99% of the time the calls are silenced. Not
| really an issue for me. The only people that "call" me are in
| my contacts list anyways. Everyone else can leave a VM or
| text message.
| grardb wrote:
| Definitely. I'm American and I've lived in the Netherlands
| for the past three years. The difference is night and day.
|
| Whenever I visit, I switch to my US SIM card and am
| immediately bombarded with spam texts (mostly from political
| parties) and scam calls. In my experience, Android is pretty
| good at marking calls and texts as "potential scams," but
| they're still there. In the Netherlands, I've gotten a few
| scam attempts via WhatsApp. Other than that, I think I've
| received one phone call soliciting donations to the Red
| Cross, and nothing else.
| xyst wrote:
| > Gmail did to monetize the lock-in on your inbox
|
| This is why I have my own mail server and domain. Full control
| over mail, and access to features that you pay for (ie,
| unlimited e-mail aliases, control over mailbox size). No more
| worrying about "google decided to shut your free account down
| for whatever reason." Bye bye decades of emails and loss to
| services that use email based OTP or magic link login.
| TacticalCoder wrote:
| > If I'm on a call, even with family, it's now almost
| exclusively on FaceTime/zoom/meet/etc.
|
| I really don't get that. I don't get these, on neither of my
| phones (I've got two numbers). When it rings, it's virtually
| always friends or family. Sometimes the bank/insurance/doctor.
| Very exceptionally do I get a commercial or scam call.
|
| I think it's not an argument good enough to excuse
| Authy here: _"my phone already leaked, so what's one more
| leak!?"_
|
| > Which isn't great because those aforementioned platforms are
| all proprietary walled gardens with terrible incentives
|
| Oh I fully agree. I'm using Telegram for chat but zero
| FaceTime/meet/WhatsApp here. People want to call me, they
| usually phone me. Once in a rare while Telegram.
| iamtheworstdev wrote:
| I'm jealous of you. I recently had a day where I got 25 phone
| calls. 23 were spam. Turning on iOS "ignore unrecognized phone
| numbers" has been amazing (I assume android has the same
| feature)
| graemep wrote:
| Wow. I was wondering why people were fussing about the odd
| spam call! The most I have had is 2 in a day and my number
| is in websites, social media, whatever.
|
| Almost all spam is instantly recognisable. Mostly visa and
| parcel delivery scams.
|
| I do not block unknown numbers because lots of
| organisations use them here (UK). This includes people I
| really do want to be able to contact me if they want to,
| such as the police.
| Angostura wrote:
| Interesting. Here in the UK I get about 1 spam phone call a
| year.
| kccqzy wrote:
| > I can't remember the last time I talked on the traditional
| phone network or received a legitimate call
|
| Doctors, dentists, moving companies, home improvement
| contractors, recruiters, etc. These are some of the most
| important phone calls I've received in recent memory.
|
| I don't know what world you live in, but I religiously block
| phone numbers after just one spam call. And I usually don't
| give out my phone number. (I'm much happier giving out email
| addresses since I have an infinite supply of addresses.) I
| never get enough spam calls that I feel like the phone system
| is going the way of the fax machine.
| jonathanlydall wrote:
| When I tried SendGrid it was super annoying that I had to install
| yet another Authenticator app on my phone. Now it's become a
| point of data loss.
|
| It's bizarre to me that Twilio decided to get into the
| Authenticator business at all, especially while SendGrid had
| plenty enough problems to keep them busy.
| deegles wrote:
| I have removed all SMS based 2FA from every account that allows
| it and you should too.
| yieldcrv wrote:
| and we should do product liability lawsuits on every service
| that only allows SMS based one time passwords, if they don't
| allow a client side only option
| mort96 wrote:
| Why? 2fa doesn't meaningfully add security if you're using
| decent passwords, and SMS-based 2fa is no less secure than no
| 2fa
| selbyk wrote:
| I'm a bit confused how this is relevant. Authy is a OTP app,
| nothing to do with SMS.
| yieldcrv wrote:
| Authy uses SMS based recovery of your entire account, a
| weaker link than a single service using SMS based OTP
| ingatorp wrote:
| You can always disable multi-device, so it can act like a
| regular OTP auth app.
| yakito wrote:
| We should have something similar to Apple's hide my email for
| phone numbers
| moffkalast wrote:
| "Company who thought they'd lost all public trust loses last
| additional bit of trust they didn't even know they still had,
| more at 11."
| darkr wrote:
| This doesn't surprise me. I found an information exposure vuln on
| the user registration endpoint a while ago (given a phone number
| of an authy user who had previously registered via another
| customer, retrieve all other numbers/devices/timestamps, email
| addresses and other info for that user).
|
| It took them two years to fix it.
| rvnx wrote:
| > Twilio has detected that threat actors were able to identify
| data associated with Authy accounts, including phone numbers,
| due to an unauthenticated endpoint
|
| Isn't it what you are describing?
| darkr wrote:
| Based on the reports that I've read so far, this vuln was
| different to the one I found, which was on an authenticated
| endpoint.
|
| Definitely some similarities though, I'd love to see some
| concrete technical information on it.
| exabrial wrote:
| That app is so dumb. Completely negated the usefulness of TOTP.
| Needs just to die already. Some executive over at Twilio signed
| the check for Authy acquisition and is still trying to justify
| the expense.
| awahab92 wrote:
| what do people use instead of twilio today? they make 2dcp
| verifications take too long
| blackeyeblitzar wrote:
| What's a better 2FA product that is E2E encrypted and lets me
| export the seeds?
| godzillabrennus wrote:
| Authy is basically unsupported. Not surprised. I switched my
| accounts to 1Password when they announced the end of life of the
| macOS app.
| bonestamp2 wrote:
| That makes sense. In case it helps others... when they
| announced end of life of the mac app, that was because Apple
| Silicon macs can run the iOS version of Authy. So, if you have
| an M series mac then you can still use and get updates to
| authy.
| encom wrote:
| Authy is terrible. I recently tried to delete my account,
| because I've (finally) moved everything to Keepass, and they
| make it as difficult as possible. Then they make you wait 30
| days before they actually delete it, making sure to email you
| constantly in the mean time, to ask you to please reconsider.
| My 30 days expired a few days ago, so if they had actually
| deleted my account when I told them to, my info maybe wouldn't
| have been leaked.
|
| Dog shit company. Avoid.
| mort96 wrote:
| I chose Authy back in the day because that's what everyone was
| suggesting. I hate it. I hate the whole cyber"security"
| community.
| bonestamp2 wrote:
| I recently setup a focus profile on my iPhone that only lets
| calls ring through from known contacts. There is going to be an
| adjustment period as I discover people and companies (such as
| doctors/hospitals) that I want to allow calls from and add them
| to the whitelist. But otherwise, it has been really nice to cut
| down on all of the interruptions.
| gz5 wrote:
| consider* putting endpoints on a private overlay network in which
| network access is cryptography-gated (e.g. x.509 cert based).
|
| then, a misconfigured endpoint (or a zero day etc.) can't be
| exploited by any_actor_on_the_internet - actors need to first
| complete the provisioning process you choose to enforce to be
| authorized to use the private overlay.
|
| *not one size fits all, e.g. bad option if endpoints need to
| accept requests from unknowns.
|
| however, many endpoints only need to accept requests from known
| (identified, authenticated, authorized) endpoints, and the added
| friction of id/authN/authZ to use the private overlay is not a
| business impediment.
|
| there is a stigma here due to the horrors of NAC on private
| enterprise WANs. but NAC goals can be accomplished without that
| baggage via internet overlays and modern cryptography.
|
| to be clear, i am by no means advocating to abandon traditional
| methods of endpoint auth - this is just another layer which
| recognizes that single layers are rarely airtight (e.g. what just
| happened to Authy and Twilio).
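The cert-gated overlay access gz5 describes, reduced to its core mechanism (mutual TLS, where the server only completes a handshake with a client certificate that chains to the overlay CA), as an added Go example that is not from this thread or any product mentioned in it; the in-memory CA, the `issue` helper and the localhost httptest server are constructed stand-ins for a real provisioning process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a short-lived P-256 certificate: self-signed when parent is nil (the overlay
// CA), otherwise a client leaf signed by parent. Constructed for this example only.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GatedServer serves handler over TLS and refuses any peer whose certificate does not chain
// to ca: the handshake fails before a request byte reaches the handler.
func GatedServer(ca *x509.Certificate, handler http.Handler) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(handler)
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// clientFor trusts the test server's certificate and, when cert is non-nil, presents it.
func clientFor(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) *http.Client {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Probe performs one GET and returns status and body, or the handshake/transport error.
func Probe(c *http.Client, url string) (int, string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

func main() {
	ca, caKey, _ := issue("overlay-ca", true, nil, nil)
	leaf, leafKey, _ := issue("provisioned-device", false, ca, caKey)
	srv := GatedServer(ca, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	_, _, err := Probe(clientFor(srv, nil, nil), srv.URL)
	fmt.Println("no certificate:", err)
	code, body, _ := Probe(clientFor(srv, leaf, leafKey), srv.URL)
	fmt.Println("provisioned device:", code, body)
}
```

A client holding a certificate from a different CA is refused the same way as one with no certificate at all, so a misconfigured handler behind this gate is only reachable by provisioned peers.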
| hypeatei wrote:
| > many endpoints only need to accept requests from known
| (identified, authenticated, authorized) endpoints
|
| Do you mean clients for the last part? I'm not a networking
| expert but I don't see how layering on certs here is going to
| help?
| mihaaly wrote:
| And they wonder in random organizations and businesses that I am
| not willing to give all my personal details right away on first
| contact despite their 'utmost importance' of handling my data
| very securely, all this just to be informed about their product.
| And they seem to be offended with a "but we did it so for many
| years now" on my refusal and saying goodbye if they try to insist
| on this "company policy".
|
| Unluckily sooo many give zero or negative fack among their
| potential and existing customers. This includes businesses
| providing medical services sending all the client's data and
| medical results in clear text email and even declaring for their
| own convenience that "The property and copyright or other
| intellectual property rights in the contents of any document or
| images provided to you shall remain our property", for your
| ultrasound results. Your medical results are their property for
| those who use their services. So they do as they please with their
| data, not your data, not your concern if it is protected or not.
| And people go there and rate this service 4.8 on google, insane.
| Of course no-one really reads TOC, not even for sensitive medical
| services. People do not learn.
| ehPReth wrote:
| is this just like
|
| anotherservicetwilioruined.example.com/api/doesthispersonhaveanaccount?phone=+12012000000
|
| and then the service says 'yeah that number has an account' (and
| nothing else?)? then whomever repeats that for every possible
| phone number?
|
| or... more than that?
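The suspected lookup flutas reconstructs from the CSV columns, which ehPReth sketches as "does this number have an account?" repeated over every number, beside a hardened version of the same route, as an added Go example that is neither from this thread nor Twilio's code; the in-memory account rows, the bearer-token check and the fixed-window RateLimiter are constructed stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"sync"
	"time"
)

// Account carries the columns named in the leaked CSV; the rows below are constructed.
type Account struct {
	AccountID     string `json:"account_id"`
	PhoneNumber   string `json:"phone_number"`
	DeviceLock    bool   `json:"device_lock"`
	AccountStatus string `json:"account_status"`
	DeviceCount   int    `json:"device_count"`
}
var accounts = map[string]Account{
	"+12015550001": {"acc-1", "+12015550001", true, "active", 2},
	"+12015550002": {"acc-2", "+12015550002", false, "active", 1},
}

// leakyLookup is the suspected pattern: no credential, no throttling, and 404 vs 200 reveals registration.
func leakyLookup(w http.ResponseWriter, r *http.Request) {
	acct, ok := accounts[r.URL.Query().Get("phone")]
	if !ok {
		http.Error(w, "no such account", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(acct)
}

type bucket struct {
	start time.Time
	count int
}

// RateLimiter is a fixed-window per-client counter (hypothetical helper; production needs a shared store).
type RateLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	buckets map[string]bucket
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, buckets: map[string]bucket{}}
}

// Allow reports whether client is still within limit for the current window.
func (rl *RateLimiter) Allow(client string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	b, now := rl.buckets[client], time.Now()
	if now.Sub(b.start) >= rl.window {
		b = bucket{start: now}
	}
	b.count++
	rl.buckets[client] = b
	return b.count <= rl.limit
}

// hardenedLookup keeps the route but requires a caller credential, throttles per client
// key (RemoteAddr here; behind a proxy use the authenticated principal), and answers
// identically whether or not the number is registered.
func hardenedLookup(rl *RateLimiter, token string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !rl.Allow(r.RemoteAddr) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		if _, registered := accounts[r.URL.Query().Get("phone")]; registered {
			// Start the real verification step here; nothing about it is returned.
		}
		w.WriteHeader(http.StatusAccepted)
		fmt.Fprint(w, `{"status":"if this number is registered, a code has been sent"}`)
	}
}

func main() {
	http.Handle("/register", hardenedLookup(NewRateLimiter(30, time.Minute), "constructed-token"))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Throttling alone only slows a sweep down; the uniform response is what stops each request from confirming one more number.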
| vishnumohandas wrote:
| We built ente.io/auth
|
| If you need a cross platform authenticator, do check it out.
|
| FOSS, optional e2ee backups.
| mort96 wrote:
| No. Fuck you 2fa people. This whole space is despicable. Let me
| keep using passwords. Don't force me to use your garbage
| services.
| kylehotchkiss wrote:
| Twilio requires Authy for 2fa for sendgrid and maybe even twilio
| itself instead of supporting more standardized 2fa that'd allow
| 1pass to be used. This is all the more frustrating because I was
| forced to use Authy to protect an account instead of my regular
| tooling and they still managed to screw it up. Twilio, take a
| hint and stop forcing people to use your custom thing
| https://www.twilio.com/docs/sendgrid/ui/account-and-settings/two-factor-authentication
| qingcharles wrote:
| Ugh. I hate that some apps require use of specific auth apps.
| This should not be a thing, we have great generic systems for
| this already.
| mort96 wrote:
| I just hate that some apps/services require 2FA. My 32 random
| characters which are unique to each service are secure
| enough. Adding another service on top just increases risk (as
| shown here; Authy was never going to do anything to protect
| me, but it has now leaked info about me.)
| calderwoodra wrote:
| Even worse.. 2FA is mandatory on Twilio products, so either
| install authy or don't use Twilio - no exceptions.
| Featherknight wrote:
| Sucks that Twitch.tv still relies on it. My only service that
| uses it still, I've since migrated to other managers
| xyst wrote:
| Terrible. Glad I moved away from Authy a long time ago. Small
| reminder that I need to delete the account though.
| jordigh wrote:
| Took a while, but this commenter is finally correct:
|
| > Why does Authy require I provide my cell phone number and email
| address? Why do I have to have a user account? This is completely
| ridiculous. I do not need nor want cloud syncing or backup. You
| are making Authy a potential target for attacks by associating a
| user to cloud stored 2FA information.
|
| > This is not in the spirit of 2FA.
|
| https://news.ycombinator.com/item?id=9100560
| instagib wrote:
| For iPhone, put the phone in do not disturb. It will send all
| calls to voicemail. If someone is on your emergency contacts,
| favorites, or 1by1 focus then a repeated call will actually ring
| your phone. Otherwise no notification. Not even a text counter
| increase unless the person taps (notify anyway).
|
| Tried to do the same on an android phone and it didn't work.
|
| You can also port your phone to google voice or Fi and give away
| all your call information to them. Very few spam calls get
| through their filter.
|
| I like the change phone area code to out of area and block all
| phone calls from that area that some call services provide.
| rcostin2k2 wrote:
| Actually, I have a Samsung S20+ and "Do not disturb" works
| pretty well, even scheduled
| denkmoon wrote:
| If you've got anything in Authy that isn't using the authy custom
| authentication scheme (ie. just regular TOTP) now is the time to
| get it out.
|
| Exporting the raw totp tokens can only be done from the desktop
| version that is currently deprecated and scheduled to be nuked
| from existence later this year. It requires getting the tokens
| loaded into the desktop app, then downgrading to an older version
| so you can use the chrome remote debugger to run a javascript
| function against the desktop app (embedded chromium) which pulls
| out the raw tokens and gives them to you.
| mort96 wrote:
| > Exporting the raw totp tokens can only be done from the
| desktop version that is currently deprecated and scheduled to
| be nuked from existence later this year
|
| Oh. Fucking great. So I'm locked in to using Authy forever now
| I guess.
|
| I hate 2FA. It literally does exactly nothing for security,
| it's just another tool for these big companies like Google and
| Twilio to put themselves between me and the services I need
| access to, all while locking me in to their services and
| siphoning out information they can sell to advertisers. I hate
| it. I hate the "security" people who are pushing this garbage.
| I hate everyone involved in this space. I hate that I now can't
| log in to anything without going to fetch my phone. I hate
| these people.
| 486sx33 wrote:
| Damn 2FA with telephone numbers, I hate it!
___________________________________________________________________
(page generated 2024-07-04 23:00 UTC)