Comment by ceejayoz
3 years ago
The phone number gets used during account recovery; when I reset my iPhone once without a second Authy device to activate it, I was locked out for 24h while it bombarded my number with calls and texts about the impending restore. I appreciated that safety measure.
And I don't appreciate being forced into a "feature" that specifically subverts the entire god damn point of 2FA codes and leaves them in an unprotected state on some third party server.
Great!
It is, indeed, great to have choices.
(Side note: Authy backups are encrypted client-side with the user's backup password. They're not unprotected on a third-party server; Authy has no ability to decrypt them. https://authy.com/blog/how-the-authy-two-factor-backups-work...)
I apologize for getting that wrong and also want to acknowledge that choice IS good, and I do agree that informed users can reasonably make that decision. I get a bit too "there's one best/right answer" on this topic, thanks for checking me a bit.
The TOTP secrets are encrypted with a passphrase locally. You need the phone number to download the encrypted secrets but then need to use your passphrase to decrypt the restored backup locally.