Comment by stoplying1
3 years ago
And I don't appreciate being forced into a "feature" that specifically subverts the entire god damn point of 2FA codes and leaves them in an unprotected state on some third party server.
Great!
It is, indeed, great to have choices.
(Side note: Authy backups are encrypted client-side with the user's backup password. They're not unprotected on a third-party server; Authy has no ability to decrypt them. https://authy.com/blog/how-the-authy-two-factor-backups-work...)
I apologize for getting that wrong and also want to acknowledge that choice IS good, and I do agree that informed users can reasonably make that decision. I get a bit too "there's one best/right answer" on this topic, thanks for checking me a bit.
The TOTP secrets are encrypted with a passphrase locally. You need the phone number to download the encrypted secrets but then need to use your passphrase to decrypt the restored backup locally.