While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors and dentists.
Most of the calls I get are spam, but then the MOST important calls I get are from doctors, labs, and dentists. I do as much as possible online of course, but not all of these professionals have good online systems and phone calls are often required.
Sometimes you know what number they're going to be calling from ahead of time, but often you don't... especially if you're in a large medical network that has different offices for different specialists, etc. It's a really sad situation if you get sick and you're trying not to miss these important calls, especially when it's a long wait for a specialist and then you miss their call when they get to your name on the waiting list.
This will literally cost some people their lives and legislators need to act on making spoof calls impossible -- there's no reason why anyone should be allowed to spoof a number that they can't receive calls at.
I recently had to help my father organize his medical visits.
Dealing with his healthcare providers was a bit of a pain, but it was way worse because he has stopped answering calls, primarily because of the call spam rate. I think because he owns his own business, he never fails to hand out his contact info when he is shopping, and he owns his own business (so his contact info is published by the city).
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
It's high time someone disrupted the damn desk phone network of these hospitals. It's definitely not a technical hurdle in 2024. All calls go on the data network. You route your calls out of the main router and any call that gets routed in such manner will have the ID of the router. Tag the router id to the hospital or hotel and be done with.
Is it not this simple ? With dual SIMs any phone can serve 2 lines so employees officially switch to the hospital e-sim within the hospital premises.
My dentist texts me. My doctor uses MyChart, so I get notifications. Neither one calls me on the phone.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
Easy trick: Every time you get a spam call, answer it. Talk to them until _they_ hang up. String them along. Put them on speakerphone and keep working. Feed them fake credit card numbers (there are generators out there that create numbers that checksum correctly, so they type them into whatever they're using to bill numbers. Hopefully this helps flag them as a bad actor to the processors, idk).
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
How convenient for the data collecting companies that so generously sponsor the new & free services, that our democratically controlled communication infrastructure looses in value.
Advertising is a cancer on modern society. It will metastasize to any new communications medium, public or private, and destroy it from within. People will switch to new medium that offer less spam, but advertisers quickly follow to strip-mine the new channel. A cycle of life, so to speak.
Is our communication infrastructure democratically controlled? At least in the US, we may have federal regulators but isn't the infrastructure still owned by a few massive telecoms corporations?
"Our democratically controlled communication infrastructure" honestly deserves to be deprecated and replaced with some kind of federated voice system that comes out of the IETF instead of the telcos. What kind of antediluvian nonsense doesn't use end-to-end encryption in 2024?
> If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc.
I really don't get that. I don't get these, on neither of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
i'm jealous of you. I recently had a day where I got 25 phone calls. 23 were spam. Turning on iOS "ignore unrecognize phone numbers" has been amazing (i assume android has the same feature)
I have 5+ spam calls every day. Looking at my call history it’s been that way as far back as it lets me scroll.
Blocking doesn’t make a ton of difference, as it’s almost always a different number.
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
Definitely. I'm American and I've lived in the Netherlands for the past three years. The difference is night and day.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
America doesn’t have privacy laws that prevent robot spam. Repercussions for violating the SPAM Act are not prosecuted very often.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
> While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
Currently, any password from more than 6 months ago, names of all my acquaintances, photos of all my paystubs over the last 6yrs (thank you Equifax and dishonest HR platforms), .... Astounding amounts of misconduct are normalized. They're just not widely known yet.
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (ie, unlimited e-mail aliases, control over mailbox size). No more worrying about “google decided to shut your free account down for whatever reason. Bye bye decades of emails and loss to services that use email based OTP or magic link login.
My phone number is from a different area code than I currently live in and I know no one from that area anymore. I can filter out 80% of spam just by ignoring calls from that area.
I wind-up using the phone because so many organizations malevolently misfeature they websites - doing what you want to (pay basic bill or whatever) is hard but upselling and new features, those you can do instantly.
Anyone who has kids has to answer the phone from strangers routinely. School staff and camp counselors are routinely using their own cell phones these days to communicate with parents.
Doing it the opposite way - tying all outbound school/camp calls to a single callerID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now its down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
>And I find it odd when people call me on WhatsApp.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
Everything you mentioned is the beauty of the EU privacy laws (so far), however there is another negative externality you haven't planned for maybe.
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
Very similar here... same for my primary gmail address... the most annoying thing is the "credit monitoring" that comes with a few of my credit cards is all but worthless... I get constant notices that my "email is compromised" but absolutely no detail on how/where/what exactly is compromised, with is like saying, your email is public.
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 the time if I decide to answer as I'm expecting an out of band call, it's spam. On the flip side, I am wanting to setup for "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
> The telephone companies make money based on minutes of usage.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
IMO The problem with data breaches is not the phone number being exposed, it's the other data around it that one can combine with other breaches to make full profiles of a person's comings and goings, their location/purchase history, their associations and preferences, etc.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
Doesn’t even have to be manipulated just incorrect. I share a rather uncommon name with at least two others within five years of my age. I get emails intended for either of them almost daily. One holds political views completely opposite my own. The other is rebuilding his life after a couple years in prison.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
I make and receive regular phone calls all the time. However I only answer those that are from numbers I have in my address book. I do the same with text messages, I have my default view set to "Known Senders" so I'm not even really aware of others. If I'm expecting an unknown sender message, such as a TFA code, it's easy enough to just look in "Unknown Senders" for it.
I feel the same way. I get far too many “hey!” Or “Hello?” “What’s up?” messages on my phone that never say another thing. Any family/friend of mine knows me well enough to try more than once to get my attention via messages, and 99% of them should probably be in my contact list already and I’ll hear the beep.
I’ve found some success is curbing spam calls with the “Silence Unknown Callers” feature in iPhone.
However this presents a few challenges. Mainly missing calls from delivery agents, who's number is obviously not in my iPhone contacts
I’ve been impressed with my iPhone and/or carrier (AT&T in the US) for tagging incoming calls as spam or telemarketing. The phone does still ring but I know not to answer it.
The solution to phone spam is voicemail transcription. Every call goes to voicemail, I get the transcription in a minute or two, and can call back if I want to.
I think that is intentional, AFAIK phone communication is more protected than other types so allowing spam to continue unabated is in the governments interest. Outsourcing the harassment to 3rd parties, similar to how prison torture is outsourced to the inmates. The government could fix these things but would rather not.
I think we just don't have very much competition in telecommunications so things never get fixed. Why bother? It's easier to extract rent off largely the same offerings as the rest of your market (difficult to understand pricing tiers that function as a congestion tax more than a transaction, often region-specific monopolies or duopolies, indistinguishable quality of service) and bring home large profits, market efficiency damned.
The phone network we once knew is useless in terms of answering or bothering with any calls or text from those not in your contacts. If you do .. you do so at your own risk!
Took a while, but this commenter is finally correct:
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
I use Authy _because_ it provides cloud sync. At the time, Google Authenticator didn't have it, and when I had to change phones it was a real hassle. Imagine if the phone had been stolen, no way to access the account normally to get a new QR, you'd have to "recover" every account.
I have been transferring Google Authenticator from phone to phone for years though? Going back to at least 2016, and that was 8 years ago. In 2020 I copied it from Android to iOS even by doing an export I had no idea was there.
The entire use case for Authy is the cloud backup and syncing across devices. If you don’t want that, use any of the other free and more open 2FA apps.
Then make it an independent email+password thing, so in case of a leak, something as critical and personal as a phone number doesn't get involved in the stolen data.
(I know the irony of this in particular being Authy, but nevertheless phone numbers should NOT be risked to be exposed anyhow)
Twilio has an incentive to make "the spirit of 2FA" worse, because SMS-only is how they make money. Either OTP 2FA will be more complicated and adopted less, or they'll own the entire space, like in Sendgrid's case.
Not to go too off-topic, but that post from 2015 has a response from 2019, how is that even possible? I thought HN auto locked posts after x number of days / years.
I don't want to go through the trouble of creating a throwaway to test it, but having worked in webdev long enough makes me believe it's possible that restriction is only on the frontend and some well placed curl may sidestep it
You can't pick and choose "Not a real scotsman"
since 99% of users will be on bigcorp 2FA
that does it in most ass-backwards way possible.
2FA as mobile apps locked to hardware is not
going to go away without 2FA being replaced by something else.
And they wonder in random organizations and businesses that I am not willing to give all my personal details right away on first contact despite their 'utmost importance' of handling my data very securely, all this just to be informed about their product. And they seems to be offended with a "but we did it so for many years now" on my refusal and saying goodbye if they try to insist this "company policy".
Unluckily sooo many give zero or negative fáck among their potential and existing customers. This includes businesses providing medical services sending all the clien't data and medical results in clear text email and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those use their services. So they do as they plase with their data, not your data, not your concern if it is protected or not. And people go there and rate this service 4.8 on google, insane. Of course no-one really reads TOC, not even for sensitive medical services. People do not learn.
British Gas has taken to removing their bank account details from their invoices so that you have to set up an online account with them and then set up a Direct Debit (permission to take arbitrary amounts of money from your UK bank account).
Twilio requires Authy for 2fa for sendgrid and maybe even twilio itself instead of supporting more standardized 2fa that’d allow 1pass to be used. This is all the more frustrating because I was forced to use Authy to protect an account instead of my regular tooling and they still managed to screw it up. Twilio, take a hint and stop forcing people to use your custom thing
I just hate that some apps/services require 2FA. My 32 random characters which are unique to each service are secure enough. Adding another service on top just increases risk (as shown here; Authy was never going to do anything to protect me, but it has now leaked info about me.)
My recollection is that someone reversed their algorithm and they used almost TOTP which hurts me even more because that implies that they knew about the standard and still chose violence
There's this small web portal in Poland that for years provides a simple free email service (and an instant messenger with same login) with occasional "messages from our sponsors" in your inbox - you had to tick your "interests" during registration. In time banners started to appear and that was still fine because the Web was still a pretty innocent place and tracking was years ahead of us. At some point inbox was getting flooded with spam; either one you had to have or outside the service because the domain was popular and probably addresses were scrapped from the associated instant messenger. Then, banners started to be aware of inbox content and sponsored messages included tracking - milking your habits and activity become a thing.
Fast forward to some 10 years ago the service offers a premium plan where you can turn off banners around inbox, the permanent banners that pretend to be emails at the top of the list. Of course paying turns off only these banners and sponsored messages and every other spam will pile up. There's a built-in filtering option but since people started to using it to get rid of these mandatory messages - it stopped working at all. And any filter entry is a dummy one. At this point it's more an ads and spam gallery with an optional email service. Instant messenger was killed off in 2016 as people preferred global networks, and so were small but popular discussions forums turned off.
Around same time portal was bought by what for year was a bigger competition to them (not the only one ofc). The idea that both portals should use a single login appears. So people saw messages at login saying that you should transfer your account to this unified platform because it's more secure and there are some "benefits". Later, a darkpattern message was displayed saying that the unified login service will be the only way to use all services including email. And this unified login comes with company's own 2FA mobile app which you can't replace with a generic generator of any kind. Aaand in the end, nothing really happens. The darkpattern messages disappear and you can still log into the email with same plain password you used for years. The 2FA becomes suddenly optional but "recommended". People complaining in Appstore reviews about login issues and fact that no generic generator works are suggested to talk with support where apparently something can be arranged.
What my hot guesses are is that the company believed that domestic service popularity combined with mandatory 2FA app that does collect a lot of additional unnecessary information will provide a steady source of money for this service. People accustomed for years to an attractive short local domain won't force themselves to move elsewhere. But that didn't work as planned and honestly, I don't know how they managed to survive till today.
I did created few addresses there but over the years I managed to move elsewhere; what was once cool and fast and plausible become obnoxious to use.
If you remember poczta o2 you surely remember tlen emoticon: [10ton] - that's the best way to sum up what happen to this portal and service.
This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint
I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
> I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
Authy is both a SaaS and a consumer-facing authenticator app.
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
The consumer app also wants your phone number... It prompts you to "backup" your codes, so that they're not gone if you reinstall the app or switch devices
you probably gave them your phone number at some point if youve got authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
Cloudflare should probably deprecate their Authy provider, considering they support other more secure MFA options (hardware and virtual WebAuthN). I believe Wise (ex TransferWise) and Plastiq also use Authy natively for SMS OTP server side, but provide no mechanism to disable SMS 2FA (boo).
Nothing in the iOS Settings app for Authy, but tapping the little gear icon in the app UI shows my phone number and email! I guess I did enter them at some point and forgot. Thanks.
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
One step we have taken is to build an auth system that requires you as the developer to explicitly specify the security of an endpoint using a decorator. If no decorator is provided, then the endpoint is completely locked down even to admins (effectively disabled).
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
.NET web apps / APIs have an option where you can require authorization on all controllers (and their actions) by default. If you need an anonymous controller/action, you can use the `[AllowAnonymous]` attribute on it.
It's a common problem. On a previous job, I'd found one unauthenticated endpoint just because I want to add some integration tests on it and my tests failed! After that, I'd created a script which lists all endpoints and curl each one with invalid credentials and expecting them to return 401.
1. build a single endpoint handler that handles auth, then looks up the endpoint on the path.
2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
> 1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
Mh, I'm probably comparing apples to oranges and such.
But the last 2-3 times I setup a config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure
The break-glass is always a consideration, so it's no panacea but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api
I believe a lot of folks have had good experiences with Wireguard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM
Holy shit why is this even a question?? You. Write. Tests.
You build into your testing framework/library a mechanism that will craft sessions across your range of authentication-levels - unauthenticated (no-session), authenticated but unauthorized, etc. You mandate new endpoints must have permissions test in code review.
Simple, straight forward, and absolutely the bare minimum of competency for any endpoint returning personal data.
And then someone forgets to test that one thing for that one endpoint and no one notices ("mandate in code review" is not going to be fool-proof), or lines get crossed and they test the wrong thing.
This kind of arrogance is exactly how these mistakes get made.
It's sad how awful Twilio's engineering has become. I used it super early on and it was amazing, and while they had hiccups, they were never major and they were growing pains.
Today they have incidents almost every week, and now data breaches.
Also having an investor base that demands removing as much equity compensation as possible. (Whilst, IMO, not being aggressive enough to cut executive compensation)
But it's no surprise that when you ask management/executives "who needs to be laid off", the answer is not that many managers/executives...
I do think Kho is the right person for the job though, and Aidan was surprisingly smart too, so I my[1] bet is that they'll get there.
There really has to be steep repercussions for companies that fail to protect user data like this. At this point I can't help but feel that there is wilful neglect with the aim of exfiltrating data with unknowable aim.
Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.
More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.
Case in point, feeding haveibeenpwned with a bunch of HN user handles reveal a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles are very anti-regulation when it comes to user data ownership.
I agree the US in particular should have better data protection laws and consequences.
But phone numbers aren’t something I’d consider confidential in most cases. Hell, we used to publish our phone numbers in physical books and give them to the whole town for free (literally).
The data was even monetized with ads plastering every page. I guess the digital age isn’t all that different from the analog age (in certain ways!)
We didn't use phone numbers to prove our identity back then. It was only used to call you. You often wanted it to be public so you could be reached. Now it's a critical piece of information required to access services online and prove who you say you are.
If you've got anything in Authy that isn't using the authy custom authentication scheme (ie. just regular TOTP) now is the time to get it out.
Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year. It requires getting the tokens loaded into the desktop app, then downgrading to an older version so you can use the chrome remote debugger to run a javascript function against the desktop app (embedded chromium) which pulls out the raw tokens and gives them to you.
> Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year
Oh. Fucking great. So I'm locked in to using Authy forever now I guess.
I hate 2FA. It literally does exactly nothing for security, it's just another tool for these big companies like Google and Twilio to put themselves between me and the services I need access to, all while locking me in to their services and siphoning out information they can sell to advertisers. I hate it. I hate the "security" people who are pushing this garbage. I hate everyone involved in this space. I hate that I now can't log in to anything without going to fetch my phone. I hate these people.
Haha, I see you manically rage posting in this topic. I empathise, it's fucking shit when "smart" people foist something unwanted on you because they think it's better for you. FWIW, I'm feeling pretty liberated to have moved my OTP codes out of authy and into multiple locations - my data, as much as I'd prefer not to use it, is now under my control.
Well, then now might be a good wakeup call to move those tokens to one of the many opensource apps that allow exports? Like Aegins, Authenticator Pro, etc.?
I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem).
I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.
Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.
I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when).
Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.
I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.
So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).
When I tried SendGrid it was super annoying that I had to install yet another Authenticator app on my phone. Now it’s become a point of data loss.
It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.
It's good. And the introduction of the Passwords app this fall will make it better.
But it seems to me that Apple only supports adding TOTP codes if you have a password for the account. Which is annoying if you want to split your passwords and second factor into two different places. (For example if you wanted Bitwarden for passwords and TOTP/Passkeys in Apple.)
You can of course put a dummy password in Apple. But that is kind of annoying.
IMO: I'm pretty sure this is less of an auth issue, than it is a rate limiting issue.
I haven't been able to find anything about the endpoint, but based on the data exposed[0] I think the endpoint they are talking about is the register one which requires a phone number.
I'd bet they didn't rate limit it, and someone just blasted through all phone numbers with it and stored the data for ones that didn't error out.
I just migrated off of Authy last week but I was probably caught in this breach, ugh. Never liked it but they make it extremely difficult to export your data.
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
The lack of export in Authy is a really ugly choice they made. When I migrated to Aegis I used some hack that involved a desktop Electron app's javascript console. I wonder if that still works?
Has anyone found a single open-source app that supports both mobile and desktop though? That was the attraction of Authy before they killed their desktop apps.
i've switched to keepass right after first breach. it's not convenient to store the db on eg gdrive and sometimes it doesn't work, but that is way better than another SaaS app that will eventually leak my passwords/2fa codes.
That makes sense. In case it helps others... when they announced end of life of the mac app, that was because Apple Silicon macs can run the iOS version of Authy. So, if you have an M series mac then you can still use and get updates to authy.
Authy is terrible. I recently tried to delete my account, because I've (finally) moved everything to Keepass, and they make it as difficult as possible. Then they make you wait 30 days before they actually delete it, making sure to email you constantly in the mean time, to ask you to please reconsider. My 30 days expired a few days ago, so if they had actually deleted my account when I told them to, my info maybe wouldn't have been leaked.
After I transferred everything I only had dead sites no longer around like FTX in the app. I feel like it needs to be left around as a kind of Time Machine…
Some months ago, I used https://github.com/alexzorin/authy to export them. It basically creates a dummy-device to access the tokens, and then exports them to some format. But I have not figured out how to import them now into another app.
Use the plaintext export option on that project. Most TOTP apps should accept the URIs that are exported. Maybe not en-masse but individually for sure.
I slowly migrated away from Authy when they decided to shut down their desktop authenticator. You can painfully export codes, though I generated new 2FA codes at every vendor.
I thought I had a lot of totp codes to migrate but then it turned out I didn't use many of them. After deducting them, there remained 10 apps that I needed to migrate. It took me an hour to port them to bitwarden manually.
and we should do product liability lawsuits on every service that only allows SMS based one time passwords, if they don't allow a client side only option
So fun story, I recently switched away from Authy for various reasons, but the key one was that I had to restore from a backup on a device and when I did so I realized the Authy had never actually deleted any of the 2FA/TOTP accounts I'd configured over the years, things that had been deleted on device literally 5+ years ago were still stored and available on request via their API.
In general, after that I started poking, and discovered a lot of things I hadn't bothered looking into before that make me extremely suspect of Authy's general security.
For those looking for an alternative, I use 2FAS and Yubico Authenticator with a Yubikey now. Yubikey only allows you to store up to 32 TOTP slots, which is very limiting (I have more than 60 TOTP accounts for 2FA), so I use two apps and "tier" my 2FA.
The main reason I didn't use Authy was that it requested phone number when signing up, and it didn't make any sense to me why they'd need it. Since then, I've been using 2FAS, since there's no personal data that can be leaked.
For iPhone, put the phone in do not disturb. It will send all calls to voicemail. If someone is on your emergency contacts, favorites, or 1by1 focus then a repeated call will actually ring your phone. Otherwise no notification. Not even a text counter increase unless the person taps (notify anyway).
Tried to do the same on an android phone and it didn’t work.
You can also port your phone to google voice or Fi and give away all your call information to them. Very few spam calls get through their filter.
I like the change phone area code to out of area and block all phone calls from that area that some call services provide.
One major problem I see with this hack is that the phone numbers exposed in the leak is the single factor of authentication needed to get access to an Authy account, including all the MFA tokens that the account has saved.
If there are any high-profile victims in this list SIM Swapping those phone numbers should be a very attractive approach.
I think security cautious companies should consider turning off multi-device support and start planning for a migration. This leak feels way riskier to me than what media reports it to be.
> There are account recovery options outside of multi-device, but those require the attacker to compromise your primary email. These also take a minimum of 24 hours, during which you would receive email notifications, and could request a cancellation
I just had to try it out now to make sure I'm correct on this and I believe I am. Here's what I found:
Multi-entity is enabled by default when creating an account. Enrolling a second device is possible via an OTP code received via a text message. This makes the phone number (in my mind at least) the default single-factor needed to access an Authy account.
As far as I can tell, the user has to either enroll either a second device, or manually disable multi-device support to make Authy SIM swapping resistant. I have not been an active Authy user for many years now so I might be mistaken here, but I strongly suspect a majority of Authys non-technical users have not done either. Meaning they would be susceptible to SIM Swapping attacks.
It feels funny to say "Hacker" when it was just someone one using something on the open internet the way it was (defacto) designed for, and just used it a lot.
Like if I crawl hackernews and download all the somethings am I a "hacker"?
To me a hack is some kind of escalation of privilege beyond what I'm truly entitled to (such as stuffing passwords, tricking software to run a payload, crafting a payload for service A so that it tricks Service B) ...
As alternatives: I use Authenticator Pro on my phone and keep encrypted backups whenever I modify it. I know others have pointed out Aegis.
The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!
consider* putting endpoints on a private overlay network in which network access is cryptography-gated (e.g. x.509 cert based).
then, a misconfigured endpoint (or a zero day etc.) can't be exploited by any_actor_on_the_internet - actors need to first complete the provisioning process you choose to enforce to be authorized to use the private overlay.
*not one size fits all, e.g. bad option if endpoints need to accept requests from unknowns.
however, many endpoints only need to accept requests from known (identified, authenticated, authorized) endpoints, and the added friction to id/authN/authZ get use the private overlay is not a business impediment.
there is a stigma here due to the horrors of NAC on private enterprise WANs. but NAC goals can be accomplished without that baggage via internet overlays and modern cryptography.
to be clear, i am by no means advocating to abandon traditional methods of endpoint auth - this it is just another layer which recognizes that single layers are rarely airtight (e.g. what just happened to Authy and Twilio).
I recently setup a focus profile on my iPhone that only lets calls ring through from knowns contacts. There is going to be an adjustment period as I discover people and companies (such as doctors/hospitals) that I want to allow calls from and add them to the whitelist. But otherwise, it has been really nice to cut down on all of the interruptions.
You can flip on the option in the settings to silence unknown callers. It does a decent job, and prevents a lot of the manual micro-managing. I will sometimes toggle it off if I’m expecting a call from an unknown number, but it will also pull numbers it sees in texts and email and known.
I manually set this up several years ago, to only ring for contract in my address book. It was annoying, but worked. At the same time, I submitted the feature request to Apple and it came to iOS about a year later.
I found my calls have gone down dramatically since using it. I used to get 3-4 calls per day. Now, even if I have the feature toggled off, I might get a couple calls in a month. Once the number appears inactive, I think it drops off a lot of lists.
Thank you for drawing attention to this. Whenever I've scrolled past that option in the settings, I incorrectly assumed how it works and it's actually much more useful than I realized. I've adjusted my settings accordingly and I'll give it a chance. Thanks again.
I have resisted moving off Authy as I liked the idea of cross-platform cloud sync. That'll teach me. Any other suitable alternatives? Aegis is android only. I do run vaultwarden, but it means I need another 2FA to login to it, before I can use it as a 2FA for other sites.
KeePassXC (and the associated apps) can store TOTP, and you can sync it with SyncThing on any device. Add an always-on NAS with SyncThing and you'll always have an up-to-date vault, even when your other devices are offline.
2FAS - https://github.com/twofas and I did replaced Authy with it some year ago; I'm using it mainly on iPhone while having a backup file on desktop and second app installed on Samsung phone
Does anyone have a recommendation for an Open Source 2FA OTP app? That's the only thing I use Authy for, to scan the QR Codes into the App and generate the 2FA tokens, but in a way that allows me to migrate to another phone without having to re-set all the 2FA tokens on the vendor side.
I personally use Bitwarden for TOTPs (with a self hosted vaultwarden instance), it's by far not the most secure way to store your passwords and TOTPs next to each other, but it saves so much time.
I migrated to Aegis a while back because I wasn't happy with how hard it is to get secrets out of Authy, or that someone else is managing them, and they they need my phone number (guess I was right, again).
I use Folder Sync on my Android to sync the Aegis auto-backups to a MinIO bucket I host at home.
Ente Auth or bitwarden builtin one or keepassXC builtin one.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
I'm of the opinion that it's basically fine yo store them in your password manager. Yes if your password manager is broken into you lose everything (same as having no 2fa in that case), but you still prevent people from guessing your password and often avoid having to deal with email- or text-based 2fa. And if your password manager is broken into, there's a good chance your device has been broken into, in which case it doesn't matter where you store your 2fa.
I use andOTP https://github.com/andOTP/andOTP and my favorite feature is the database of 2FA can be backed up PGP-encrypted and reimported on another device. But sadly it is no longer maintained. The latest version on Google Play Store is from 2021 and can still be installed and works fine on Android 14.
For Android, if you happen to use Keepass as your password manager, I really like KeePassDX[0]. If the camera app you use doesn't support QR scanning, though, you'd need an app for that (and I don't think any FOSS camera apps implement this, as for as I can tell).
This one[1] seems the most up-to-date, by a German research group. You'd share the link as text to the KeePassDX app, search for the entry it's for, and it populates it with the HTOP/TOTP secret.
There are iOS Keepass clients that support this as well, though from what I can tell there's some drama with source code[2][3] in the landscape.
If you do not need QR codes, oathtool is great. You can protect your tokens, recovery codes etc. with gpg -c or similar, so the encryption is entirely separate from the authentication mechanism.
And you actually know what is going on. Works for GitHub.
Raivo was bought by a shady developer last year and is no longer open source. If that wasn’t enough, a few weeks ago they released an update which deleted all your codes - failing at literally the one job a 2FA app has!
Besides all the other advice of using the password manager as a 2FA store as well, on the stand-alone side there is Aegis. I have good experience with it, and allows better interoperability than Authy as well.
While it’s nice that password managers can handle this as others have mentioned, the whole point of a 2nd factor is to ensure an attacker can’t get in if they somehow get your password. Storing the second factor along with the 1st factor doesn’t make much sense to me.
Most likely whatever password app you use supports these now. I know for myself, I started using Authy long long ago when there were not really many options.
In my case, 1 Password can do this now. I believe the same is true for Bitwarden and Apple passwords.
Jesus fucking Christ. Can these companies learn how to write software? Quality is dropping like dogs. Twilio used to be a good company and now they are utter shite. Such a shame. Leetcode and bad hiring practices have done this to our industry.
Neither bad hiring not leet code is a problem with Twilio properties in my experience. Quality however, that gets railroaded by "deliverables" -- the problem is craftsmanship is hard to maintain and manage as companies scale while priority shifts to product announcements.
There needs to be penalties. Massive penalties for breaches like this. That is the real problem. Nothing will happen to Twilio even though they caused such loss. They need to suffer economically for this, then quality will improve.
It seems much easier to pin the ever-decreasing quality of software on the practice of trying to keep everything secret (propriety). Like, obviously it's not secure if they don't let people audit it...
That app is so dumb. Completely negated the usefulness of TOTP. Needs just to die already. Some executive over at Twilio signed the check for Authy acquisition and is still trying to justify the expense.
> for the 100,000th time, just stop using phone numbers for 2FA.
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate it to you (Signal, I’m looking at ya!)
However, easier said than done, some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data get leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors and dentists.
Most of the calls I get are spam, but then the MOST important calls I get are from doctors, labs, and dentists. I do as much as possible online of course, but not all of these professionals have good online systems and phone calls are often required.
Sometimes you know what number they're going to be calling from ahead of time, but often you don't... especially if you're in a large medical network that has different offices for different specialists, etc. It's a really sad situation if you get sick and you're trying not to miss these important calls, especially when it's a long wait for a specialist and then you miss their call when they get to your name on the waiting list.
This will literally cost some people their lives and legislators need to act on making spoof calls impossible -- there's no reason why anyone should be allowed to spoof a number that they can't receive calls at.
I recently had to help my father organize his medical visits.
Dealing with his healthcare providers was a bit of a pain, but it was way worse because he has stopped answering calls, primarily because of the call spam rate. I think because he owns his own business, he never fails to hand out his contact info when he is shopping, and he owns his own business (so his contact info is published by the city).
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
21 replies →
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
It's high time someone disrupted the damn desk phone network of these hospitals. It's definitely not a technical hurdle in 2024. All calls go on the data network. You route your calls out of the main router and any call that gets routed in such manner will have the ID of the router. Tag the router id to the hospital or hotel and be done with.
Is it not this simple ? With dual SIMs any phone can serve 2 lines so employees officially switch to the hospital e-sim within the hospital premises.
5 replies →
My dentist texts me. My doctor uses MyChart, so I get notifications. Neither one calls me on the phone.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
I have a dedicated phone I use solely for healthcare.
The number in my main phone changes every 90 days.
1 reply →
Getting a new, out of state number can sometimes help.
My phone is out of state due to my previous address, and 95% of spam i get is spoofed to that old town or the surrounding area.
No doctors office/etc calls me from that area. It works pretty nice
7 replies →
Where I live, they moved to Whatsapp (dentist) and dedicated app (public hospitals) for messaging and notification.
Doctors and dentists are shifting to apps with integrated VoIP calls and dropping PSTN.
1 reply →
Easy trick: Every time you get a spam call, answer it. Talk to them until _they_ hang up. String them along. Put them on speakerphone and keep working. Feed them fake credit card numbers (there are generators out there that create numbers that checksum correctly, so they type them into whatever they're using to bill numbers. Hopefully this helps flag them as a bad actor to the processors, idk).
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
This works.
I started doing this as well.
I mimic the Jolly Roger call service and they usually hang up in less than a minute.
Ex…
- Act like you can’t hear them
- Ask them to restart what they were saying
- Start a conversation with a fictional person in the background
It’s fun and makes getting spam calls enjoyable.
https://jollyrogertelephone.com/
1 reply →
Incredible post. Starting this today!
How convenient for the data collecting companies that so generously sponsor the new & free services, that our democratically controlled communication infrastructure looses in value.
Advertising is a cancer on modern society. It will metastasize to any new communications medium, public or private, and destroy it from within. People will switch to new medium that offer less spam, but advertisers quickly follow to strip-mine the new channel. A cycle of life, so to speak.
7 replies →
Is our communication infrastructure democratically controlled? At least in the US, we may have federal regulators but isn't the infrastructure still owned by a few massive telecoms corporations?
"Our democratically controlled communication infrastructure" honestly deserves to be deprecated and replaced with some kind of federated voice system that comes out of the IETF instead of the telcos. What kind of antediluvian nonsense doesn't use end-to-end encryption in 2024?
2 replies →
> If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc.
I really don't get that. I don't get these, on neither of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
i'm jealous of you. I recently had a day where I got 25 phone calls. 23 were spam. Turning on iOS "ignore unrecognize phone numbers" has been amazing (i assume android has the same feature)
4 replies →
I have 5+ spam calls every day. Looking at my call history it’s been that way as far back as it lets me scroll. Blocking doesn’t make a ton of difference, as it’s almost always a different number.
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
3 replies →
Is this like an American thing? I'm in the Netherlands and i get like 1 spam call per two months (business internet/electricity salesperson usually)
Definitely. I'm American and I've lived in the Netherlands for the past three years. The difference is night and day.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
America doesn’t have privacy laws that prevent robot spam. Repercussions for violating the SPAM Act are not prosecuted very often.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
1 reply →
In Spain I get at least 4 or 5 calls a week from different providers.
Luckily at the moment, there's still a delay after you answer the call as (I assume) you're being connected to a human. How long will this last....?
Currently, when I don't hear a voice within 1s or so, I hang up. A legitimate caller will (hopefully) call back pretty quick.
1 reply →
Presumably because there aren't very many fluent Dutch speakers in India/Phillipines/Carribean countries where the spam call centers are.
They target the US, and to some extent the UK, Gulf countries like UAE where English is the de facto language.
The experience is pretty poor in Australia too. Texts are more common than calls, but the rate is roughly 1/day.
> While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
Currently, any password from more than 6 months ago, names of all my acquaintances, photos of all my paystubs over the last 6yrs (thank you Equifax and dishonest HR platforms), .... Astounding amounts of misconduct are normalized. They're just not widely known yet.
> Gmail did to monetize the lock-in on your inbox
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (ie, unlimited e-mail aliases, control over mailbox size). No more worrying about “google decided to shut your free account down for whatever reason. Bye bye decades of emails and loss to services that use email based OTP or magic link login.
My phone number is from a different area code than I currently live in and I know no one from that area anymore. I can filter out 80% of spam just by ignoring calls from that area.
I wind-up using the phone because so many organizations malevolently misfeature they websites - doing what you want to (pay basic bill or whatever) is hard but upselling and new features, those you can do instantly.
Anyone who has kids has to answer the phone from strangers routinely. School staff and camp counselors are routinely using their own cell phones these days to communicate with parents.
Doing it the opposite way - tying all outbound school/camp calls to a single callerID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
Agreed. Phone calls are quite common in my circle. Spam calls have definitely risen in the last 10 years, but the ratio is nothing like the GP.
I'm an European and I get zero spam calls.
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now its down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
>And I find it odd when people call me on WhatsApp.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
7 replies →
Everything you mentioned is the beauty of the EU privacy laws (so far), however there is another negative externality you haven't planned for maybe.
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
I'm not sure that GDPR is helping us a lot there.
Very similar here... same for my primary gmail address... the most annoying thing is the "credit monitoring" that comes with a few of my credit cards is all but worthless... I get constant notices that my "email is compromised" but absolutely no detail on how/where/what exactly is compromised, with is like saying, your email is public.
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 the time if I decide to answer as I'm expecting an out of band call, it's spam. On the flip side, I am wanting to setup for "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
The telephone companies make money based on minutes of usage. There is a very large financial incentive for the really big telcos to allow spam calls.
Spam callers are likely the most lucrative customer of the telephone network for the telephone companies.
> The telephone companies make money based on minutes of usage.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
1 reply →
IMO The problem with data breaches is not the phone number being exposed, it's the other data around it that one can combine with other breaches to make full profiles of a person's comings and goings, their location/purchase history, their associations and preferences, etc.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
Doesn’t even have to be manipulated just incorrect. I share a rather uncommon name with at least two others within five years of my age. I get emails intended for either of them almost daily. One holds political views completely opposite my own. The other is rebuilding his life after a couple years in prison.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
Interesting. Here in the UK I get about 1 spam phone call a year.
I make and receive regular phone calls all the time. However I only answer those that are from numbers I have in my address book. I do the same with text messages, I have my default view set to "Known Senders" so I'm not even really aware of others. If I'm expecting an unknown sender message, such as a TFA code, it's easy enough to just look in "Unknown Senders" for it.
I feel the same way. I get far too many “hey!” Or “Hello?” “What’s up?” messages on my phone that never say another thing. Any family/friend of mine knows me well enough to try more than once to get my attention via messages, and 99% of them should probably be in my contact list already and I’ll hear the beep.
I have never shared my phone number with any online service aside from my bank and I don't get any spam on my phone.
I still don't recommend to do that and just toss those that demand your phone number away. Get a business phone if your work demands it.
I’ve found some success is curbing spam calls with the “Silence Unknown Callers” feature in iPhone. However this presents a few challenges. Mainly missing calls from delivery agents, who's number is obviously not in my iPhone contacts
I’ve been impressed with my iPhone and/or carrier (AT&T in the US) for tagging incoming calls as spam or telemarketing. The phone does still ring but I know not to answer it.
The solution to phone spam is voicemail transcription. Every call goes to voicemail, I get the transcription in a minute or two, and can call back if I want to.
With the caveat that this now adds a third-party transcriber that logs the content of every single voicemail you get.
Which will definitely end up in some data breach at some point.
This is what you get on iPhone with the "Silence Unknown Callers" setting.
I think that is intentional, AFAIK phone communication is more protected than other types so allowing spam to continue unabated is in the governments interest. Outsourcing the harassment to 3rd parties, similar to how prison torture is outsourced to the inmates. The government could fix these things but would rather not.
I think we just don't have very much competition in telecommunications so things never get fixed. Why bother? It's easier to extract rent off largely the same offerings as the rest of your market (difficult to understand pricing tiers that function as a congestion tax more than a transaction, often region-specific monopolies or duopolies, indistinguishable quality of service) and bring home large profits, market efficiency damned.
Yes, I'm exaggerating. No, it's not by much.
14 replies →
The phone network we once knew is useless in terms of answering or bothering with any calls or text from those not in your contacts. If you do .. you do so at your own risk!
Really? I get nearly zero spam text maybe 1-2 per year, even voice calls now. I get maybe 1 per month now. I'm with US carrier TMobile and on iOS.
Yet another reason the digital world is marching towards a closed-by-default model.
Took a while, but this commenter is finally correct:
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
> This is not in the spirit of 2FA.
https://news.ycombinator.com/item?id=9100560
I use Authy _because_ it provides cloud sync. At the time, Google Authenticator didn't have it, and when I had to change phones it was a real hassle. Imagine if the phone had been stolen, no way to access the account normally to get a new QR, you'd have to "recover" every account.
I have been transferring Google Authenticator from phone to phone for years though? Going back to at least 2016, and that was 8 years ago. In 2020 I copied it from Android to iOS even by doing an export I had no idea was there.
2 replies →
Good for you. Still doesn't answer gp's question. Why do we have to create a central account?
1 reply →
The entire use case for Authy is the cloud backup and syncing across devices. If you don’t want that, use any of the other free and more open 2FA apps.
Twilio was forcing users to install Authy. See this thread:
https://1password.community/discussion/116314/sendgrid-requi...
Then make it an independent email+password thing, so in case of a leak, something as critical and personal as a phone number doesn't get involved in the stolen data.
(I know the irony of this in particular being Authy, but nevertheless phone numbers should NOT be risked to be exposed anyhow)
Twilio has an incentive to make "the spirit of 2FA" worse, because SMS-only is how they make money. Either OTP 2FA will be more complicated and adopted less, or they'll own the entire space, like in Sendgrid's case.
Not to go too off-topic, but that post from 2015 has a response from 2019, how is that even possible? I thought HN auto locked posts after x number of days / years.
I don't want to go through the trouble of creating a throwaway to test it, but having worked in webdev long enough makes me believe it's possible that restriction is only on the frontend and some well placed curl may sidestep it
2 replies →
You can't pick and choose "Not a real scotsman" since 99% of users will be on bigcorp 2FA that does it in most ass-backwards way possible. 2FA as mobile apps locked to hardware is not going to go away without 2FA being replaced by something else.
And they wonder in random organizations and businesses that I am not willing to give all my personal details right away on first contact despite their 'utmost importance' of handling my data very securely, all this just to be informed about their product. And they seems to be offended with a "but we did it so for many years now" on my refusal and saying goodbye if they try to insist this "company policy".
Unluckily sooo many give zero or negative fáck among their potential and existing customers. This includes businesses providing medical services sending all the clien't data and medical results in clear text email and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those use their services. So they do as they plase with their data, not your data, not your concern if it is protected or not. And people go there and rate this service 4.8 on google, insane. Of course no-one really reads TOC, not even for sensitive medical services. People do not learn.
British Gas has taken to removing their bank account details from their invoices so that you have to set up an online account with them and then set up a Direct Debit (permission to take arbitrary amounts of money from your UK bank account).
Twilio requires Authy for 2fa for sendgrid and maybe even twilio itself instead of supporting more standardized 2fa that’d allow 1pass to be used. This is all the more frustrating because I was forced to use Authy to protect an account instead of my regular tooling and they still managed to screw it up. Twilio, take a hint and stop forcing people to use your custom thing
Ugh. I hate that some apps require use of specific auth apps. This should not be a thing, we have great generic systems for this already.
I just hate that some apps/services require 2FA. My 32 random characters which are unique to each service are secure enough. Adding another service on top just increases risk (as shown here; Authy was never going to do anything to protect me, but it has now leaked info about me.)
8 replies →
Yeah, Steam get with the program
My recollection is that someone reversed their algorithm and they used almost TOTP which hurts me even more because that implies that they knew about the standard and still chose violence
Long story time:
There's this small web portal in Poland that for years provides a simple free email service (and an instant messenger with same login) with occasional "messages from our sponsors" in your inbox - you had to tick your "interests" during registration. In time banners started to appear and that was still fine because the Web was still a pretty innocent place and tracking was years ahead of us. At some point inbox was getting flooded with spam; either one you had to have or outside the service because the domain was popular and probably addresses were scrapped from the associated instant messenger. Then, banners started to be aware of inbox content and sponsored messages included tracking - milking your habits and activity become a thing.
Fast forward to some 10 years ago the service offers a premium plan where you can turn off banners around inbox, the permanent banners that pretend to be emails at the top of the list. Of course paying turns off only these banners and sponsored messages and every other spam will pile up. There's a built-in filtering option but since people started to using it to get rid of these mandatory messages - it stopped working at all. And any filter entry is a dummy one. At this point it's more an ads and spam gallery with an optional email service. Instant messenger was killed off in 2016 as people preferred global networks, and so were small but popular discussions forums turned off.
Around same time portal was bought by what for year was a bigger competition to them (not the only one ofc). The idea that both portals should use a single login appears. So people saw messages at login saying that you should transfer your account to this unified platform because it's more secure and there are some "benefits". Later, a darkpattern message was displayed saying that the unified login service will be the only way to use all services including email. And this unified login comes with company's own 2FA mobile app which you can't replace with a generic generator of any kind. Aaand in the end, nothing really happens. The darkpattern messages disappear and you can still log into the email with same plain password you used for years. The 2FA becomes suddenly optional but "recommended". People complaining in Appstore reviews about login issues and fact that no generic generator works are suggested to talk with support where apparently something can be arranged.
What my hot guesses are is that the company believed that domestic service popularity combined with mandatory 2FA app that does collect a lot of additional unnecessary information will provide a steady source of money for this service. People accustomed for years to an attractive short local domain won't force themselves to move elsewhere. But that didn't work as planned and honestly, I don't know how they managed to survive till today.
I did created few addresses there but over the years I managed to move elsewhere; what was once cool and fast and plausible become obnoxious to use.
If you remember poczta o2 you surely remember tlen emoticon: [10ton] - that's the best way to sum up what happen to this portal and service.
1 reply →
Even worse.. 2FA is mandatory on Twilio products, so either install authy or don't use Twilio - no exceptions.
I use a normal authenticator app which is not Authy.
I was able to use my standard app for Twilio, but didn't manage to use anything but Authy with SendGrid. Is there a trick?
Yeah, no. You don't need to use Authy.
1 reply →
They should be held fully liable for damages for this kind of nonsense when indeed it goes wrong.
Authy uses a standardized QR code to seed your TOTP. This isn't true.
Have you tried it? They use a proprietary integration with Authy that prevents you from using anything else. No QR code is ever provided.
It's either Authy or 2FA through SMS, no other option.
Not true. Look at the documentation, authy or sms.
This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).
It took them two years to fix it.
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint
Isn’t it what you are describing?
Based on the reports that I’ve read so far, this vuln was different to the one I found, which was on an authenticated endpoint.
Definitely some similarities though, I’d love to see some concrete technical information on it.
I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
> I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
https://news.ycombinator.com/item?id=33244324
Authy is both a SaaS and a consumer-facing authenticator app.
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
The consumer app also wants your phone number... It prompts you to "backup" your codes, so that they're not gone if you reinstall the app or switch devices
you probably gave them your phone number at some point if youve got authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
5 replies →
What's Authy's proprietary TOTP protocol? Is it just in fact HOTP, like Duo?
https://news.ycombinator.com/item?id=20936222
Cloudflare should probably deprecate their Authy provider, considering they support other more secure MFA options (hardware and virtual WebAuthN). I believe Wise (ex TransferWise) and Plastiq also use Authy natively for SMS OTP server side, but provide no mechanism to disable SMS 2FA (boo).
https://authy.com/guides/cloudflare/
There's no "Use Authy" option any more in Cloudflare. It just says:
And clicking the button gives you a generic QR code to use with app of your choice.
2 replies →
Have you looked into the settings? On android you can see a cellphone-number and e-mail there. If they are missing, I guess it's not known to them.
Nothing in the iOS Settings app for Authy, but tapping the little gear icon in the app UI shows my phone number and email! I guess I did enter them at some point and forgot. Thanks.
If you use cloud sync I think it requires your phone number
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
One step we have taken is to build an auth system that requires you as the developer to explicitly specify the security of an endpoint using a decorator. If no decorator is provided, then the endpoint is completely locked down even to admins (effectively disabled).
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
.NET web apps / APIs have an option where you can require authorization on all controllers (and their actions) by default. If you need an anonymous controller/action, you can use the `[AllowAnonymous]` attribute on it.
1 reply →
That's pretty cool.
> that triggers additional review steps
Is this done by some sort of a linter running in CI?
It's a common problem. On a previous job, I'd found one unauthenticated endpoint just because I want to add some integration tests on it and my tests failed! After that, I'd created a script which lists all endpoints and curl each one with invalid credentials and expecting them to return 401.
This is really, really, simple.
1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
> 1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
So like, an authn/authz middleware ?
Mh, I'm probably comparing apples to oranges and such.
But the last 2-3 times I setup a config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
> necessities, like SSH access.
SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure
The break-glass is always a consideration, so it's no panacea but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api
I believe a lot of folks have had good experiences with Wireguard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM
This is actually a use-case I use for interviews.
1. Everyone tests authenticated user can do the right thing.
2. Can <wrong|expired> authenticated user access the data?
3. Can an unauthenticated user access data?
If there’s a testing framework that does this scaffolding automatically, I’d love to hear it.
Holy shit why is this even a question?? You. Write. Tests.
You build into your testing framework/library a mechanism that will craft sessions across your range of authentication-levels - unauthenticated (no-session), authenticated but unauthorized, etc. You mandate new endpoints must have permissions test in code review.
Simple, straight forward, and absolutely the bare minimum of competency for any endpoint returning personal data.
And then someone forgets to test that one thing for that one endpoint and no one notices ("mandate in code review" is not going to be fool-proof), or lines get crossed and they test the wrong thing.
This kind of arrogance is exactly how these mistakes get made.
It's sad how awful Twilio's engineering has become. I used it super early on and it was amazing, and while they had hiccups, they were never major and they were growing pains.
Today they have incidents almost every week, and now data breaches.
Yeah, its not surprising what a bunch of layoffs will do. The Authy people have been gone for a while.
Not financial advice:
Also having an investor base that demands removing as much equity compensation as possible. (Whilst, IMO, not being aggressive enough to cut executive compensation)
But it's no surprise that when you ask management/executives "who needs to be laid off", the answer is not that many managers/executives...
I do think Kho is the right person for the job though, and Aidan was surprisingly smart too, so I my[1] bet is that they'll get there.
[1]: I'm long twilio btw.
The company has had terrible profitability metrics and needed to cut a ton of fat. Maybe they laid off the wrong people though.
There really has to be steep repercussions for companies that fail to protect user data like this. At this point I can't help but feel that there is wilful neglect with the aim of exfiltrating data with unknowable aim.
Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.
More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.
Case in point, feeding haveibeenpwned with a bunch of HN user handles reveal a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles are very anti-regulation when it comes to user data ownership.
I agree the US in particular should have better data protection laws and consequences.
But phone numbers aren’t something I’d consider confidential in most cases. Hell, we used to publish our phone numbers in physical books and give them to the whole town for free (literally).
The data was even monetized with ads plastering every page. I guess the digital age isn’t all that different from the analog age (in certain ways!)
We didn't use phone numbers to prove our identity back then. It was only used to call you. You often wanted it to be public so you could be reached. Now it's a critical piece of information required to access services online and prove who you say you are.
that was before internet now phone number leaks can be way more troublesome due to the way all of our data is connected to it via 2FA
If you've got anything in Authy that isn't using the authy custom authentication scheme (ie. just regular TOTP) now is the time to get it out.
Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year. It requires getting the tokens loaded into the desktop app, then downgrading to an older version so you can use the chrome remote debugger to run a javascript function against the desktop app (embedded chromium) which pulls out the raw tokens and gives them to you.
> Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year
Oh. Fucking great. So I'm locked in to using Authy forever now I guess.
I hate 2FA. It literally does exactly nothing for security, it's just another tool for these big companies like Google and Twilio to put themselves between me and the services I need access to, all while locking me in to their services and siphoning out information they can sell to advertisers. I hate it. I hate the "security" people who are pushing this garbage. I hate everyone involved in this space. I hate that I now can't log in to anything without going to fetch my phone. I hate these people.
Haha, I see you manically rage posting in this topic. I empathise, it's fucking shit when "smart" people foist something unwanted on you because they think it's better for you. FWIW, I'm feeling pretty liberated to have moved my OTP codes out of authy and into multiple locations - my data, as much as I'd prefer not to use it, is now under my control.
You can get the old desktop version from chocolatey/choco - https://community.chocolatey.org/packages/authy-desktop/
If anyone wants to try this themselves, this is the recipe that worked for me;
- Enable multi device for authy on my phone
- Install the 3.0 desktop authy client from chocolatey
- Get logged in and set up on the desktop client so that you can see the current OTP codes (not the lock symbol)
- Uninstall the 3.0.0 desktop authy client
- Install the 2.2.3 desktop authy client from chocolatey (https://community.chocolatey.org/packages/authy-desktop/2.2.... or choco install authy-desktop --version=2.2.3)
- DISCONNECT FROM THE INTERNET AFTER OPENING 2.2.3 AND BEFORE IT POPS THE UPDATE DIALOG
- The update dialog will block the program and you can't use the chrome remote debugger in the later steps
- Start from step 2 of https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
3 replies →
Well, then now might be a good wakeup call to move those tokens to one of the many opensource apps that allow exports? Like Aegins, Authenticator Pro, etc.?
I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem).
I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.
Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.
I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when).
Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.
I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.
So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).
5 replies →
When I tried SendGrid it was super annoying that I had to install yet another Authenticator app on my phone. Now it’s become a point of data loss.
It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.
What are some of the SendGrid problems you're thinking about?
We built ente.io/auth
If you need a cross platform authenticator, do check it out.
FOSS, optional e2ee backups.
I switched to this from authy months ago and never looked back. Thank you!
I followed this guide - basically, run an older version of authy with devtools enabled and use the js console to export your items.
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
Glad to hear Auth is being useful!
If anyone else is considering a switch, our community has documented a migration guide here: https://help.ente.io/auth/migration-guides/authy
iOS/iCloud has a built-in TOTP function also. Maybe better for friends and family than some people here.
https://support.apple.com/guide/iphone/automatically-fill-in...
It's good. And the introduction of the Passwords app this fall will make it better.
But it seems to me that Apple only supports adding TOTP codes if you have a password for the account. Which is annoying if you want to split your passwords and second factor into two different places. (For example if you wanted Bitwarden for passwords and TOTP/Passkeys in Apple.)
You can of course put a dummy password in Apple. But that is kind of annoying.
I have been using Apple’s Passwords, it is great.
> due to an unauthenticated endpoint.
This is truly unacceptable for an authentication product.
An authentication product that doesn't implement authentication correctly in their own APIs?
IMO: I'm pretty sure this is less of an auth issue, than it is a rate limiting issue.
I haven't been able to find anything about the endpoint, but based on the data exposed[0] I think the endpoint they are talking about is the register one which requires a phone number.
I'd bet they didn't rate limit it, and someone just blasted through all phone numbers with it and stored the data for ones that didn't error out.
[0]
The CSV data columns:
account_id
phone_number
device_lock
account_status
device_count
So it's wardialing via the API then.
No wonder I've seen such a major spike in spam calls / texts.
I just migrated off of Authy last week but I was probably caught in this breach, ugh. Never liked it but they make it extremely difficult to export your data.
I used this project for exporting: https://github.com/alexzorin/authy
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
The lack of export in Authy is a really ugly choice they made. When I migrated to Aegis I used some hack that involved a desktop Electron app's javascript console. I wonder if that still works?
They don't offer Authy Desktop anymore officially and you need a specific version. Not sure if the hack still works if you have it installed.
I also just recently left for Aegis and have been very happy. I feel much better knowing that my 2FA is completely offline
Right, I did the same a while back. Aegis for Android and 2FAS for iOS. Never looked back.
Also, if anyone is going either direction, Android <-> iOS, both of these open source options allow easy export.
2 replies →
Do they offer a device-to-device sync with the desktop? Or is it all gone if you lose your phone?
Has anyone found a single open-source app that supports both mobile and desktop though? That was the attraction of Authy before they killed their desktop apps.
Most password managers support it and offer mobile + desktop clients.
i've switched to keepass right after first breach. it's not convenient to store the db on eg gdrive and sometimes it doesn't work, but that is way better than another SaaS app that will eventually leak my passwords/2fa codes.
The desktop version somewhat contradicts the purpose of 2FA.
3 replies →
Why do you need it to be a single app?
1 reply →
What did you end up moving to?
Storing 2FA in Bitwarden (my password manager) and Aegis as a fallback. Also making offline backups of each periodically.
3 replies →
Authy is basically unsupported. Not surprised. I switched my accounts to 1Password when they announced the end of life of the macOS app.
I chose Authy back in the day because that's what everyone was suggesting. I hate it. I hate the whole cyber"security" community.
> I hate the whole cyber"security" community.
Why do you hate the whole community?
1 reply →
That makes sense. In case it helps others... when they announced end of life of the mac app, that was because Apple Silicon macs can run the iOS version of Authy. So, if you have an M series mac then you can still use and get updates to authy.
Authy is terrible. I recently tried to delete my account, because I've (finally) moved everything to Keepass, and they make it as difficult as possible. Then they make you wait 30 days before they actually delete it, making sure to email you constantly in the mean time, to ask you to please reconsider. My 30 days expired a few days ago, so if they had actually deleted my account when I told them to, my info maybe wouldn't have been leaked.
Dog shit company. Avoid.
After I transferred everything I only had dead sites no longer around like FTX in the app. I feel like it needs to be left around as a kind of Time Machine…
I guess this explains the recent uptick in spam...
Authy makes it hard to migrate away. Anyone know how to get the seed of the 2FA codes? Is there really no export option?
Some months ago, I used https://github.com/alexzorin/authy to export them. It basically creates a dummy-device to access the tokens, and then exports them to some format. But I have not figured out how to import them now into another app.
Use the plaintext export option on that project. Most TOTP apps should accept the URIs that are exported. Maybe not en-masse but individually for sure.
1 reply →
I slowly migrated away from Authy when they decided to shut down their desktop authenticator. You can painfully export codes, though I generated new 2FA codes at every vendor.
I thought I had a lot of totp codes to migrate but then it turned out I didn't use many of them. After deducting them, there remained 10 apps that I needed to migrate. It took me an hour to port them to bitwarden manually.
Maybe? https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
Authy desktop is no longer available and you need a specific version.
2 replies →
Just write down any key before you store it in the Authy.
You'll have to reset them one by one.
I finished that process recently for 50+ accounts. It's something that I would definitely wish on my worst enemy.
1 reply →
I have removed all SMS based 2FA from every account that allows it and you should too.
I'm a bit confused how this is relevant. Authy is a OTP app, nothing to do with SMS.
Authy uses SMS based recovery of your entire account, a weaker link that a single service using SMS based OTP
1 reply →
and we should do product liability lawsuits on every service that only allows SMS based one time passwords, if they don't allow a client side only option
Why? 2fa doesn't meaningfully add security if you're using decent passwords, and SMS-based 2fa is no less secure than no 2fa
2 replies →
So fun story, I recently switched away from Authy for various reasons, but the key one was that I had to restore from a backup on a device and when I did so I realized the Authy had never actually deleted any of the 2FA/TOTP accounts I'd configured over the years, things that had been deleted on device literally 5+ years ago were still stored and available on request via their API.
In general, after that I started poking, and discovered a lot of things I hadn't bothered looking into before that make me extremely suspect of Authy's general security.
For those looking for an alternative, I use 2FAS and Yubico Authenticator with a Yubikey now. Yubikey only allows you to store up to 32 TOTP slots, which is very limiting (I have more than 60 TOTP accounts for 2FA), so I use two apps and "tier" my 2FA.
Terrible. Glad I moved away from Authy a long time ago. Small reminder that I need to delete the account though.
I still remember how hard was the process to be hired in this company. Maybe just a mask to hide the sad truth.
The main reason I didn't use Authy was that it requested phone number when signing up, and it didn't make any sense to me why they'd need it. Since then, I've been using 2FAS, since there's no personal data that can be leaked.
For iPhone, put the phone in do not disturb. It will send all calls to voicemail. If someone is on your emergency contacts, favorites, or 1by1 focus then a repeated call will actually ring your phone. Otherwise no notification. Not even a text counter increase unless the person taps (notify anyway).
Tried to do the same on an android phone and it didn’t work.
You can also port your phone to google voice or Fi and give away all your call information to them. Very few spam calls get through their filter.
I like the change phone area code to out of area and block all phone calls from that area that some call services provide.
Actually, I have a Samsung S20+ and "Do not disturb" works pretty well, even scheduled
One major problem I see with this hack is that the phone numbers exposed in the leak is the single factor of authentication needed to get access to an Authy account, including all the MFA tokens that the account has saved.
If there are any high-profile victims in this list SIM Swapping those phone numbers should be a very attractive approach.
I think security cautious companies should consider turning off multi-device support and start planning for a migration. This leak feels way riskier to me than what media reports it to be.
But it's not the single factor?
> There are account recovery options outside of multi-device, but those require the attacker to compromise your primary email. These also take a minimum of 24 hours, during which you would receive email notifications, and could request a cancellation
https://help.twilio.com/articles/19753631468059
And for multi device you can require current device to approve new ones
I just had to try it out now to make sure I'm correct on this and I believe I am. Here's what I found:
Multi-entity is enabled by default when creating an account. Enrolling a second device is possible via an OTP code received via a text message. This makes the phone number (in my mind at least) the default single-factor needed to access an Authy account.
As far as I can tell, the user has to either enroll either a second device, or manually disable multi-device support to make Authy SIM swapping resistant. I have not been an active Authy user for many years now so I might be mistaken here, but I strongly suspect a majority of Authys non-technical users have not done either. Meaning they would be susceptible to SIM Swapping attacks.
My old Authy account definitely was, at least.
It feels funny to say "Hacker" when it was just someone one using something on the open internet the way it was (defacto) designed for, and just used it a lot.
Like if I crawl hackernews and download all the somethings am I a "hacker"?
To me a hack is some kind of escalation of privilege beyond what I'm truly entitled to (such as stuffing passwords, tricking software to run a payload, crafting a payload for service A so that it tricks Service B) ...
Not using curl on a loop.
How come companies don't care about encrypting their users' data in their databases?
It's been possible for a very long time now.
Yet, companies keep leaking. And people keep sleeping.
Why would that have helped? The endpoint was exposing the data, not the database. The endpoint would have simply decrypted.
encryption of data at rest is for hard drives that walk off, not for access.
As alternatives: I use Authenticator Pro on my phone and keep encrypted backups whenever I modify it. I know others have pointed out Aegis.
The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!
You can rename them as they are migrated
consider* putting endpoints on a private overlay network in which network access is cryptography-gated (e.g. x.509 cert based).
then, a misconfigured endpoint (or a zero day etc.) can't be exploited by any_actor_on_the_internet - actors need to first complete the provisioning process you choose to enforce to be authorized to use the private overlay.
*not one size fits all, e.g. bad option if endpoints need to accept requests from unknowns.
however, many endpoints only need to accept requests from known (identified, authenticated, authorized) endpoints, and the added friction to id/authN/authZ get use the private overlay is not a business impediment.
there is a stigma here due to the horrors of NAC on private enterprise WANs. but NAC goals can be accomplished without that baggage via internet overlays and modern cryptography.
to be clear, i am by no means advocating to abandon traditional methods of endpoint auth - this it is just another layer which recognizes that single layers are rarely airtight (e.g. what just happened to Authy and Twilio).
> many endpoints only need to accept requests from known (identified, authenticated, authorized) endpoints
Do you mean clients for the last part? I'm not a networking expert but I don't see how layering on certs here is going to help?
I recently setup a focus profile on my iPhone that only lets calls ring through from knowns contacts. There is going to be an adjustment period as I discover people and companies (such as doctors/hospitals) that I want to allow calls from and add them to the whitelist. But otherwise, it has been really nice to cut down on all of the interruptions.
You can flip on the option in the settings to silence unknown callers. It does a decent job, and prevents a lot of the manual micro-managing. I will sometimes toggle it off if I’m expecting a call from an unknown number, but it will also pull numbers it sees in texts and email and known.
I manually set this up several years ago, to only ring for contract in my address book. It was annoying, but worked. At the same time, I submitted the feature request to Apple and it came to iOS about a year later.
I found my calls have gone down dramatically since using it. I used to get 3-4 calls per day. Now, even if I have the feature toggled off, I might get a couple calls in a month. Once the number appears inactive, I think it drops off a lot of lists.
Thank you for drawing attention to this. Whenever I've scrolled past that option in the settings, I incorrectly assumed how it works and it's actually much more useful than I realized. I've adjusted my settings accordingly and I'll give it a chance. Thanks again.
I have to thank this hacker for motivating me to move fully off this app again. Stopped being useful without the desktop app.
Sucks that Twitch.tv still relies on it. My only service that uses it still, I’ve since migrated to other managers
I have resisted moving off Authy as I liked the idea of cross-platform cloud sync. That'll teach me. Any other suitable alternatives? Aegis is android only. I do run vaultwarden, but it means I need another 2FA to login to it, before I can use it as a 2FA for other sites.
Bitwarden released a standalone authenticator app recently. You can give it a try.
https://bitwarden.com/blog/bitwarden-just-launched-a-new-aut...
Does this mean you can export the backup and run a separate authenticator, yet both are sync'd?
This doesn't sync across devices/os, does it?
KeePassXC (and the associated apps) can store TOTP, and you can sync it with SyncThing on any device. Add an always-on NAS with SyncThing and you'll always have an up-to-date vault, even when your other devices are offline.
2FAS - https://github.com/twofas and I did replaced Authy with it some year ago; I'm using it mainly on iPhone while having a backup file on desktop and second app installed on Samsung phone
Could try that FOSS ente app
And there is a FOSS app I forgot the name of to allow exporting Authy tokens from cli
Does anyone have a recommendation for an Open Source 2FA OTP app? That's the only thing I use Authy for, to scan the QR Codes into the App and generate the 2FA tokens, but in a way that allows me to migrate to another phone without having to re-set all the 2FA tokens on the vendor side.
For Android I'd recommend Aegis
https://f-droid.org/packages/com.beemdevelopment.aegis/
Or if you have a YubiKey you could also use it for TOTPs
Windows, Linux, Android: https://github.com/Yubico/yubioath-flutter
iOs: https://github.com/Yubico/yubioath-ios
I personally use Bitwarden for TOTPs (with a self hosted vaultwarden instance), it's by far not the most secure way to store your passwords and TOTPs next to each other, but it saves so much time.
This.
I migrated to Aegis a while back because I wasn't happy with how hard it is to get secrets out of Authy, or that someone else is managing them, and they they need my phone number (guess I was right, again).
I use Folder Sync on my Android to sync the Aegis auto-backups to a MinIO bucket I host at home.
Ente Auth or bitwarden builtin one or keepassXC builtin one.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
(1) https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
I'm of the opinion that it's basically fine yo store them in your password manager. Yes if your password manager is broken into you lose everything (same as having no 2fa in that case), but you still prevent people from guessing your password and often avoid having to deal with email- or text-based 2fa. And if your password manager is broken into, there's a good chance your device has been broken into, in which case it doesn't matter where you store your 2fa.
I mix it up and store some 2FA on different apps.
When it’s not a system I’m deeply concerned about I will just use the 2FA on the password manager.
I use andOTP https://github.com/andOTP/andOTP and my favorite feature is the database of 2FA can be backed up PGP-encrypted and reimported on another device. But sadly it is no longer maintained. The latest version on Google Play Store is from 2021 and can still be installed and works fine on Android 14.
For Android, if you happen to use Keepass as your password manager, I really like KeePassDX[0]. If the camera app you use doesn't support QR scanning, though, you'd need an app for that (and I don't think any FOSS camera apps implement this, as for as I can tell).
This one[1] seems the most up-to-date, by a German research group. You'd share the link as text to the KeePassDX app, search for the entry it's for, and it populates it with the HTOP/TOTP secret.
There are iOS Keepass clients that support this as well, though from what I can tell there's some drama with source code[2][3] in the landscape.
[0] https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
[1] https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
[2] https://github.com/MiniKeePass/MiniKeePass/issues/606
[3] https://keepassium.com/articles/keepass-apps-for-ios/welcome...
And other allegations under the ethics & transparency sections of KeePassium's list of iOS alternatives https://keepassium.com/articles/keepass-apps-for-ios/
I started with Keepassium but ended up with Strongbox which has been great.
4 replies →
I used Aegis for a while and really liked it, switched to Bitwarden now but the UX was better
I use both and make offline backups regularly.
I've implanted my 2FA token in my arm and just hope it never breaks :D
Which one did you get? Did you get the Apex Flex from Dangerous Things? How do you like it/how was the process?
https://dangerousthings.com/product/apex-flex/
If you do not need QR codes, oathtool is great. You can protect your tokens, recovery codes etc. with gpg -c or similar, so the encryption is entirely separate from the authentication mechanism.
And you actually know what is going on. Works for GitHub.
https://www.nongnu.org/oath-toolkit/
As mentioned elsewhere, Aegis and Authenticator Pro are both good on Android. Both are available on Play Store and on F-Droid.
I use a YubiKey with their Authenticator app.
https://2fas.com/
I‘m using Raivo. It hasn’t let me down, yet
Raivo was bought by a shady developer last year and is no longer open source. If that wasn’t enough, a few weeks ago they released an update which deleted all your codes - failing at literally the one job a 2FA app has!
The same Raivo that was sold to some shady dev who proceeded to delete all of the OTPs that I had in the app?
https://www.reddit.com/r/privacy/comments/1d3zqvv/raivo_auth...
I only answer the phone now if I know the caller or if I’m expecting a call, and even then I would usually let it go to voicemail and call them back.
I had to use authy for damn twitch which couldn't go for normal authenticator. Thank you -.-
Good motivation to stop using Authy.
What is a good alternative?
Besides all the other advice of using the password manager as a 2FA store as well, on the stand-alone side there is Aegis. I have good experience with it, and allows better interoperability than Authy as well.
Aegis (Android), supports automatic backups. There is also Ente Auth (it's been mentioned on this site), but I haven't used it much.
On iOS, I’ve been using “OTP Auth”.
While it’s nice that password managers can handle this as others have mentioned, the whole point of a 2nd factor is to ensure an attacker can’t get in if they somehow get your password. Storing the second factor along with the 1st factor doesn’t make much sense to me.
Most likely whatever password app you use supports these now. I know for myself, I started using Authy long long ago when there were not really many options.
In my case, 1 Password can do this now. I believe the same is true for Bitwarden and Apple passwords.
3 replies →
I'll join the choir and recommend Aegis. It's slick, got features, code on Github.
We should have something similar to Apple's hide my email for phone numbers
We’d probably need dedicated country codes to handle the volume.
What’s a better 2FA product that is E2E encrypted and lets me export the seeds?
I never trusted them, I hated the fact of having to use SMS.
How to confirm if my number was one of the leaked ones?
I suppose https://haveibeenpwned.com/ will add the information when it can be verified.
Can you imagine being the one to tell the CEO.
Auth0, Authy, Okta, and the like were and are the fail of delegating critical functions to third-parties.
For authentication, authorization, and 2FA, run it yourself on-prem or go home.
Damn 2FA with telephone numbers, I hate it!
09040246964
what do people use instead of twilio today? they make 2dcp verifications take too long
Jesus fucking Christ. Can these companies learn how to write software? Quality is dropping like dogs. Twilio used to be a good company and now they are utter shite. Such a shame. Leetcode and bad hiring practices have done this to our industry.
Neither bad hiring not leet code is a problem with Twilio properties in my experience. Quality however, that gets railroaded by "deliverables" -- the problem is craftsmanship is hard to maintain and manage as companies scale while priority shifts to product announcements.
There needs to be penalties. Massive penalties for breaches like this. That is the real problem. Nothing will happen to Twilio even though they caused such loss. They need to suffer economically for this, then quality will improve.
It seems much easier to pin the ever-decreasing quality of software on the practice of trying to keep everything secret (propriety). Like, obviously it's not secure if they don't let people audit it...
Agile practices and the elimination of proper QA are also part of the problem.
is this just like
anotherservicetwilioruined.example.com/api/doesthispersonhaveanaccount?phone=+12012000000
and then the service says 'yeah that number has an account' (and nothing else?)? then whomever repeats that for every possible phone number?
or... more than that?
That app is so dumb. Completely negated the usefulness of TOTP. Needs just to die already. Some executive over at Twilio signed the check for Authy acquisition and is still trying to justify the expense.
"Company who thought they'd lost all public trust loses last additional bit of trust they didn't even know they still had, more at 11."
My goodness, for the 100,000th time, just stop using phone numbers for 2FA. (I know you won't anyway)
There are no more excuses other than asking for your phone to be sim-swapped and your bank accounts or your wallets to be drained by call centers.
If this breach doesn't scare you from using phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.
Authy doesn't implement SMS 2FA (how could it). A phone number is part of your user profile for registered mobile devices hosting the app.
> Authy doesn't implement SMS 2FA (how could it).
https://www.authy.com/integrations/ssh/
"Someone in your organization doesn't have a smartphone? We got you covered. Authy SSH can send them the token via SMS or a phone call."
Even worse... Sounds like phone number is irrelevant, yet they collect it.
8 replies →
That is brilliant news for SIM swappers and criminals now that they can gain access to your codes directly with your phone number!
A terrific reason to avoid anything Twilio / Authy
2 replies →
> for the 100,000th time, just stop using phone numbers for 2FA.
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate it to you (Signal, I’m looking at ya!)
However, easier said than done, some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data get leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
If you use Authy, turn off "allow multi-device" and SIM-swapping isn't an issue. This should be on regardless of the leak.
But one of the selling points for me was to allow multiple devices so that if one broke I'd still have access.
3 replies →
It doesn’t scare me because in Authy you also set a password which without you cannot access the codes.
The phone number here just acts as a username.