Comment by rvz
2 years ago
My goodness, for the 100,000th time, just stop using phone numbers for 2FA. (I know you won't anyway.)
There are no more excuses other than asking for your phone to be sim-swapped and your bank accounts or your wallets to be drained by call centers.
If this breach doesn't scare you from using phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.
Authy doesn't implement SMS 2FA (how could it). A phone number is part of your user profile for registered mobile devices hosting the app.
> Authy doesn't implement SMS 2FA (how could it).
https://www.authy.com/integrations/ssh/
"Someone in your organization doesn't have a smartphone? We got you covered. Authy SSH can send them the token via SMS or a phone call."
Even worse... Sounds like the phone number is irrelevant, yet they collect it.
It's used to store and retrieve your 2FA secrets in case you lose your device.
How else are they going to track people with a hard-to-change identifier?
That is brilliant news for SIM swappers and criminals now that they can gain access to your codes directly with your phone number!
A terrific reason to avoid anything Twilio / Authy.
In fairness, you cannot. It requires a backup password.
> for the 100,000th time, just stop using phone numbers for 2FA.
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate them with you (Signal, I'm looking at ya!).
However, easier said than done: some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data gets leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
If you use Authy, turn off "allow multi-device" and SIM-swapping isn't an issue. This should be on regardless of the leak.
But one of the selling points for me was to allow multiple devices so that if one broke I'd still have access.
You can enable multi device, and have it on multiple devices, then disable it (and keep it on multiple devices - it's just that then adding yet another device needs toggling multi-device on from an existing device, a confirmation SMS is not enough).
People with this use case would need to be comfortable taking on the extra risk.
It doesn't scare me because in Authy you also set a password, without which you cannot access the codes.
The phone number here just acts as a username.
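The model several commenters describe (the phone number only indexes a backup record; a separate password is what actually unlocks the TOTP secrets) can be illustrated in code. The following is an added example written for this thread, not Authy's or Twilio's code, and it does not claim to reproduce their scheme. It assumes a vault dict keyed by phone number, an scrypt-derived key pair, and an encrypt-then-MAC construction built from HMAC-SHA256 as a stand-in for a real AEAD such as AES-GCM; a production system would use a vetted AEAD instead. The TOTP generator follows RFC 6238 (SHA-1, 30-second step) so its output can be checked against the RFC test vector.

```python
import hashlib
import hmac
import os
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1 (the common default)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the backup password with scrypt into an encryption key and a MAC key."""
    km = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Illustrative HMAC-SHA256 counter-mode keystream (assumption: stand-in for a real AEAD)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return out[:length]


def seal(secret: bytes, password: str) -> dict:
    """Encrypt-then-MAC a TOTP secret under a password-derived key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(record: dict, password: str):
    """Return the secret, or None when the password is wrong or the record was tampered with."""
    enc_key, mac_key = _derive_keys(password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # MAC check fails before any plaintext is produced
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks))


def recover_code(vault: dict, phone_number: str, password: str, unix_time: int):
    """What a 'restore on new device' looks like: the phone number only locates the record;
    the code is only reachable if the backup password unseals it."""
    record = vault.get(phone_number)
    if record is None:
        return None
    secret = unseal(record, password)
    return None if secret is None else totp(secret, unix_time)


# Constructed sample data: an RFC 6238 test-vector secret stored under a fake phone number.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PHONE = "+1-555-0100"  # constructed placeholder, not a real number
SAMPLE_PASSWORD = "correct horse battery staple"
VAULT = {SAMPLE_PHONE: seal(SAMPLE_SECRET, SAMPLE_PASSWORD)}

if __name__ == "__main__":
    now = int(time.time())
    # Possession of the phone number alone (what a SIM swap yields) gets ciphertext, not codes.
    print("wrong password ->", recover_code(VAULT, SAMPLE_PHONE, "guess", now))
    print("right password ->", recover_code(VAULT, SAMPLE_PHONE, SAMPLE_PASSWORD, now))
```

The point of the layout is that the vault lookup by phone number yields only a sealed record; without the password the MAC check fails and no secret, and therefore no code, is ever produced. This is exactly why the "turn off multi-device and set a strong backup password" advice above makes a SIM swap far less useful to an attacker, and why the phone number in this design is a username rather than a credential.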