Comment by snowwrestler

2 years ago

I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?

I’m trying to see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.

> I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?

Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.

https://news.ycombinator.com/item?id=33244324

Authy is both a SaaS and a consumer-facing authenticator app.

When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.

Your phone number would only be at risk if you used a service which used Authy for SMS 2FA.

  • The consumer app also wants your phone number... It prompts you to "backup" your codes, so that they're not gone if you reinstall the app or switch devices

    You probably gave them your phone number at some point if you've got Authy on multiple devices.

    /Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.

    • Figures. I stand corrected then.

      We used Authy for 2FA at my last company and migrated off it to use a complete auth platform. The amount of user (consumer and business) hostile shit we found in the process was astounding.

      Twilio was nice to work with way back when it was the only decent API-driven POTS connection service out there. They've steadily gotten worse over the years and acquisitions though. Wouldn't recommend them to my worst enemy these days.

Cloudflare should probably deprecate their Authy provider, considering they support other more secure MFA options (hardware and virtual WebAuthn). I believe Wise (ex TransferWise) and Plastiq also use Authy natively for SMS OTP server side, but provide no mechanism to disable SMS 2FA (boo).

https://authy.com/guides/cloudflare/

  • There's no "Use Authy" option any more in Cloudflare. It just says:

        Mobile App Authentication
        Secure your account with TOTP two-factor authentication.
    

    And clicking the button gives you a generic QR code to use with app of your choice.

    • Thank you for correcting me. Cloudflare was presented as an Authy token that would be destroyed when I deleted my Authy account, and some of the docs I found led me to believe this was still actively in use. I retract the Cloudflare part of my above comment.

Have you looked into the settings? On Android you can see a cellphone number and e-mail there. If they are missing, I guess it's not known to them.

  • Nothing in the iOS Settings app for Authy, but tapping the little gear icon in the app UI shows my phone number and email! I guess I did enter them at some point and forgot. Thanks.