Comment by hypeatei
2 years ago
I just migrated off of Authy last week but I was probably caught in this breach, ugh. Never liked it but they make it extremely difficult to export your data.
I used this project for exporting: https://github.com/alexzorin/authy
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
The lack of export in Authy is a really ugly choice they made. When I migrated to Aegis I used some hack that involved a desktop Electron app's JavaScript console. I wonder if that still works?
They don't offer Authy Desktop anymore officially and you need a specific version. Not sure if the hack still works if you have it installed.
I also just recently left for Aegis and have been very happy. I feel much better knowing that my 2FA is completely offline.
Right, I did the same a while back. Aegis for Android and 2FAS for iOS. Never looked back.
Also, if anyone is going either direction, Android <-> iOS, both of these open source options allow easy export.
2FAS also exists for Android; is Aegis superior, or do you not use 2FAS on Android for another reason?
Do they offer a device-to-device sync with the desktop? Or is it all gone if you lose your phone?
Has anyone found a single open-source app that supports both mobile and desktop though? That was the attraction of Authy before they killed their desktop apps.
Most password managers support it and offer mobile + desktop clients.
I've switched to KeePass right after the first breach. It's not convenient to store the db on e.g. gdrive and sometimes it doesn't work, but that is way better than another SaaS app that will eventually leak my passwords/2FA codes.
The desktop version somewhat contradicts the purpose of 2FA.
In this case, what if you use 2FA while browsing with your phone? Wouldn't that also contradict the purpose?
The main purpose is that people won't get phished as easily, or if they reuse passwords it can't be abused. Or if a password was to leak for any reason.
Good thing that 2FA is entirely unnecessary.
Not really, 2FA is literally just that: a second factor.
It makes it unlikely someone has access to both your password and the TOTP URI. So, if you leak your password on a public forum (for example), the person who gets that is not likely to also have your TOTP info.
Why do you need it to be a single app?
Because I don't want to manually sync between desktop and mobile?
What did you end up moving to?
Storing 2FA in Bitwarden (my password manager) and Aegis as a fallback. Also making offline backups of each periodically.
Doesn't Bitwarden require you to be on the paid subscription plan to use 2FA? That's what I concluded anyway from trying to research this garbage when Microsoft was threatening to lock me out of my GitHub account. It's why I ended up on Authy.