Comment by denkmoon

2 years ago

If you've got anything in Authy that isn't using the Authy custom authentication scheme (i.e. just regular TOTP), now is the time to get it out.

Exporting the raw TOTP tokens can only be done from the desktop version, which is currently deprecated and scheduled to be nuked from existence later this year. It requires getting the tokens loaded into the desktop app, then downgrading to an older version so you can use the Chrome remote debugger to run a JavaScript function against the desktop app (embedded Chromium), which pulls out the raw tokens and gives them to you.

> Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year

Oh. Fucking great. So I'm locked into using Authy forever now, I guess.

I hate 2FA. It literally does exactly nothing for security, it's just another tool for these big companies like Google and Twilio to put themselves between me and the services I need access to, all while locking me in to their services and siphoning out information they can sell to advertisers. I hate it. I hate the "security" people who are pushing this garbage. I hate everyone involved in this space. I hate that I now can't log in to anything without going to fetch my phone. I hate these people.

  • Haha, I see you manically rage posting in this topic. I empathise, it's fucking shit when "smart" people foist something unwanted on you because they think it's better for you. FWIW, I'm feeling pretty liberated to have moved my OTP codes out of authy and into multiple locations - my data, as much as I'd prefer not to use it, is now under my control.

    You can get the old desktop version from chocolatey/choco - https://community.chocolatey.org/packages/authy-desktop/

    If anyone wants to try this themselves, this is the recipe that worked for me:

    - Enable multi device for authy on my phone

    - Install the 3.0 desktop authy client from chocolatey

    - Get logged in and set up on the desktop client so that you can see the current OTP codes (not the lock symbol)

    - Uninstall the 3.0.0 desktop authy client

    - Install the 2.2.3 desktop authy client from chocolatey (https://community.chocolatey.org/packages/authy-desktop/2.2.... or choco install authy-desktop --version=2.2.3)

    - DISCONNECT FROM THE INTERNET AFTER OPENING 2.2.3 AND BEFORE IT POPS THE UPDATE DIALOG

    - The update dialog will block the program and you can't use the chrome remote debugger in the later steps

    - Start from step 2 of https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...

    • It does not work now. If I try to log in, a message pops up: "The device does not meet the minimum integrity requirements".

    • Thank you for the time you took to write this out. I'm sure it'll help people. It would probably work if I used Windows, but I don't.

    • Great comment. Authy seems to be taking a user-hostile stance by taking people's OTPs hostage this way.

  • Well, then now might be a good wake-up call to move those tokens to one of the many open-source apps that allow exports? Like Aegis, Authenticator Pro, etc.?

  • I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem).

    I've been using pass (https://www.passwordstore.org/) for quite a few years now, and it allows you to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone.

    Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these.

    I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and macOS), which renders a QR code that I can scan into a TOTP app like Google Authenticator (as if I were first signing up for 2FA via the original website or service; the only thing that changes is who generates the QR code and when).

    Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know.

    I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app.

    So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours).
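The re-seeding workflow described in this comment, as an added example that is not the commenter's own script: it builds the otpauth:// URI a TOTP app expects from a stored base32 secret, and also computes the RFC 6238 code locally so the stored secret can be checked against what the app shows before relying on it. The issuer and account names are constructed placeholders; the QR rendering is left to an external qrencode invocation.

```python
"""Added example: otpauth:// URI construction and RFC 6238 TOTP verification
using only the Python standard library. The secret is the "seed" the comment
refers to; the standard term is the shared secret."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode


def normalize_secret(secret):
    """Strip the spaces people add for readability, upper-case, and pad so
    base64.b32decode accepts secrets whose length is not a multiple of 8."""
    s = secret.replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def build_otpauth_uri(secret, account, issuer, digits=6, period=30, algorithm="SHA1"):
    """Return the otpauth://totp/ URI (Key Uri Format) that authenticator apps
    scan; label and query parameters are percent-encoded."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": normalize_secret(secret).rstrip("="), "issuer": issuer,
                        "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


def totp(secret, for_time=None, digits=6, period=30):
    """Compute the HMAC-SHA1 TOTP code for the secret at the given Unix time
    (current time if None), exactly as an authenticator app would."""
    key = base64.b32decode(normalize_secret(secret), casefold=True)
    counter = int((time.time() if for_time is None else for_time) // period)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def qrencode_argv(uri):
    """Command line that renders the URI as a QR code in the terminal;
    run it with subprocess.run(qrencode_argv(uri)) when qrencode is installed."""
    return ["qrencode", "-t", "ANSIUTF8", uri]


if __name__ == "__main__":
    # Constructed placeholder secret (the RFC 6238 test key, base32-encoded).
    seed = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    uri = build_otpauth_uri(seed, "alice@example.com", "ExampleService")
    print(uri)
    print("current code:", totp(seed))
    print(" ".join(qrencode_argv(uri)))
```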