
Comment by zenkan

2 years ago

One major problem I see with this hack is that the phone numbers exposed in the leak are the single factor of authentication needed to get access to an Authy account, including all the MFA tokens that the account has saved.

If there are any high-profile victims in this list, SIM swapping those phone numbers should be a very attractive approach.

I think security-cautious companies should consider turning off multi-device support and start planning for a migration. This leak feels way riskier to me than what media reports it to be.

But it's not the single factor?

> There are account recovery options outside of multi-device, but those require the attacker to compromise your primary email. These also take a minimum of 24 hours, during which you would receive email notifications, and could request a cancellation

https://help.twilio.com/articles/19753631468059

And for multi-device you can require the current device to approve new ones.

  • I just had to try it out now to make sure I'm correct on this and I believe I am. Here's what I found:

    Multi-entity is enabled by default when creating an account. Enrolling a second device is possible via an OTP code received via a text message. This makes the phone number (in my mind at least) the default single-factor needed to access an Authy account.

    As far as I can tell, the user has to either enroll a second device or manually disable multi-device support to make Authy SIM-swapping resistant. I have not been an active Authy user for many years now, so I might be mistaken here, but I strongly suspect a majority of Authy's non-technical users have not done either, meaning they would be susceptible to SIM swapping attacks.

    My old Authy account definitely was, at least.