Comment by eviks

2 years ago

But it's not the single factor?

> There are account recovery options outside of multi-device, but those require the attacker to compromise your primary email. These also take a minimum of 24 hours, during which you would receive email notifications, and could request a cancellation

https://help.twilio.com/articles/19753631468059

And for multi-device you can require the current device to approve new ones

I just had to try it out now to make sure I'm correct on this and I believe I am. Here's what I found:

Multi-entity is enabled by default when creating an account. Enrolling a second device is possible via an OTP code received via a text message. This makes the phone number (in my mind at least) the default single-factor needed to access an Authy account.

As far as I can tell, the user has to either enroll a second device or manually disable multi-device support to make Authy SIM-swapping resistant. I have not been an active Authy user for many years now, so I might be mistaken here, but I strongly suspect a majority of Authy's non-technical users have not done either, meaning they would be susceptible to SIM swapping attacks.

My old Authy account definitely was, at least.