Comment by zenkan
2 years ago
I just had to try it out now to make sure I'm correct on this and I believe I am. Here's what I found:
Multi-entity is enabled by default when creating an account. Enrolling a second device is possible via an OTP code received via a text message. This makes the phone number (in my mind at least) the default single-factor needed to access an Authy account.
As far as I can tell, the user has to either enroll either a second device, or manually disable multi-device support to make Authy SIM swapping resistant. I have not been an active Authy user for many years now so I might be mistaken here, but I strongly suspect a majority of Authys non-technical users have not done either. Meaning they would be susceptible to SIM Swapping attacks.
My old Authy account definitely was, at least.
No comments yet
Contribute on Hacker News ↗