Comment by feld

11 years ago

Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.

This is not in the spirit of 2FA.

16 comments

feld

Reply
Icyerasor  7 years ago

An in my opinion crucial information is missing in the discussion that unfolded here 4 years ago; still this discussions comes up as a top result when searching for "authy telephone number required" and that is why I want to add something for current and future references: The phone number is only needed to recover access to your encrypted data that is stored on authys servers.

If you're questioning yourself whether authy is trustworthy because they require you to provide a phone number for a 2FA-TOTP-Method that does technically not require it at all(!) and thus could pose a potential security degredation, check the FAQ about account recovery/passwords here: https://support.authy.com/hc/en-us/articles/115001950787-Bac...

Quote: * The Backups password is never sent nor stored in our servers for your security * Like the Backups password, the App Protection PIN (and optional biometric data) is never stored in our servers * Like the Backups password and App Protection PIN, the Master Password is never stored in our servers

the question still is if you trust those promises - but as authy is backed by twilio (thus lots of 2FA-SMS are already processed by them) the chances are good those guys know what they do and do it responsibly

danielpal  11 years ago

Hi, good question. The reason for the phone number is that we depend on your phone number as part of your identity. Almost all 2-FA systems today use the phone number as a way to send you the code via text/phone call. If you read my blog post: blog.authy.com/twilio you'll see we decided to build our infrastructure on top of the telecom infrastructure because it was ubiquitous.

I also understand why some people don't like clouds backups. The good news is that backups are off by default and optional. If you don't need them, you can keep them disabled.

  • feld  11 years ago

    This tweet indicates you're using TOTP, slightly modified from Google's implementation:

    https://twitter.com/authy/status/498244613766139904

      @benmcginnes Yes we are RFC 6238 TOTP compatible. 
  Same algorithm as GAuth but 7 digits, 256 bit keys and 10 seconds window.

    So why do you still need my phone number? There's no network connection or SMS required to generate those TOTP codes. I'm not buying the story that you need to text me or call me unless you're storing the seed/token centrally and sending it to users upon request which I strongly disagree with. That should only be stored on the user's device.

    • mcdoug  11 years ago

      For those interested in how TOTP is implemented, here it is in Python [1] and Ruby [2]. It is really simple and understandable. Oh, and did you know you can secure your SSH connections using TOTP [3]?

      This stuff is no more complicated than storing password hashes. Having a nice client app is good, but Google Authenticator is good enough. So instead of using authy and relying on a third party, why not get something like [4] and be done with it?

      [1] https://github.com/nathforge/pyotp

      [2] https://github.com/mdp/rotp

      [3] http://delyan.me/securing-ssh-with-totp/

      [4] https://github.com/mtigas/django-twofactor

      1 reply →

    • maxerickson  11 years ago

      Authy exists to make 2 factor easier for people implementing it. Some users will want methods other than TOTP, so they support methods other than TOTP.

      If they don't have a phone number they can't do all that transparently, which is bad when you are aiming your service at a broad audience.

      2 replies →

    • rglullis  11 years ago

      Ok, serious question: how do you manage your tokens? What happens if your device flies out of the window?

      A couple of months ago I managed to break the screen of my tablet with 20-30 services I use 2FA (Google Authenticator). I had to spend about 50 bucks just to get a new screen and repair it.

      For some of these services I had the token saved on my keepass, but I always felt a little dirty doing that. If there was a way to keep backups of Google Authenticator data, I'd take it in a heartbeat.

      3 replies →

  • fluidcruft  11 years ago

    "identity" isn't part of the 2FA concept (nor should it be)--you're shoehorning in something that doesn't belong.

  • higherpurpose  11 years ago

    Is that method of sending the Authy authentication code any more secure than all the "regular" SMS-based 2FA methods (like say Gmail's SMS-based 2FA)? If so, how?

    I think Google's (or Microsoft's because I think they use a similar SMS-based 2FA) method could be easily manipulated by intelligence agencies for example with access to the carriers' networks. The Google Authenticator app is now completely useless for Gmail as well, since they made it to fallback to SMS-based 2FA if you forgot your password (ugh - why Google? WHY?!).

  • sswaner  11 years ago

    > we decided to build our infrastructure on top of the telecom infrastructure because it was ubiquitous.

    I am not very familiar with Authy, but I have built pin-code 2FA solutions using Twilio. Based on your comments, I am not sure the point of Authy if it is easy to build 2FA except TOTP using yesterday's Twilio.

bdcravens  11 years ago

The advantage is that if you lose/switch phones, you don't have to reset your 2FA. (a disadvantage, of course, if your account/device is compromised)