Comment by maxerickson

11 years ago

Authy exists to make 2-factor easier for people implementing it. Some users will want methods other than TOTP, so they support methods other than TOTP.

If they don't have a phone number they can't do all that transparently, which is bad when you are aiming your service at a broad audience.

Then why not allow users to defer entering a phone number until they try to add a service that actually requires it?

  • Because doing a high enough level of identity verification at that point would be disruptive.

    I'm not really interested in defending it; I probably don't like the idea of depending on a third party any more than feld does. I was just pointing out that there are simpler explanations for what they are doing than "I'm not buying the story that you need to text me or call me unless you're storing the seed/token centrally and sending it to users upon request, which I strongly disagree with."

    Another one is that if they actually implemented TOTP like that their business would take a lot of damage when it was revealed publicly (because what's the point of paying for a broken implementation?).