They also stopped supporting their desktop app, forcing users back onto a single point of failure: the mobile app.
If Twilio isn't going to support Authy in good faith, they should stop holding their remaining users hostage.
Google Authenticator has done this before too, way back in 2013: https://news.ycombinator.com/item?id=6325760
The ability to export secrets is an unfortunate compromise which vendors make for consumer markets. The MFA apps were not designed for exportability. If you own any Yubikeys you will know this. The whole idea is that this factor is "something you have", in other words, possession of the item containing your secret. An exported secret is no longer a secret, no longer something you have; it's just another password you're shuffling around.
The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?
The great thing about Yubikeys is that I can associate backup keys for accounts (when they are supported), so if I lose one key, I can deactivate the lost key and use a backup key in its place.
With heavily locked-down 2FA apps, I have to hope I can do a full recovery on a new device, or go through the recovery code process, or start all over again w/ new 2FA codes. If I'm lucky, the app allowed me to have it installed onto a backup device.
It's way more complicated than just swapping in a new Yubikey.
Unfortunately most such websites use KBA or text-based authentication as a backup for TOTP, so you may as well just stick it in Google Drive.
- No tokens to exfiltrate off a computer
- Avoids keylogger style attacks
- More durable than cell phones
That said, for people that have high amounts of money in certain accounts (> 1m), it might also present physical dangers (e.g. kidnapping, home invasion) for thieves attempting to get access to the hardware key.
Google Authenticator and some other 2FA apps allow the user to export their tokens to other apps so you don't need to redo TOTP on every website.
The most secure method is to only have tokens on the 2FA device and to avoid using TOTP backup/restore altogether (or manually copy the tokens on a secondary 2FA device). It's a tradeoff between security vs. convenience.
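To make concrete the point made above that an exported TOTP secret is just another password (and the later remark that apps export tokens so you don't have to re-enrol everywhere), here is an added example that is not from this thread or from any of the apps discussed. It parses a standard otpauth://totp/ URI, which is the form most exports and QR codes use, and derives codes with RFC 6238 TOTP over RFC 4226 HOTP. The URI, label and issuer are constructed for illustration; the secret is the RFC 6238 test secret, so the values can be checked against the RFC's own table. Anyone who holds the URI string computes identical codes on any machine, which is exactly why a copy in a cloud drive is a credential and not a "something you have".

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    # Four bytes starting at the offset, high bit masked off
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / period)."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=<base32>&... URI into its parameters.

    Assumption: only the common query parameters (secret, issuer, digits,
    period, algorithm) are handled; anything else is ignored.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    # Exports often drop base32 padding; restore it before decoding
    secret_b32 = q["secret"].strip().upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, at_time: float) -> str:
    """Derive the current TOTP code from nothing but the exported URI string."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["digits"], p["period"], p["algorithm"])


# Constructed example export: RFC 6238 test secret "12345678901234567890" in base32.
# The label and issuer are made up for this illustration.
EXPORTED_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)


def codes_agree(uri: str, at_time: float) -> bool:
    """'Phone' and 'attacker laptop' both hold the URI: their codes always match."""
    phone = code_from_uri(uri, at_time)
    laptop = code_from_uri(uri, at_time)
    return phone == laptop


if __name__ == "__main__":
    now = time.time()
    print("label:", parse_otpauth(EXPORTED_URI)["label"])
    print("code right now:", code_from_uri(EXPORTED_URI, now))
    print("same code on any device holding the URI:", codes_agree(EXPORTED_URI, now))
```

Compare with the RFC 6238 test table: at Unix time 59 the SHA-1 secret above gives 94287082 with eight digits, i.e. 287082 with the default six. The only secret-holder-specific input is the secret itself, so once the URI leaves the device, possession of the device no longer means anything.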
> Much to my surprise, when checking the App Store page, I saw that an update to the app had been approved by Apple only 14 minutes prior. I downloaded the update, tapped upon one of the previously "locked" items, and entered my backup password. Boom, the previously locked 2FA codes were now unlocked and restored, ready for use.
After that, it was vaults that were easily exportable and backed up all the way (like most password managers).
jiveturkey•4h ago
> Authy was sold to Twilio in 2015