codalan | 9 months ago

Just got off Authy. They've done everything to trap customers into their broken platform, primarily by never allowing the user to export their tokens, either to file, or to another MFA application.

They also stopped supporting their desktop app, forcing users back onto a single point of failure: the mobile app.

If Twilio isn't going to support Authy in good faith, they should stop holding their remaining users hostage.

CameronBanga|9 months ago

I should have been smarter and thought about looking at export sooner; it wasn't until I had this issue that I dug in and realized how bad it was.

foxyv|9 months ago

Most 2FA apps don't allow export for security reasons. I usually just re-generate all my TOTP keys manually. It's terribly painful, but I used to do it with every phone upgrade.

ValentineC|9 months ago

"Security reasons" is pretty insane, considering how easy it is to lose access to a good number of accounts if any 2FA app breaks from a bad update.

Google Authenticator has done this before too, way back in 2013: https://news.ycombinator.com/item?id=6325760

codalan|9 months ago

It's only a security issue if you don't secure the cloud storage that's used for backups.

Google Authenticator and some other 2FA apps allow the user to export their tokens to other apps so you don't need to redo TOTP on every website.

The most secure method is to only have tokens on the 2FA device and to avoid using TOTP backup/restore altogether (or manually copy the tokens on a secondary 2FA device). It's a tradeoff between security vs. convenience.