Just got off Authy. They've done everything to trap customers into their broken platform, primarily by never allowing the user to export their tokens, either to file, or to another MFA application.
They also stopped supporting their desktop app, forcing users back onto a single point of failure: the mobile app.
If Twilio isn't going to support Authy in good faith, they should stop holding their remaining users hostage.
Most 2FA apps don't allow export for security reasons. I usually just re-generate all my TOTP keys manually. It's terribly painful, but I used to do it with every phone upgrade.
Typically the way these codes are compromised is when they are stored in a non-HSM location like Google drive or transferred somehow. Then again, if you are just trying to keep people out of your Facebook account it's not a big deal. But if you are trying to keep people from financial accounts I wouldn't recommend transferring TOTP keys. Instead using a backup method like a printed out one time use sheet would be better.
Unfortunately most such websites use KBA or Text based authentication as a backup for TOTP so you may as well just stick it in Google drive.
It sucks Yubikey (or other hardware based auth) isn't more prevalent in the financial/banking world. It helps mitigate a lot of types of attacks:
- No tokens to exfiltrate off a computer
- Avoids keylogger style attacks
- More durable than cell phones
That said, for people that have high amounts of money in certain accounts (> 1m), it might also present physical dangers (e.g. kidnapping, home invasion) for thieves attempting to get access to the hardware key.
It is indeed the very epitome of sanity, if you simply consider that the codes are secrets, and this entire practice is derived from having hardware dongles with secure enclaves, where secrets go in but never come out. It is the utmost in security when this one-way relationship is observed.
The ability to export secrets is an unfortunate compromise which vendors make for consumer markets. The MFA apps were not designed for exportability. If you own any Yubikeys you will know this. The whole idea is that this factor is "something you have", in other words, possession of the item containing your secret. An exported secret is no longer a secret, no longer something you have; it's just another password you're shuffling around.
The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?
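To make the two points in this comment concrete (the seed is the whole secret, and hashed single-use backup codes are the recovery path), here is an added example that is not code from the thread or from any vendor: a minimal RFC 6238 TOTP generator next to a server-side backup-code store. The function names and the sample seed are my own choices.

```python
# Added example, not code from the thread: RFC 6238 TOTP plus single-use
# backup codes.  Function names and the sample seed are my own choices.
import base64, hashlib, hmac, secrets, struct, time


def totp(seed_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1).  Only the seed and the clock go in, so
    whoever holds an exported seed can compute every code the phone shows."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = int(time.time() if for_time is None else for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_code(code, salt):
    # Backup codes carry far less entropy than the seed, so stretch them.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_backup_codes(count=8):
    """Return (codes to show the user once, server record); the server
    record holds only salted hashes, never the codes themselves."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(count)]  # 40 bits each
    record = {"salt": salt, "hashes": {_hash_code(c, salt) for c in codes}}
    return codes, record


def redeem_backup_code(record, code):
    """Accept a backup code once; a reused or unknown code is rejected."""
    candidate = _hash_code(code, record["salt"])
    for stored in record["hashes"]:
        if hmac.compare_digest(stored, candidate):
            record["hashes"].discard(stored)  # burnt on first use
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test seed: ASCII "12345678901234567890" in base32.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code at T=59:", totp(seed, 59))  # RFC 6238 vector: 287082
    codes, record = issue_backup_codes(4)
    print("first use:", redeem_backup_code(record, codes[0]))   # True
    print("second use:", redeem_backup_code(record, codes[0]))  # False
```

The seed used in the demo is the RFC 6238 reference seed, so the printed code can be checked against the RFC's test table.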
In an ideal world, I'd just use Yubikeys for everything. The problem is that it's not universally supported (or only supports a limited number of keys), so now I have a hodgepodge of 2FA app or Yubikeys or, even worse, phone/email 2FA.
The great thing about Yubikeys is that I can associate backup keys for accounts (when they are supported), so if I lose one key, I can deactivate the lost key and use a backup key in its place.
With heavily locked-down 2FA apps, I have to hope I can do a full recovery on a new device, or go through the recovery code process, or start all over again w/ new 2FA codes. If I'm lucky, the app allowed me to have it installed onto a backup device.
It's way more complicated than just swapping in a new Yubikey.
> The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?
Not all TOTP implementations, especially indie PHP websites, are robust enough to have implemented backup codes.
Well, that's pretty sad, but surely, in every case, there is some procedure that's delineated for account recovery when something goes wrong?
I have been dismayed at some supposedly professional implementations, such as when I telephoned Wal-Mart to ask what can be done if I lost my phone (SMS is their only 2FA) and they said that they were prohibited from changing anything in account settings or profiles, and the best idea was to create a new account. (That is crazy -- if you shop at a marketplace like that, they've stored all your receipts, your membership, a potentially years-long trail of paperwork that you may need for taxes, or reimbursement, or refunds later on!)
Even worse, I had a bad time with the United States Postal Service. If I recall correctly, I'd lost access to the registered email address, and I was requesting to change it to something within my control, and they said "no can do", and they told me that my only recourse would be to create a new account, so that's what I did. Interestingly, USPS offers 2FA via either email or SMS, and their SMS gateway service is frequently out of order, so I always use email when logging in there.
Once, around 2021, I contacted GitLab to inform them that their account recovery process was a backdoor to circumvent MFA. They denied any such problem. I suggest that any account recovery implementation be just as secure as the front door to sign in, but also not impossible, because why do you want loyal customers to lose their accounts completely?
It's only a security issue if you don't secure the cloud storage that's used for backups.
Google Authenticator and some other 2FA apps allow the user to export their tokens to other apps so you don't need to redo TOTP on every website.
The most secure method is to only have tokens on the 2FA device and to avoid using TOTP backup/restore altogether (or manually copy the tokens on a secondary 2FA device). It's a tradeoff between security vs. convenience.
I think Microsoft Authenticator is the smartest right now because it's a "two-cloud" solution partly out of necessity, but also that seems a trustworthy architecture more generally. Since almost no one's phone runs Windows anymore, the raw app data backups "naturally" go to either iCloud or Google Drive. Then Microsoft keeps other (HSM) decryption keys in OneDrive. The threat model requires compromises of two clouds, so Microsoft Authenticator can be way more generous on how often and easily it backs up. It's an interesting point in the security vs. convenience tradeoff.
The worst are the apps that will constantly bother you with an in-app popup to enable notifications, e.g. Goat. They make it come up randomly so you'll accidentally click on it.
Or apps that you pay for (Spotify Premium, Tidal) that will constantly bombard you with marketing in-app popups at random times. So instead of listening and enjoying my music, I can accidentally click on one of these landmines and get redirected to something I do not want.
I cancelled Spotify because of this. Will also cancel Tidal after my trial because they're just copying the same ugly tactics as Spotify.
Already had my fill of Pixel 7 Pro problems. The screen failed to register any touches on it, twice. Once within warranty, once outside it. Best I could do is file a claim with my credit card company for a measly $300.
For a $1200 phone.
Had a bizarrely similar experience with the Pixel Watch.
The screen just failed to respond to touch. Wasted an hour figuring out how to get into fast boot mode. After a factory reset, it started working, but it doesn't get much more than 12-16 hours of battery time before needing a charge.
After losing a lot of money, time, and patience, I'm done with Google anything. Their hardware is garbage and they seem to have failed to address these issues with newer Pixel releases. Not sure what the point is of having 7 years of updates when the phone's hardware will barely last one of those years. And good luck with support.
Switched to a Samsung A54, and although it is slower and laggier in some aspects, the hardware is solid and I've been impressed at how clean OneUI is.
Tip: When your Pixel screen fails to respond to touch, you can at least plug in a USB mouse and recover what you can before tossing it into the dead gadget drawer.
On my iPhone 13 Pro, calendar notifications will fail, and the alarm clock will fail to ring. No idea why. I need to reboot my iPhone once a week to fix this issue, and it's been this way since I bought this phone a few years ago. No iOS update has ever fixed this.
I also have issues with the sluggish interface. Some of my third-party email apps take several seconds to just load the list of messages. They take milliseconds to load on a Pixel.
My lock screen can sometimes take a bit more than a second to unlock.
The browser dropdown will occasionally load the wrong page when I touch the URL.
The keyboard is more wrong than right, most of the time. Out of all the bugs and problems that make the iPhone almost unusable, it would be the terrible, auto-incorrect keyboard.
The analogy that comes to mind is when the auto industry consolidated to just three large players. Quality was never great to begin with, but it steeply declined after that. It took foreign companies to add real competition to the market.
Apple has been in decline for years now, especially since their only other competitors are Samsung and Google.