
I feel like this misses the problem with Authy. There are hundreds, possibly thousands of 2FA alternatives for Authy. But when my 401K provider requires Authy to log in without providing a generic 2FA option, THAT is the problem.



THE problem with Authy in my humble opinion isn’t just that it’s an obnoxious proprietary app I shouldn’t need — it’s that it forces you to accept SMS as a get-out-of-security-free card. Being able to get a reset text to your registered number (and you MUST register a number, of course) unlocks all your OTPs for the attacker (who slipped some teenaged phone salesman $50 or a fake ID to swap your SIMs).

SMS is cancer to security and I won’t use any system that forces me to accept something so easy to exploit as proof of my consent.


Regulators should mandate 2FA with an OTP standard, such as OATH TOTP. Here in the EU, lots of banks use their own proprietary OTP-like standard or SMS.

I never understood why SMS are preferred to OTPs generated offline using credit cards and a card reader, which were fairly popular.

Actually, EU regulations state SMS should be phased out, but banks largely ignore that. SIM cloning is fairly easy...


The readers cost money and people lose them. I still have one for one bank but otherwise it's SMS everywhere.

They clearly just don't see it as a realistic threat, on top of all the other security measures in place (for me it's a password, and also a memorable word that isn't typed on the keyboard, then SMS OTP). It's not a great defence of SMS but perfect is the enemy of good, and SMS is just about ok.

Most hacking stories I hear about seem to happen through social engineering, where people go to great lengths to authenticate themselves for someone over the phone.

One thing that is starting to take hold is banking apps, which once installed can be used to authenticate payment. Again not perfect but better than SMS, and users are increasingly likely to have them installed because of ease of use.


At least here, SIM cloning is a very popular attack.


Where is here? We can't see your geo coordinates :p


As per my parent post, here = EU.


Maybe your country. You do not speak for all of the EU.


Passkeys.


Not a portable format, yet.


At most relying parties you can create multiple passkeys, so this is IMO a good solution until portability gets better.


Never will be. Attestation is part of the spec and portability isn't. They are incompatible features.


The main problem with secure device based 2FA is how to handle the case when device gets lost and you don't have backups (many people don't really think this kind of stuff beforehand). How can a person re-establish their identity? For services like Google, Facebook etc. the answer might be "you don't", but it is more difficult for companies where the end user is also the customer.

And I think the best answer is government issued digital identity and being able to use that to recover your access to the online services (of course up to you if you wish to make this connection).


That's why Apple forces you to register two FIDO U2F keys if you use that option for iCloud.


The card reader with scanning a barcode is incredibly obtrusive. It requires you to carry the card/bank specific reader with you. So when you're on the go you and want to pay something online with a debit/credit card, you need to whip out the card and the specific reader.

And it included that annoying scanning a barcode on screen AND confirming € amount.

And the readers had 2 options. Sign and confirm (?). Why they couldn't incorporate this into the barcode?

It was all done because it definitely lowered mistakes and was more secure than card number and CVV to pay online.


This is a terrible, terrible idea. TOTP is secure for nerds but presents very very real security downsides for literally everyone else. Increased popularity of TOTP invites increased frequency of malicious TOTP apps exfiltrating user OTPs. This is pretty much THE reason why it’s quite common to see companies provide TOTP as a hidden, nerdy alternative. Again, if HN got what it wanted as far as tech regulation, the world would be a terrible place, but HN consistently puts nerdy desires ahead of what would actually help wider society.


The reason that SMS is preferred is that "everyone has it". Requiring all customers to get an app is much harder than requiring them to have a phone number that can receive SMS.


"everyone has it" and it is "good enough" at preventing large scale attacks like credential stuffing from data breaches.

Most online services aren't so worried about a small number of users being SIM-swapped. They are worried about large numbers of users that reused their password across thousands of sites 5 of which had their database dumped.

SMS 2FA isn't about providing individual users a high level of security. It is about providing a baseline level of security for all users.


I disagree. A bank reported ~1,000 SIM swap attacks happened to their clients during 2021 alone in a single EU country. That's a lot. Furthermore, these attacks target high value individuals which I imagine is a particular cause of concern for banks. For this reason, the EU has phased out SMS as a valid 2FA, although not many banks have complied yet.

Some banks, like ING, already refuse to send OTPs by SMS and effectively require using an app. SMS is also bad from a user perspective as it turns your phone into a single point of failure. Also, if you are roaming abroad, SMS delivery is usually slow and unreliable. Imagine going to another country and being unable to validate a credit card transaction.


An app that steals my data is a no-go for me.


I don't like apps either, that's why I'd like standardized 2FA.


Many sites are blocking my Google Voice number from being used for 2FA, so apparently not "everyone" has a number that "everyone" finds acceptable.


It's easy 2-step verification for making a bank transfer. Much more favourable than a dedicated bank app for me that steals your data.


Authy isn't that proprietary, and neither is Google Authenticator or Microsoft Authenticator (?). They are closed source apps but they aren't proprietary forms of TOTP.

I've been able to use Yubikey Authenticator for anything that said it wanted any of the above, and the awesome thing is you can plug the Yubikey into another device, install and open up Yubikey Authenticator on that device and it works just fine and has all of your services stored on the hardware key, making it easy to upgrade phones or plug the key into a desktop and not depend on a phone.


If a company requires you to use Authy you can't just put that into another authenticator. Yes, the Authy app can ingest a normal TOTP QR or secret and be used the same way as those others, but their special weird 7-digit OTP thing is proprietary to them, and businesses which choose "Authy" as their only OTP solution are locking people into using this crappy, SMS-linked app.

Another reason it's terrible is for business. Lots of businesses have an account that several people will need to access (yes, it's great to have multiple user support, but not all things do, or sometimes you need a 'bot user'). With something that supports real TOTP you can put that secret into 1password (or heck, scan the code into 7 different people's phone authenticator apps). With Authy you have to pick some random person's cell phone to tie that account to, and hope they don't go on vacation.


Decrypting the OTPs on another device has required a password for a long time now (maybe always, I can't actually remember if it was always there or just added years ago). It isn't only bound to your phone number.


Curious, why is SMS insecure? It's not like a hacker can simply clone your SIM.


No, that's the problem, a hacker can clone your SIM. It's not trivial, but it's not impossibly hard, as in there are known attacks and if your fortune is protected by SMS 2FA, you'd better hope you don't draw attention from a motivated attacker. SS7 attacks and others are not theoretical.


Actually all it needs is walking into the AT&T/Verizon store with a convincing fake ID + "I lost my phone"

Or a rotten apple working at the store who is working together with the perpetrator


A hacker can perform a SIM swap attack, where they convince the operator using bribes and/or fake IDs to provide a replacement SIM card for your number.


what's the better alternative?


Physical Security Key > TOTP/Authenticator Apps > SMS 2FA


Requiring a TOTP to get into the app handling your TOTP might not be the easiest for most. A strong encryption password on Authy prevents this and you can also disable multi-device / enrollment when not needed.


If Authy wants to not be a joke, then they should end their mandatory SMS authentication method, then. I certainly am not going to trust it when there's an SMS requirement to even get in. Because I (not unreasonably) assume if you contact Authy support and can pass their SMS check, they might have some way of "giving you back access to your account" and by "you" I mean criminals posing as you.


As far as I know, and I may be wrong there, but Authy gives you access back to your account. Not to your TOTP codes which are encrypted by your Backup Password.

Once logged in, you need to enter that "second" password in order to get access to the TOTP codes and Authy will notify you of the new device connected.


A hacker doesn't need to clone your SIM, all they need is access to an SS7 line almost anywhere in the world and they can see your messages, regardless of carrier or phone. I suppose North Korea probably doesn't have access to SS7 servers, but that might just be the only one. Granted, SS7 isn't cheap or easy to get access to, but when it comes to banking fraud, the economics change.

The victim will be disconnected from the network, but there's no way in hell the first line of carrier support will detect any of this. You'll have to put your faith in the security monitoring of your carrier (the ones letting spoofed numbers in and out of the network, so good luck I guess). There's absolutely nothing you can do about this threat other than hope that your carrier is smart enough and that you're not important enough for a sophisticated fraudster to target.

As for cheaper threats, everyone who tweeted about owning a crypto exchange account with their phone number on display will probably lose their SIM at some point. SIM swapping is easy with a fake ID, and people within phone stores have been caught doing it from the inside.

SMS is insecure and often abused. Don't use it. Maybe also disable 2G on your phone while you're at it.


They can clone it, they can eavesdrop on it by having hacked your phone, they can be eavesdropping on the wireless network. But the most likely is they can dupe your carrier to port your number out


If we're talking OTP/TOTP -- it's all the same. Even if a provider instructs you to use a specific app, e.g. Google or Authy, you can simply scan the QR code with whatever authenticator app you're using. All the QR code does is encode a URI containing the secret and issuer.


Authy supports TOTP, but also has its own proprietary TOTP-esque format that a bunch of sites & companies use (Twitch and my bank, among them) that can't be copied into another site.

(Yes, it's bad, no, it shouldn't exist, no, I don't know why they don't just <...>, etc.)


I use keepassxc for twitch so it should be something fairly standard, I don't remember using special settings.

Anyway, I wanted to share this gist which might be of some help to migrate away from authy:

https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...


Twitch supports regular TOTP now, thank goodness.


Is it standardized?


Authy (the app) does support generic TOTP which, as you mentioned, hundreds of others do too. Unfortunately, the Authy app (and some well-meaning but not so well-versed companies) opt to use Authy's proprietary OTP which isn't compatible with other clients.


This is simply not true. Just today an app asked me to use Microsoft Authenticator, and scanning the QR code with Google Auth and Authy didn’t work, earning me an “Invalid QR code” error and forcing me to install the app from MS.


I don't think there's a formal spec for the otpauth URI yet [0], even if there is a spec by Google [1], so this may just come down to MS adding some incompatibility to force usage of their authenticator, or the app using some proprietary authentication scheme that is not otpauth.

There's nothing complicated about otpauth provisioning URIs i.e. what's encoded into the QR code.

[0]: https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-spec...

[1]: https://github.com/google/google-authenticator/wiki/Key-Uri-...


You assume that because you were not able to overcome whatever error/s you encountered with Google Auth and Authy, that you were being forced to use MS Authenticator.


Pretty uncharitable interpretation on your end. I am a developer and went to the extent of verifying the content of the QR code and the optional URL for manually adding it. No OTP code in there.

Try to be nicer next time.


I truly did not mean to come off as rude. The 'content of the QR code' would've revealed the actual seed and so would corroborate your assumption if you did, in fact, verify as much. I merely stated a troubleshooting fact. No offense intended.


My bad for misunderstanding the tone of your comment. I likely wouldn't have gone off in this direction if you had asked me what measures I took to check the OTP code in a collaborative/constructive way rather than expressing doubt the way you did. Either way, all good.


I don’t think that’s what they’re saying. Authy supports TOTP but they also have a proprietary format.


That is also supported by Aegis.


And it seems to be totally generic, just 7 digits, and switching every 10 seconds instead of 30.

Bitwarden can import them too.
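The comments above make two claims about the QR code: that it only encodes an otpauth:// URI carrying the secret and issuer, and that Authy's variant is "generic" apart from using 7 digits and a 10-second step. The example below, added here and not code from any commenter or from Authy, makes both concrete: it parses a Key URI of the Google Authenticator format, derives RFC 4226 HOTP / RFC 6238 TOTP codes honouring the `digits`, `period` and `algorithm` parameters, and verifies a submitted code with a small clock-skew window. The URIs and the 7-digit/10-second parameters are constructed for the example; the secret is the RFC 6238 reference secret "12345678901234567890" in base32, so the standard code at T=59 matches the published test vector.

```python
"""Added example: parse an otpauth:// provisioning URI (what a 2FA QR code encodes)
and generate/verify RFC 6238 TOTP codes from it, including non-default
digits/period such as a 7-digit, 10-second variant. Not code from the thread."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(secret: str) -> bytes:
    """QR-code secrets are base32, usually unpadded, sometimes lowercase or space-grouped."""
    s = secret.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding the provisioning URI omits
    return base64.b32decode(s, casefold=True)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://TYPE/LABEL?secret=..&issuer=..&algorithm=..&digits=..&period=..
    (Google Authenticator Key URI format). Unknown parameters are ignored;
    a missing secret or unsupported algorithm is rejected rather than guessed."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(p.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    label = unquote(p.path.lstrip("/"))
    issuer = params.get("issuer")
    if issuer is None and ":" in label:  # older form: issuer prefixed to the label
        issuer = label.split(":", 1)[0]
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "type": p.netloc,
        "label": label,
        "issuer": issuer,
        "secret": decode_base32_secret(params["secret"]),
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(entry: dict, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else at
    return hotp(entry["secret"], t // entry["period"], entry["digits"], entry["algorithm"])


def verify_totp(entry: dict, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    to absorb clock skew. Comparison is constant-time; every extra step in the
    window multiplies an online guesser's chance, so keep it at 1."""
    t = int(time.time()) if at is None else at
    step = t // entry["period"]
    for k in range(-window, window + 1):
        candidate = hotp(entry["secret"], step + k, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed sample URIs. The secret is the RFC 6238 reference secret
# "12345678901234567890" (ASCII) encoded in base32; the issuers are invented.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STANDARD_URI = f"otpauth://totp/Example:alice%40example.org?secret={RFC_SECRET_B32}&issuer=Example"
SEVEN_DIGIT_URI = f"otpauth://totp/Bank:alice?secret={RFC_SECRET_B32}&issuer=Bank&digits=7&period=10"

if __name__ == "__main__":
    std = parse_otpauth(STANDARD_URI)
    print(std["issuer"], std["label"], totp(std, at=59))  # RFC 6238 vector at T=59 -> 287082
    seven = parse_otpauth(SEVEN_DIGIT_URI)
    print(seven["digits"], seven["period"], totp(seven, at=15))  # 7 digits, 10 s step -> 4287082
```

The practical check this enables: if the URI behind a QR code parses with this function, any RFC-compliant app can generate the same codes, whatever app the site's instructions name; if a scanner reports "invalid QR code" the thing to inspect is whether the payload is an otpauth:// URI at all, or a vendor scheme that carries no `secret`.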


Authy has this 7 digit TOTP, which seems kind of proprietary. But Aegis supports that too, and is open source.


Is it possible to 'transfer' the 7 digit account from Authy over or best to start over?


There used to be a roundabout (unsupported) way to export from Authy Desktop to another app but Authy discontinued the Desktop app and Windows at least won't let you launch it anymore.

I'm not aware of a way to export from the Authy phone app.


Is there a list of services that have a specific 2FA provider requirement? In my experience, when a service asks for 2FA it usually says Google Authenticator and I use Authy. I'm looking to migrate out of Authy in the near future.


oh boy, wait until you have to use anything under id.me, which is in bed with the federal govt.

you will be crying for them to let you go back to authy and sms.



