It's about being tied to a third-party service. Currently, the one causing you a problem is Apple's. It could just as well be Authy's.
With standard TOTP, you could pull out a paper backup and use it to make any TOTP app on any platform work. But with Authy, you're screwed if they're down.
And it sounds like you're screwed right now because Apple is down. Again, this wouldn't be an issue if you were using standard TOTP.
Meanwhile, if I'd given in and set up 2FA on my company's CloudFlare account, I wouldn't be able to access it right now.
So yes, I have an axe to grind -- with CloudFlare. We pay you $200/month, and the only reason we can still access our account is because I've refused to set up 2FA on it with Authy.
> Meanwhile, if I'd given in and set up 2FA on my company's CloudFlare account, I wouldn't be able to access it right now.

That's not the case. I'm in that position because I got my phone into a bad state and can't reauth to iTunes. Others in the office have no problem at all, and from talking to the technical support guys I know that I'm in an unusual position; otherwise our customers would be very upset.

> So yes, I have an axe to grind -- with CloudFlare. We pay you $200/month, and the only reason we can still access our account is because I've refused to set up 2FA on it with Authy.
What exactly is wrong with Authy that makes it completely unacceptable for you to use?
> What exactly is wrong with Authy that makes it completely unacceptable for you to use?

This is what the app shows when you first open it:

> Let's turn this device into a secure token
> Enter your Authy cellphone
They're my private tokens. I don't want to set up an account with Authy Inc and I certainly don't want my tokens in your cloud. Sure maybe it'd be nice to sync across my devices, but not if it looks like it means doing so via somebody else's servers!
You realise that you encrypt the tokens you send and you can't restore them without that password, right? And that backups are opt-in only and you can leave that option disabled?
Do you not trust them to actually encrypt the data before backup? Or is there another issue?
No, I don't realise any of that, because "Let's turn this device into a secure token" is the sum total of the information you get when you fire up the Authy app. No links to any explanations of why they want you to have an account, and I didn't care enough to go looking further myself.
But the real issue for me is: given a choice between (1) having my private tokens physically only on my own devices; (2) having an account and apparently some form of my tokens at a third party in another country susceptible to bulk espionage and subpoenas... why on earth would I choose (2) in today's climate?
Or in summary: I guess I don't trust them to actually encrypt anything in the face of legal threats.
Authy necessarily has the keys on its servers in cleartext. When you integrate them into your application, you send the code the user inputs to Authy's servers for verification.
Authy is a third-party authentication provider, it is not simply a synchronization service.
I recently complained about the lack of a Windows Phone client on their Facebook page, and their response was "The service you've requested is currently not on our roadmap".
I had asked the founder about a Windows Phone client a couple of weeks ago and at the time he had said a WP client was 'very likely'. Not sure which is more recent, but I would also like to see an Authy client for Windows Phone.
> What exactly is wrong with Authy that makes it completely unacceptable for you to use?
This exact scenario is sufficient on its own. Also individually sufficient are the unnecessary revelation of personal information to Authy, and an aversion to perpetuating an authentication method that unsophisticated users can easily confuse with more secure methods that don't rely on third parties.
You do realise that Authy uses standard TOTP? And Google Auth? This is like complaining about Firefox being a "third party app" and if you were just a normal person you would parse the HTML in your brain directly from the output of your ethernet cable or something.
None of these tools have any form of lock-in, but Apple imposes its own layer, in this case.
Authy uses a modified form of TOTP. CloudFlare requires Authy, not a standard TOTP implementation. They make this very clear when you try to activate 2FA.
Authy works as a third-party authentication provider. Their servers are in the loop on every login. They aren't just a TOTP app + synchronization, they actually do the code validation themselves.
The correct analogy would be if every time you went to a website in Firefox, it asked Mozilla's servers if it was OK to go there. Also if, when installing Firefox, it demanded you create an account and give your cell phone number to Mozilla. (Or better yet, Google.)
Tbh, to setup sync or install extensions in Chrome, you need a Google Account, for which you need to give them your cellphone number. And it uses a blacklist hosted by Google to check if a page should show a malware warning, or not even display at all.
I just installed AdBlock in Chrome, via the Chrome web store, on a Windows 7 box, that has never had a Google account logged in on it. So at the moment, I see no evidence that you need one to install extensions. Even if you did need one to install from the Chrome Web Store, you can also side-load.
With regard to the others, there are crucial distinctions:
* Chrome synchronization is entirely optional. You can use Chrome without ever logging into Google's servers. That's not the case with Authy.
* The malware blocklist feature uses data stored on your local machine that is frequently updated from Google's servers. It does not send the URLs to Google. Even aside from privacy implications, that would be annoyingly slow. And the block can be bypassed (last time I saw it, anyway) with a single click.