Authy Got Hacked, Phone Numbers Leaked

News

If you're looking for an alternative that supports multi-device sync, try 2FAS.


Comments

  • -7

    2FA is dead. Passkeys is the way.

    • What is that, and is it free? Can I move everything from Authy?

      • +1

        https://passkeys.directory/

        It’s not a drop-in replacement for TOTP/Authy.

        The website needs to support it.

        You can use software passkeys (iPhone, Android, password managers) or more secure hardware passkeys (but usually with a hard limit, i.e. 25 or 100 accounts).

    • -5

      Passkeys are crap

      • -1

        Agreed. Passkeys are great in theory but tiresome in practice.

        • How so? It's faster and easier than typing a password or getting your phone out for 2FA. If you're using a password manager to fill these, a passkey is just 1 click.

          • +2

            @askbargain: A password manager can autofill, share creds with a partner securely and autofill TOTP codes. I have over 400 accounts in my password manager and it all works just fine. Each time I need to use passkeys, I have to pull my phone out, enable Bluetooth (I don't use it otherwise), muck around and then worry about what happens when I upgrade phones.

            The worst part is that passkeys are tied to a proprietary device. None of the providers allow exporting to another device for migration. How ridiculous.
            https://1password.community/discussion/142696/will-it-be-up-…

            See this for a similar experience
            https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shatt…

            • @soan papdi:

              A password manager can autofill, share creds with a partner securely and autofill TOTP codes.

              Not that I've been motivated to start making the migration, but is that not the same for passkeys with decent password managers?
              E.g.
              https://bitwarden.com/help/storing-passkeys/

              The worst part is that passkeys are tied to a proprietary device

              As above, synchronisation via decent password managers? You don't have to be tied to a hardware key or a specific mobile device brand. Setting it up initially in a locked ecosystem is more the problem, and does detract from the likelihood of 'user friendly' uptake.

              Websites' own implementation limits are the main issue, due to differing implementations of the standard (though it is new; you'd hope that as it matures these per-site differences become less).

              • +1

                @SBOB: I was not aware BW supported synced passkeys; this is a good improvement. I have to trial it with some services, but the inertia is quite high when I have a working solution with synced passwords and TOTP.

                • +1

                  @soan papdi: 100%.
                  Anyone using a password manager with high quality unique passwords and 2fa is already 'up there' in terms of good security practice. It's "effort" to change known reliable processes, especially when there's inconsistencies in implementation options.

                  Passkeys are clearly the next step, but they're also not going to solve the vast majority of data breach issues, which are back-end problems anyway.

              • @SBOB: But it simply doesn't work. I have Google and eBay passkeys stored in BW and it never works on my phone, and sometimes not even on my computer. It simply says that there is no passkey stored on the device. I have added and removed these passkeys several times and it doesn't work.
                https://github.com/bitwarden/clients/issues/6840

                I have to jump through so many cancellation and error pages to finally just use the password. It is annoying as hell.

            • @soan papdi: 2FA is a second step process. With passkey you are immediately prompted to login with passkey, and after pressing login it will just login.

              2FA autofill is not 100% a good experience and I’m sure you’ve had to enter it yourself. On mobile you have to paste the code yourself.

              You and other people had bad experiences because of bad implementations that give passkeys a bad name.

              Don’t use passkeys on your phone/windows pc. You add passkeys on those devices if the service allows you to add multiple passkeys.

              Proton pass and Bitwarden (I think, I don’t use Bitwarden) allow you to export passkeys.

              And if you’re talking about hardware keys, it is just logical for those to not allow migration.

              • @askbargain:

                2FA autofill is not 100% a good experience and I’m sure you’ve had to enter it yourself. On mobile you have to paste the code yourself.

                Bitwarden auto copies TOTP to clipboard on the PC and mobile.

                Don’t use passkeys on your phone/windows pc. You add passkeys on those devices if the service allows you to add multiple passkeys.

                I created a Google passkey on my phone. I found the UX to be worse, when trying to log on to gmail using passkeys. For me, it felt very opaque. Where is my key stored? How can I back it up? If I restore my phone from iCloud, will it restore my passkeys? Each time I log on to gmail on the PC, I have to use my phone to authenticate.

                These things are hard to keep track of for me, even as someone in the industry. Granted, this was a year back; maybe things have improved recently.

                And if you’re talking about hardware keys, it is just logical for those to not allow migration.

                Agreed, this is per design

                You and other people had bad experiences because of bad implementations that give passkeys a bad name.

                Maybe these corporations shouldn't have rolled out a half-baked solution while also marketing it as nirvana

                • @soan papdi:

                  Bitwarden auto copies TOTP to clipboard on the PC and mobile.

                  Have you ever had problems with those funny text boxes that only allow 1 digit? And when the code changes, you have to backspace one by one. Or even on OzBargain, where there are 2 text boxes when entering 2FA (one for the code and one for recovery, when they could easily make it 1). This trips up my password manager when it tries to autofill.

                  If you choose to have your passkey stored on iCloud, it's stored in your iCloud Keychain (don't quote me, but I think end-to-end encrypted with your iPhone passcode). If you want to log in to Gmail on your PC, you can either add another passkey or download iCloud Passwords for Windows. You're not locked to just using iCloud.

                  These things are hard to keep track of for me

                  You can use a password manager like Proton Pass or Bitwarden to store your passkeys. Since you're already using Bitwarden, you might as well add passkeys on there and see which you like. I much like PayPal's new login with passkeys. There's no "login with passkey" button rather it triggers my password manager's passkey login.

                  Maybe these corporations shouldn't have rolled out a half-baked solution while also marketing it as nirvana

                  It used to be known as FIDO2 (not technically but let's just roll with this). Nobody supported it or cared. It's only when Google and Apple started adding it to their phones that companies are adopting it. They have only started to adopt it ~2 years ago. Just give it a bit more time and it will be the norm.

                  • @askbargain: Gave it a go just now, seems more polished than last year.
                    - visited PayPal. Won't let me add a passkey from the PC, have to use a mobile browser. Abandoned
                    - visited GitHub and Google, easily added and signed in again

                    Only problem is, I had to enter my Bitwarden master password twice per website (once each to save and retrieve). If we move this authentication to biometric, like faceid instead of entering master password, it will involve two devices each time and this will be even slower. I do think passkeys are technically better but the UX still sucks.

                    • @soan papdi:

                      • visited PayPal. Won't let me add a passkey from the PC, have to use a mobile browser. Abandoned

                      To be fair, once it's set up, it works really well. But PayPal sucks. Whoever made you enter email first should be fired. It's not for SSO like Microsoft, so there's no reason it should be like that.

                      Only problem is, I had to enter my Bitwarden master password twice per website (once each to save and retrieve).

                      You should be able to unlock Bitwarden with Windows Hello/Face ID. If you set it up as such, there are no 2 devices at all.

          • @askbargain:

            how so? it's faster and easier than typing a password

            No it's not. At least not when I've tried it with Apple… Takes about 15-30sec with passkey.

            • @jv: Logging into PayPal with a passkey takes 3 seconds. Are you logging in with the same device? Or are you using a passkey on another device?

              • @askbargain:

                Logging into PayPal with a passkey takes 3 seconds.

                I can type a password in less than that…

                Logging into Apple with passkey is painful

                • @jv: When I say 3 seconds, I mean for the webpages to load. It's literally just 1 click.

                  You can't login to Apple with a passkey unless you're on an Apple device, which if you are, just uses Face ID or Touch ID, so I'm not sure how painful it is.

                  • +1

                    @askbargain:

                    You can't login to Apple with a passkey unless you're on an Apple device

                    Not true, you can from Windows.

                    • @jv: Using the QR code? Doesn't really count.

      • Chisel and stone is the way to go; just use a rare language.

    • +1

      Passkeys are a more secure replacement for user names and passwords, not a replacement for 2FA.

      The additional security may be sufficient for some use cases/threat profiles.

  • Are you serious, omg.
    Oh well, just the phone number, right? The hacker can't use or recreate my 2FA numbers from Authy to log into my websites if they know my password and username, for example?

    • +3

      send me your 2fa codes and I can check for you

    • A hacker may try to send a dodgy link for you to click, try SIM swapping, or make a scam call.

      Don't open any dodgy link sent through SMS or email.

      Limit the number of devices that can login to Authy. Ensure only your devices have access to Authy. So new devices cannot access your account without your approval/permission.

      Nobody can SIM swap my number to a new SIM card, even if anyone gets access to the PIN for porting (the porting process will fail). Secret reason for this :P

      • Nobody can SIM swap my number to a new SIM card.

        Can you share how??? Pretty please

    • I've had the same mobile phone number for decades. It's probably in every scammer database in the world by now.

      • Yep. Same. But mine is a good number, easy to remember, so I don't want to change.
        Oh, and Yahoo email...

      • This is why I change my phone number every few years. But it's so much work.

  • +2

    https://2fas.com/vs/authy/
    Far out, I want to change. Is there an easy way to migrate from Authy to 2FAS?

    • +2

      Don't think you can export out of Authy, so it's a manual process of going to each site to deregister and re-register 2FA.

    • +1

      https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d…

      Not sure if this still works, but did work a while ago when I left Authy.

      • Looks like too complicated steps there?
        Once we migrate, we can remove all entries from Authy and close our account, right?

  • +2

    For anyone looking to change, I use Aegis on android which works stand-alone, and is really good; it's hard to trust any cloud service nowadays

    • I went Authy -> Aegis -> 2FAS.
      2FAS can import from Aegis quite easily.

      • Why did you need to leave Aegis?

      • And later on, if we need to change from 2FAS, can we also import easily (not going to each site one by one to disable and enable)?

    • I did the same a while back; used the old desktop version of Authy method to extract my keys and import into Aegis.
      I didn't like the lack of a desktop app though, and then learnt that KeePass, which I use on my phone and desktop anyway, can handle TOTP, so now I use that.

  • +11

    Google Authenticator and Microsoft Authenticator are all free and just as good. GA also supports sync with your account, so no stress when moving phones.

    • +3

      GA must have finally picked up its game then. It went for years without any form of sync, as I recall.

      • It was a simple QR code scan with the new phone. Did it fairly recently with the Motorola G54 I picked up.

      • +4

        Yes, the reason why many people have Authy …

  • +2

    2FAS

    Open source. Combine it with Bitwarden if you do not have a password manager already.

    Highly recommend.

  • "I trusted my personal details and credentials to a third party, and i'm surprised when something goes wrong."

    • Yeah, sometimes I worry about Bitwarden. I mean, it has everything... the website, user and pass... Not all websites offer 2FA.

      • Bitwarden is rock solid, open source and regularly audited.

        Authy was not.

    • Any times on self hosting, securely, the entire internet on a home server for us plebs?

      • I'm not sure what you're asking here.

  • May be a dumb question, but why the hell can't you store passwords on a hardware passkey? This would then negate the need for a crap password manager with tiresome master passwords (ironic you need a password for a password) and do all the authentication in one step by USB on PC or NFC on mobile.

    Nothing worse when trying to log on and you need to get your phone with authenticator or TOTP when you have a yubikey plugged in. Why can't it act as a software password manager/authenticator for sites that don't work with FIDO2?

    • From the Bitwarden site:

      Use YubiKey
      The following assumes that YubiKey is your highest-priority enabled method. To access your vault using a YubiKey:
      Log in to your Bitwarden vault on any app and enter your email address and master password.
      You will be prompted to insert your YubiKey into your computer's USB port

      • I have a YubiKey but haven't used it yet… not all sites support it, plus lazy. Now I'm thinking why not just use the YubiKey as a 3rd factor to access my Bitwarden. Hmm, but then I need to carry the key everywhere… already keyless (house door with smart lock fingerprint).

        • I'm more thinking from a corporate point of view. Come in to work, plug in your key then you should be password less to PC/domain/RDP and subsequent use in that session eg sites, passwords, network resources such as SharePoint or MYOB or whatever software is being used.

          Unplug key, session done. Can still do it manually with other methods but the key with one pin/password is king.

    • but why the hell can't you store passwords on a hardware passkey?

      You can. Yubikey 5 and Nitrokey 3 support this. Sadly, limited entries.

  • https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d…
    Posted by user tomekkn.

    I just did it and it still works, with one condition: you must have already installed Authy Desktop before they got hacked.

  • +1

    As long as you have a backup password there's no fuss. Your mobile number has been leaked 1000x over already anyway.
