Authentication Apps

hey MPU,

A bit of a first world issue here. I have Authy installed everywhere: Mac, iPad, iPhone. I know that they stopped supporting the desktop app. I continued chugging on; whenever I work, I just pull up my phone to authenticate. But today is one of those days… where pulling up my phone while working on something just got to me and my ‘focus’.

  • Does this happen with anyone else?
  • What does everyone use/recommend? (i.e. I just found out that 1Password supports 2FA codes)

Any thoughts?

Just to chime in on the discontinued desktop app (as I’m also using Authy) – if you’re on an Apple Silicon Mac, the iPad version of Authy works just fine on it.

The thing keeping me with Authy is that I have over 70 2FA codes in it, and moving them to another app would take quite some time.

The second aspect is a security concern: technically, you should be safer using two different apps (a password manager and a 2FA authenticator) than having a single one in case of a breach.


I’m happy with the 1Password integration for 2FA.

Have not thought about the possible security angle of keeping everything in one place might actually be reducing the two factors down to one?


I’ve been using 1Password since ‘08 and 1password.com since 2017.

That’s correct. So you would need to weigh the convenience of having your passwords and 2FA available in a single solution on all your devices vs the possibility of some additional risk.

It was an easy decision for me.

That’s why I don’t use the authenticator built into Bitwarden. Right now I’m using Authy and it’s been fine, but I may revisit that at some point.

Bitwarden launched a separate authenticator app earlier this month. There’s no sync yet (there’s a roadmap in the announcement), but this could eventually become a feasible option for moving away from Authy (perhaps with a secondary Bitwarden account for added security).


I use OTP Auth. It has iCloud sync, mobile and desktop apps, and is free with a voluntary “pro” in-app purchase to enable custom icons and/or support the developer.

And no ads.

https://cooperrs.de/otpauth.html

On the topic of having your password and 2FA codes in the same environment, one of our security folks wrote a blog post last year explaining the trade-offs and the situations where it might matter.

As usual, I offer the disclaimer that I work for 1Password, but I’m sharing this in case it helps anyone with their decision-making as the concept applies equally to any solution that lets you store both factors together (including iCloud Keychain, etc.)

Quoting a key section here for convenience:

It’s important to acknowledge that 2SV is a very valid way to secure your accounts, and improves upon the standard use of a username and password (one-factor authentication). The additional required step can prevent account compromise by someone who gains access to your login information; it acts as a barrier regardless of TOTP location.

But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app may offer additional protection. If an attacker got ahold of your 1Password login information (and your 2FA secret if you’ve added that layer of protection to your 1Password account) but didn’t have control of your device, the separation between your passwords and TOTP could prove useful.

I hedged with may and could because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a compromised device.


FWIW, Wirecutter now recommends Duo


I use 1Password for everything - and I don’t mind, for the reasons mentioned in @marius’ post.

Much more convenient, for a reasonably low decrease in security. That someone gets my password to an account (through a breach somewhere) has a much higher chance than someone getting access to my 1Password account.

If you have a specific threat model, I see the arguments for keeping them separate. But I think features like this will increase the total security, because more people will bother with 2FA.


How alarmed should someone be about this hack?

Mildly alarmed. Watch out for phishing attempts especially via text messages as they got the phone numbers. Make sure to turn off the multi-device option in Authy as that will disable the ability to add further devices to the account (which is good security advice anyway – all currently added devices continue to work).

Twilio’s response, speaking from a PR perspective, is extraordinarily poor. It talks just about their ‘unauthenticated endpoints’ and updated apps and not a single word about user data or what users should do.


Unfortunately this isn’t Twilio’s first security breach. Apparently they still haven’t gotten their act together. From 2022:

I agree with @dario. Someone knows your phone number and that you are an Authy user, so keep that in mind if something looks suspicious.

Also, if your phone company offers any optional account protection, like requiring a passcode to make changes, you might want to take advantage of that.

I have been using Authy for TOTP and didn’t realize they had been hacked. Thank you for bringing this up. I’m thinking of moving to a two-tier security model. I’ll get a hardware key and use it for accounts that are crucial, like 1Password, email, domain, and financial accounts. Then I’ll move the rest of my TOTP-enabled accounts into 1Password.