Tips for switching authenticator apps?

The Twilio Authy breach has me thinking it’s time to switch to a different authenticator app.

Does anyone who’s done this before have any tips for moving the codes from one app to the other and making the transition as fast and smooth as possible?

(The Authy breach is discussed in this thread)

Sadly, unless you’ve saved all the seeds when initially adding accounts or made screenshots, the only way to move away from Authy is to go account by account, disable 2FA, enable 2FA, and scan the code with the new app. There’s no export from Authy.

I may do this gradually, as I have some 70 accounts there. I’ve not settled on where to move, I suppose Bitwarden.

The upside is that as soon as you disable and reenable 2FA for an account, a new seed is generated, and the ones in Authy automatically become invalid.

3 Likes

There is a method to get the TOTP seeds from an old desktop version, running a script in the developer console. You might need to enable multi-device in your phone first, then download the latest desktop, then download an old one.

2 Likes

After reading about the Authy breach I moved my 2FA accounts to Bitwarden Authenticator. @dario's method is correct on how you have to do it.

1 Like

Methods are as mentioned by others, but don’t move 2FA to your password manager; that makes 2FA senseless. Passkeys are another way, but they’re not widely supported.

Move it to another 2FA app like 2FAS or Ente Auth. Both are pretty highly recommended in the Reddit community as well, and they allow backup/exports.

3 Likes

I’m leaning toward Duo, which Wirecutter recommends. I also use Bitwarden, but I want to keep my authenticator separate for the extra security.

1 Like

Thanks, that’s what I plan to do. I’ll probably use Duo, which Wirecutter recommends. I don’t think it’s worth trading even a little security for the very minor convenience of integrating it into a password manager, given how critical it is.

Thanks for that link. I knew I saw instructions somewhere on how to export seeds from Authy a while back, and it seems those intending to move need to hurry as the desktop app required for this will cease to work in August.

& @cornchip Maybe I’m paranoid, but I’m reluctant to enable multi-device even temporarily, since Authy’s method for multi-device relies on your phone number…which is why Twilio had a database of Authy users’ phone numbers…which just got stolen in a hack.

1 Like

I guess it depends on how many codes you’d need to disable and re-enable. For me, if not wanting to enter my phone number, it’d save a lot of time to spend $5-10 to activate my other eSIM, use it to make an Authy account, bulk export the seeds, and request deletion of the account and close out the phone line.

1 Like

Seems like 1Password and iCloud Keychain are the two main password managers remaining that haven’t had any breaches so far.

1 Like

Bitwarden hasn’t either, and afaik neither has Dashlane.

1 Like

Authenticator is a separate app.

I was using the generic, lower-case term to cover the category. They’re all authenticator apps. I wasn’t specifically referring to Microsoft Authenticator.

While you are at it, you can purchase a YubiKey and also create email aliases for each account. This will shrink the attack vector on each account, as they’ll need more info and perhaps also a security key to access your account.

I lost my Amazon account earlier this year to an SMS OTP hack, and ever since I’ve been removing SMS where possible and leveraging the unique username, password, OTP, passkey and physical security key to the furthest extent possible.

Something that was interesting was that after I got my account closed, there were a few credit applications to the credit card company that was my primary card at Amazon, and my cell phone service provider notified me of an unsuccessful attempt to log into my account. My credit was frozen, which blocked the credit applications, and the login attempt alerts stopped after I changed my email address on the account.

So security in depth works! Think about implementing it at the same time you’re changing authenticator providers.

4 Likes

Which service are you using for email aliases? I’m using simplelogin and have been happy with it.

Re password and TOTP managers in general, I switched from Bitwarden to Strongbox, because I was annoyed with both the Bitwarden UI and this issue regarding the web extension that has been left unaddressed for six years. Strongbox has been satisfyingly reliable and frequently updated.

2 Likes

I have spent two to three hours moving all of my 70 accounts from Authy to 2FAS manually.

I was hoping to be able to use the guide linked above, but this seems to be no longer working as Authy seems to be intentionally blocking desktop apps from connecting at all (I got the network error) if not already logged in.

Authy is also quick at downloading updates to desktop apps, whereas a certain version is needed to perform the export. Neither macOS nor Windows desktop apps seem to be able to connect to Authy anymore (unless you had it installed previously – I did not, as I only had the iPadOS version running on my new-ish MBP as the desktop version was already officially discontinued when I first installed it on this machine).

There’s also another way to export everything from Authy if you have a desktop version installed that is already logged in:

Some users are reporting success in exporting the seeds on rooted Android devices at the GitHub link in the comments.

A manual switch seems to be the only feasible way to move from Authy right now. It took me much less time than anticipated, though.

2 Likes

Thank you! That’s great information.

If you have a desktop version of Authy installed and synced (I did not), you might be able to downgrade to v2.2.3 and block the internet access for Authy, as it’s otherwise quick to update automatically (before you get a chance to do anything). One of the two export methods above might then still work. Fresh installs apparently won’t sync so I couldn’t get around that.

I gave up on tinkering with it as moving all the codes manually wasn’t such a bad idea after all for a bit of a security review; I changed a couple of old passwords along the way and shut down several accounts I did not need anymore.

I opted for 2FAS for the time being as all the open-source authenticators seem to support some sort of import/export, e.g. Ente Auth, which is also recommended, can import from 2FAS. What’s important is that all the seeds are there in plain text after export, contrary to Authy’s lock-in.

1 Like