Geekzone: technology news, blogs, forums
michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3195345 15-Feb-2024 00:16

MartinGZ: Personally I'll stick with Twilio for a bit longer although it seems they are having financial issues, perhaps one of the reasons behind the demise of the desktop version. I love the fact that you can have it on multiple devices and wish others would also do this. I think I read that they have 7 million users, not a huge number in the scheme of things.

 

Forgot to mention but there is no financial incentive for them to keep the platform running. I doubt they'll stop it straight away but the problem is the whole platform is tied to the cloud and I'd personally run right now.

 

I did when I saw the writing on the wall when they discontinued their own 2FA implementation (the whole reason for Authy in the first place).

 

mattwnz: I started using it due to Google Authenticator not having any way of having it on multiple devices at the time I was using it. However I think it does now allow syncing to multiple devices, but I don't think it backs up like Authy does.

 

Microsoft Authenticator over Google any day. Google doesn't end to end encrypt their backups and you know Google with their graveyard also...





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




jlittle
200 posts

Master Geek
+1 received by user: 76

ID Verified
Subscriber

  #3195411 15-Feb-2024 09:41

I moved from authy to bitwarden about a year ago.

The breadth of clients and functionality surprised me. There are browser extensions on the desktop, a GUI app on the desktop, a command-line tool useful in scripts (though jq skills were needed), the Android app, and the browser extensions for Android browsers. I mostly use the desktop Firefox browser extension in its "Pop out to a new window" mode. The Firefox mobile extension is clunky, but I suspect that may be due to the way Firefox for mobile extensions work.

Bitwarden really suits me. I worry that it's got so much that their developers must be spread thin and the business is not sustainable.




Regards, John Little


MartinGZ
376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

  #3196048 16-Feb-2024 01:43

Hi Michael, there is a lot in your replies, and I'm no security expert. A few things.

 

     

  1. I still think that, by definition, you do not have 2FA. If your PW vault is decrypted, they have full access to everything.
  2. "but the key is not letting that happen in the first place which is why I am comfortable keeping secrets locked inside a vault". Tell that to all those at LastPass. Are you absolutely certain that Bitwarden will never be hacked/compromised? Because I'm not. I just think that Bitwarden is amongst the better PW managers around and will continue to use it while it remains so.
  3. "The convenience factor however with using Bitwarden for both your password store and 2FA is great". Convenience is useful, but way down my list of features I want with a PW manager. I decided that it was poor security to have the 2FA token and password in the same place. In my reading, this was also the opinion of the majority of security experts.
  4. "Many sites have 2FA reset procedures". I agree that some sites make resetting passwords way too easy. I haven't tried a PW reset on a site that is covered by 2FA as well, so can't comment on that one. I seem to remember that to get around Bitwarden's own 2FA code, you needed the backup recovery code, without which access is impossible. However, I do not see your argument as a reason why I should make it even easier, by storing the 2FA token with the PW.
  5. You must already use a different 2FA app in order to set up 2FA for Bitwarden?
  6. I agree, the days of Authy may be numbered, but I'll keep my head in the sand for a while longer. Looked at Aegis as it can import from Authy, but it needs root access and that is not going to happen. I will look at MS, which I use anyway for a couple of accounts, but not sure how good it is at syncing over multiple devices. I agree on your thoughts about Google Authenticator.

 

I went through all this with a fine-tooth comb before travelling overseas last year for an extended period, some of this discussed in this thread. There is no foolproof answer to this, not least because I was travelling with both my PW manager and 2FA app on the same device. At the time I could not really see any other options for that. However I did a few things to make life difficult for others, e.g. some passwords were incorrect in a way only I knew.

 

2FA tokens are a PITA, but useful. I'm starting to think that printing out the 2FA QR code on paper and storing it, is a way to get around not being able to transfer them between apps. Believe me, there is so much crap in my office no-one will ever be able to find them. The question then is, will I remember where I put them? Probably not, so back to the drawing board.




michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3196049 16-Feb-2024 02:17

@MartinGZ So the main take from here is yes, while my vault is decrypted it's in a vulnerable position. The thing is if an attacker gained access to your device it doesn't matter if you've got 2 apps (on the same device) but the fact is you're at this point fully pwned.

 

The LastPass example is actually a great one. Yes, it was an absolute security mess but the most important take from this is for most people their vaults were not compromised. As long as you use a secure seed (as in your master password) to secure your vault along with a provider that sets your iterations higher than 1 then you're pretty good as far as security goes. I did joke a bit here as LastPass were pretty shocking considering many vaults still had an iteration count as low as 1 vs Bitwarden at 600,001 but I was also very early to migrate off before this mess happened as LastPass is also pretty expensive. This compromise however really paved the way to password managers becoming more and more secure.

 

Password managers are also one of the main targets of attackers but the thing is as long as you use the leading password managers then you're pretty good. Bitwarden is actually the password manager I recommend given they have a bug bounty program, yearly security assessments, it is fully open source etc. You can read more here: https://bitwarden.com/compliance/

 

It is still however 2FA even if the vault and 2FA generator are in the same place. As I've said above, you're likely still using the same device. Hardware tokens (e.g. YubiKey) are the most secure form of 2FA for highly sensitive things (Bitwarden can use these to add 2FA to your vault, which I personally do) and for those times you don't carry keys on you then app-based 2FA is pretty good too. The thing is your password vault in general is an area of trust so it doesn't matter what you store there, you need to trust it. Google Chrome's own built-in password manager for example is just a SQLite database behind the scenes and this is not something I'd ever personally trust. I do like having access to my seeds still, which Bitwarden does give you access to, so I can easily switch to another platform.

 

The main key here is with 2FA if somebody were to get your password via a breach, a sticky note or anything like that then you're not getting access to that account and even if somebody were to get my Bitwarden vault file it is remarkably safe also: https://bitwarden.com/help/what-encryption-is-used/

 

You've got to weigh up how inconvenienced you want to be. The problem is, Authy's end is written on the wall, so are you going to add more keys just to move them off to another platform later on? This is why I, and many others, are suggesting to take the time and move somewhere else now so you don't have to deal with a bigger job later on (especially when you'll only have the mobile app at that point). But the key takeaway here is you're worried about your vault getting compromised and I agree, if your vault is in a decrypted state you're technically vulnerable, but bug bounty programs combined with open source software are great ways to keep security up on apps like this so a drive-by download of your encrypted vault just simply never happens.







hairy1
3352 posts

Uber Geek
+1 received by user: 644

ID Verified
Trusted
Lifetime subscriber

  #3196674 17-Feb-2024 09:01

Hey all. Happy Saturday.

 

I have been self hosting Bitwarden for some time and love it. I am in the same camp that having multifactor in the same app is not a great solution. I have been using Authy for years and on the back of this discussion I have been looking at replacements.

 

I spun up the self hosted 2fauth and let me just say I am extremely impressed with the UI and features. It works really well, is fast and works across all my devices.

 

I am going through the pain of migration but very happy with it so far. Highly recommended if you can self host.

 

Cheers, Matt





My views (except when I am looking out their windows) are not those of my employer.


mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #3197015 18-Feb-2024 13:06

So I've moved one account over to a keepass database with ONLY OTP codes.

 

No passwords will be saved in this database as it's no longer providing any benefit besides making the attacker enter one more extra detail. Sure there is a usability vs security debate which MichaelMurphy is trying to argue, but very much disagree you're back to one factor https://github.com/Rookiestyle/KeePassOTP/wiki/Using-OTP-is-using-two-factor-authentication%3F 

 

I'm using KeePassDX as the app for OTP (and using Keepass2Android for my passwords database). (Scan the QR code with the phone camera, send the text to KeePassDX and select/create an entry.)

 

It looks like KeePassXC will display the OTP number in the UI, I've not yet found how to get keepass 2.xx to show the OTP in the UI, might need a plugin...

 

 

 

I have the KeePass databases syncing via Nextcloud so can access them on multiple devices (I use a "key file/provider" as well for extra security, which means access to the database itself is not useful).

 

So far it looks like this approach will work, but it would be ideal to not have to use KeePassXC and only use the one Windows app (KeePass) (but my preference is two different apps on Android, as switching databases in KeePass2Android is messy).

 

 

 

Also found this, but not tried it, as a way to get "everything" (read the link for what is missed) out of Authy to import into another app. It looks like it brings the secure material with it: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93

 

 

 

edit:

 

This plugin lets you right click and copy the OTP, or you can use its own context menu to show you the token. https://keepass.info/plugins.html#keeotp . This should mean I don't need to use KeePassXC.

 

edit again:

 

Just used the gist link above to export from the desktop app (note the version to use), scanned all the QR codes and loaded them into KeePassDX fairly seamlessly. I then confirmed every QR code in the app showed up and was providing the same number.





CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX 


paulchinnz
Circumspice
796 posts

Ultimate Geek
+1 received by user: 223

Trusted
Lifetime subscriber

  #3204377 8-Mar-2024 10:12

@michaelmurfy I've taken your recommendation to use MS Authenticator. Got a bunch of accounts set up on one phone using hotmail login to the app. I want to set this up on another phone, but upon logging into the Authenticator app with my hotmail login, only the hotmail account is in the app (and not the other ~15). Is there some way of synchronising the app between phones? This was one of the nice features with Authy.


davidcole
6099 posts

Uber Geek
+1 received by user: 1465

Trusted

  #3204444 8-Mar-2024 13:18

I mostly use Authy for mobile. But some 2FA codes I keep in KeePassXC as well. If I'm really lazy I'll tell KeePass to type {USERNAME}{TAB}{PASSWORD}{DELAY 5000}{TOTP}





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 


MartinGZ
376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

  #3261003 18-Jul-2024 12:26

I just noticed an alternative to Authy Two factor authenticator for online accounts - Zoho OneAuth

 

If you use it on one device, it looks as though you don't need to register, but sync requires a Zoho account. Big plus is that it doesn't seem to require a phone number. But like Authy and Twilio, it is software made available by a software company for free use. Who knows how long it will be supported or what the security is like (other than what they write.)

 

Unfortunately it's likely I won't have time to check it out for a couple of weeks, but thought I would put the link up anyway.


gehenna
8667 posts

Uber Geek
+1 received by user: 3883

Moderator
Trusted
Lifetime subscriber

  #3261012 18-Jul-2024 12:55

I just launch the phone app on my PC via Phone Link when I need it.


bagheera
544 posts

Ultimate Geek
+1 received by user: 189


  #3261014 18-Jul-2024 13:01

fyi for authy users

 

 

 

https://news.trendmicro.com/2024/07/10/twilio-authy-data-breach/

 

 

 

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint […] We know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened.”


 
 
 

jonathan18
7415 posts

Uber Geek
+1 received by user: 2850

ID Verified
Trusted

  #3261035 18-Jul-2024 13:50

MartinGZ:

 

I just noticed an alternative to Authy Two factor authenticator for online accounts - Zoho OneAuth

 

 

I'm interested to hear more about this as a potential replacement for Authy.

 

I had planned to switch all my 2FA across to Microsoft Authenticator then realised there's no Windows app (somewhat ironic!) - not concerned in relation to everyday use, but more the hassle if I lose/destroy my phone. I guess 1. the chances of that happening aren't great and 2. if it does I could find a spare phone to install the MS Authenticator app on and sync my account from the cloud. So perhaps this lack of Windows support should not be a deciding factor?


MartinGZ
376 posts

Ultimate Geek
+1 received by user: 128

Subscriber

  #3285078 22-Sep-2024 15:30

Thanks to @bagheera for that info, I had no notification from Authy about that, so it spurred me into action. Authy account now deleted.

 

I initially transferred my 2FA to Google, for at least that allowed transfer of accounts, albeit only 10 at a time. Recently did another search on 2FA apps to meet my requirements. Security was the obvious one, but the ability to sync between devices was the other, and that was a huge advantage of Authy. Bitwarden has recently put out an Authenticator app and they promise sync in the future, but it is currently a very basic app. One to watch. The other two possibilities were 2FAS and Aegis, both open source, both backup to a Google account.

 

Chose 2FAS as it offers sync (as opposed to backup) to a google account. I have a couple of phones with different accounts, so thought why not just add a third common google account to each device and use that. Works a treat. Entered the accounts in 2FAS on one phone and as soon as I pointed the second device to the common account, the entries were populated by a sync. You cannot sync to an iOS device. My guess is that Bitwarden will offer that in the future.

 

As people will know, doing anything with 2FA is a pain if you have to move to a different app/device. As part of the process I have (figuratively) printed out the 2FA/QR codes and stored them under the mattress. Actually, I see nothing wrong with physically printing them out and storing them in a safe place.
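Two things in this thread come down to the same piece of data: the otpauth:// text that an enrolment QR code encodes (what gets printed and stored under the mattress above), and the check mentalinc describes earlier of confirming that every seed imported into a new app produces the same number. The following is an added example, not code from any poster or from any of the apps discussed; it parses that URI and computes RFC 6238 TOTP codes from the seed, and uses the RFC's reference seed with a made-up site and account label as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI, the text an enrolment QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def totp(secret_b32, at_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    # Apps often show the secret lower-cased, spaced, or without '=' padding.
    normalized = secret_b32.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    key = base64.b32decode(normalized)
    counter = struct.pack(">Q", at_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def code_for_uri(uri, at_time):
    """The code a correct authenticator must show for this URI at this time."""
    e = parse_otpauth(uri)
    return totp(e["secret"], at_time, e["digits"], e["period"], e["algorithm"])


def migration_matches(uri, observed, at_time, skew_steps=1):
    """Compare the code the new app shows against the seed, tolerating clock skew."""
    e = parse_otpauth(uri)
    for step in range(-skew_steps, skew_steps + 1):
        expected = code_for_uri(uri, at_time + step * e["period"])
        if hmac.compare_digest(expected, observed):
            return True
    return False


# Constructed sample: RFC 6238 reference seed (ASCII "12345678901234567890") in base32;
# the site name and account label are assumptions.
SAMPLE_URI = ("otpauth://totp/ExampleSite:alice%40example.test"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite")

if __name__ == "__main__":
    print(code_for_uri(SAMPLE_URI, 59))  # RFC 6238 vector at T=59: 287082
```

Feed `migration_matches` the URI from the old app and the code the new app is currently displaying; a match within one step of the current time confirms the seed was carried over intact.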


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #3301230 24-Oct-2024 22:13

I'm also on the lookout for a replacement after Authy's recent enshittification.  The depressing thing is it was the consistently top-rated MFA Android app across a pile of surveys, but now they've decided that since it was pretty good they need to come in and break it, sigh.


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3301249 24-Oct-2024 23:37

Bitwarden is very good these days with MFA and also Passkeys.

 

I get it, why would people store 2FA in the same vault as your passwords. But your vault should be trusted and it doesn't matter if 2FA is stored elsewhere, if somebody gets your vault you're pretty screwed.






