101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. We allow posts of up to 2048 characters.

Server stats:

483
active users

#authy


There are different articles floating on the internet of people who've experienced the same as I have. For no reason, without any warning, you cannot uninstall authy anymore on your device.

If you do, a few things will happen; one of them is that after installation it will not allow you to get an SMS from your mobile phone, or it will allow that, but you will not be able to add any new accounts.

In either case the program has become worthless and you will get no warning ⚠️

Have you started migrating your authy MFA 2FA accounts to open source MFA clients?

¡¿No?!

Please start asap. The company has quietly been changing things with this important program and since they do not allow you to export your accounts easily, you will be in a situation where you have to systematically migrate the most important accounts you have to open source clients.

At a certain point authy will stop working even on your new Androids without explanation, no **fucks given**.

New #blog post: Moving my #TOTP tokens from #Authy to #Aegis

In 2020, I moved my #2fa tokens from Google Authenticator to Authy. Unfortunately, Twilio have since changed things, undermining the reason that I'd chosen Authy in the first place.

I wanted the replacement to be #FOSS and after a bit of searching around, settled on Aegis Authenticator.

This post talks about why/how and what the benefits so far are.

bentasker.co.uk/posts/blog/gen

www.bentasker.co.uk · Moving my 2FA Codes from Authy to Aegis

@neff Because I have a lot of 2FA codes in Authy, they all trigger when I've unlocked the app and I find too many visuals a bit overwhelming - especially as they're all on a countdown the moment I've unlocked it! It's a personal thing though, I'm not saying #Authy is bad as a solution.

I want to know I can hit "generate" then look at my monitor, with more than 10 seconds of my countdown left.

With that, and currently no dark mode, I'm switching. Personal preference though.

Ugh, #Authy changed their android app and now there's always a code being generated, or worse, all accounts in the app are generating codes.

As far as I can see you can't revert to the more logical "choose the system I ACTUALLY want a code for" screen.

Does anyone else using Authy for #2FA know if there's a way to be less bombarded by codes when opening the app?

In *2019*, Alex Weinert of Microsoft wrote in techcommunity.microsoft.com/t5:

«
    MFA had failed.

    [...]
    All Authenticators Are Vulnerable
    [...]
»

Today, as echoed in bleepingcomputer.com/news/micr, Microsoft still insists that using weak MFA is a good idea.

In azure.microsoft.com/en-us/blog Microsoft writes (on August 15):

«
As recent research [1] by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future.
»

From that same article, among the "solutions", "Microsoft Authenticator" (nearly as weak as SMS) is at the TOP of their list:

«
Organizations have multiple ways to enable their users to utilize MFA through Microsoft Entra:

• Microsoft Authenticator [...]
• FIDO2 security keys [...]
• Certificate-based authentication [...]
• Passkeys [...]
• Finally, and this is the least secure version of MFA, you can also use a SMS or voice approval [...]
»

From [1] (PDF) = query.prod.cms.rt.microsoft.co, with no date of the "investigation period" to be seen *anywhere*, and with Alex Weinert as one of the authors, more extreme percentages (approved by Microsoft's marketing dept):

«
Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials.
»

Dear reader: please stop buying Microsoft BS that completely ignores PhaaS.

To name a few examples:

🚨 "Experts agree [*] that setting up two-factor authentication (2FA) İs one of the most powerful ways to protect your account from getting hacked. However, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have seen attackers successfully compromise a victim who had enabled 2FA." - (PDF) accessnow.org/wp-content/uploa

[*] Not me. My tip is here: infosec.exchange/@ErikvanStrat

🚨 EvilGinx2: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication" - github.com/kgretzky/evilginx2 (there are more, like Modlishka, Muraena, CredSniper, EvilProxy (PhaaS), NakedPages etc.)

🚨 Not even a fake website needed: bleepingcomputer.com/news/secu

🚨 From mrd0x.com/attacking-with-webvi:
«
Bypass 2FA
WebView2 also provides built-in functionality to extract cookies. This allows an attacker to extract cookies after the user authenticates into the legitimate website. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate.
»
In addition, from bleepingcomputer.com/news/secu:
«
"Yubikeys can't save you because you're authenticating to the REAL website not a phishing website."
mr.d0x
»
AND:
«
However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable.
»
Correct, but a local compromise doesn't protect you when you're using FIDO2 hardware keys or passkeys.

🚨 From 2022: microsoft.com/en-us/security/b:
«
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA).
»

🚨 "Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling" - netskope.com/blog/phishing-wit

🚨 "New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security" - thehackernews.com/2022/09/new-

🚨 From europol.europa.eu/media-press/:
«
The investigation uncovered at least 40 000 phishing domains linked to LabHost, which had some 10 000 users worldwide.
[...]
LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.
»

🚨 "Security and Privacy Failures in Popular 2FA Apps" by Gilsenan et al. (USENIX 2023): usenix.org/conference/usenixse
The PDF can also be found here: github.com/blues-lab/totp-app- (Aegis was one of the least problematic apps, and don't use Authy).

This is what is wrong with weak MFA/2FA:

You
 o
/|\  [device + browser]
/ \       |
          v
[login.microsoftonline-aitm.com]
          |
          v
[login.microsoftonline.com]

(no thanks to DV-certificates).

techcommunity.microsoft.com · All your creds are belong to us! Multi-factor Authentication (MFA) matters.
#AitM #MitM #EvilProxy
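As an added illustration of the AitM point made in the post above (this is not code from any post on this page): a toy relying party that verifies a TOTP code and a simplified WebAuthn-style assertion, showing that a code typed on the lookalike origin is accepted unchanged while an assertion signed over the proxy's origin is rejected. The two origins are the ones in the diagram; the secrets, the HMAC standing in for the FIDO2 signature, and all function names are constructed for this example.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.microsoftonline.com"        # the real RP from the thread's diagram
PROXY_ORIGIN = "https://login.microsoftonline-aitm.com"  # the AitM site from the thread's diagram
TOTP_SECRET = b"constructed-demo-seed-0123"              # constructed for this example only
CRED_KEY = b"constructed-demo-credential-key"            # constructed; stands in for a FIDO2 key pair


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def rp_verifies_totp(submitted: str, t: int) -> bool:
    """The RP only compares digits; nothing ties the code to the site the user typed it into."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, t))


def sign_assertion(browser_origin: str, challenge: str) -> dict:
    """Simplified WebAuthn assertion: the browser records the origin it is actually on in
    clientDataJSON and the authenticator signs over it (HMAC here instead of a real signature)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verifies_assertion(assertion: dict, challenge: str) -> bool:
    """The real RP checks the signed origin and challenge before the signature itself."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != challenge:
        return False  # signed over a lookalike origin: rejected even though the signature is valid
    expected = hmac.new(CRED_KEY, hashlib.sha256(assertion["clientDataJSON"]).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected)


def relay_outcome(now: int) -> dict:
    """Victim's browser is on the proxy origin; the proxy forwards both factors unchanged."""
    relayed_code = totp(TOTP_SECRET, now)                   # victim reads this off their app
    relayed_assertion = sign_assertion(PROXY_ORIGIN, "c1")  # browser signs the origin it really sees
    genuine_assertion = sign_assertion(REAL_ORIGIN, "c1")   # same credential, used on the real site
    return {"totp_relay_accepted": rp_verifies_totp(relayed_code, now),
            "webauthn_relay_accepted": rp_verifies_assertion(relayed_assertion, "c1"),
            "webauthn_genuine_accepted": rp_verifies_assertion(genuine_assertion, "c1")}
```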

I'm very worried about what Authy did in regards to GrapheneOS (not intentionally I hope) not just because it's bad, but because it might be a hint for banking apps to switch into the same design massively. And while at least you could replace 2FA apps with other alternatives, banking is much harder to do.

Such behavior against custom ROMs is irritating.

(Graphene's thread grapheneos.social/@GrapheneOS/)

GrapheneOS Mastodon · GrapheneOS (@GrapheneOS@grapheneos.social)
https://arstechnica.com/gadgets/2024/07/loss-of-popular-2fa-tool-puts-security-minded-grapheneos-in-a-paradox/ The article unfortunately leaves out most of the points we made in the thread. GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.