I did that when they leaked my phone number to hackers, as happened to millions of other users. Using Authy is a security threat.
9tr6gyp3@lemmy.world
on 02 Aug 2024 20:15
Whoa
Boozilla@lemmy.world
on 02 Aug 2024 20:19
What are some good multi-platform alternatives/ replacements?
PatrickYaa@lemmy.one
on 02 Aug 2024 20:24
I switched to Aegis
beejjorgensen@lemmy.sdf.org
on 02 Aug 2024 21:14
I switched to Aegis when google authenticator didn’t allow exports. It’s simple and it works.
Estebiu@lemmy.dbzer0.com
on 02 Aug 2024 22:04
Wait, Google Auth doesn't allow exports? For me it does…? Am I missing something…?
Scrollone@feddit.it
on 03 Aug 2024 17:06
It allows exports, but only in a stupid QR-code-based format.
Estebiu@lemmy.dbzer0.com
on 04 Aug 2024 23:24
Aaahh, you mean that. Yeah, it’s annoying.
beejjorgensen@lemmy.sdf.org
on 04 Aug 2024 02:32
It does now–it didn’t in the past.
desktop_user@lemmy.blahaj.zone
on 04 Aug 2024 08:50
It still does (last time I checked, less than two weeks ago); it is just annoying and involves QR codes.
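For anyone stuck with that QR-only export: the otpauth-migration://offline?data=... payload inside Google Authenticator's export QR code is a base64-encoded protobuf message. The following is an added example, not code from anyone in this thread or from Google: it decodes that payload into plain otpauth:// URIs, which Aegis, KeePassXC, Bitwarden and similar apps import directly, using a hand-rolled protobuf wire-format walker. The field layout it relies on (otp_parameters = 1, and inside it secret = 1, name = 2, issuer = 3, algorithm = 4, digits = 5, type = 6, counter = 7) is the community reverse-engineered schema, so treat it as an assumption to confirm against a real export. The sample payload is constructed inside the block from the RFC 6238 reference key so that it runs offline; no real account secret is involved.

```python
import base64
from urllib.parse import quote, unquote, urlparse

# Enum values from the community-documented MigrationPayload schema (assumed, not official).
ALGORITHM = {0: "SHA1", 1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {0: 6, 1: 6, 2: 8}
OTP_TYPE = {0: "totp", 1: "hotp", 2: "totp"}


def _read_varint(buf: bytes, pos: int):
    """Decode a protobuf base-128 varint starting at pos; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_message(buf: bytes):
    """Minimal protobuf wire-format walker returning [(field_number, wire_type, value)].
    Only varint (0) and length-delimited (2) fields occur in this payload; anything
    else is treated as a malformed or unexpected export rather than skipped blindly."""
    pos, fields = 0, []
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x07
        if wtype == 0:
            value, pos = _read_varint(buf, pos)
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
        else:
            raise ValueError(f"unexpected wire type {wtype} for field {field}")
        fields.append((field, wtype, value))
    return fields


def decode_migration_uri(uri: str):
    """Turn otpauth-migration://offline?data=... into standard otpauth:// URIs."""
    u = urlparse(uri)
    if u.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    # Do not use parse_qs here: it turns '+' into a space, which corrupts base64.
    query = dict(pair.split("=", 1) for pair in u.query.split("&"))
    data = unquote(query["data"])
    payload = base64.b64decode(data + "=" * (-len(data) % 4))
    uris = []
    for field, wtype, value in parse_message(payload):
        if field != 1 or wtype != 2:            # field 1 = repeated OtpParameters
            continue
        p = {f: v for f, _, v in parse_message(value)}
        secret = base64.b32encode(p[1]).decode().rstrip("=")
        name = p.get(2, b"").decode()
        issuer = p.get(3, b"").decode()
        otp_type = OTP_TYPE[p.get(6, 2)]
        label = f"{issuer}:{name}" if issuer else name
        params = [f"secret={secret}",
                  f"algorithm={ALGORITHM[p.get(4, 1)]}",
                  f"digits={DIGITS[p.get(5, 1)]}"]
        if issuer:
            params.append(f"issuer={quote(issuer, safe='')}")
        if otp_type == "hotp":
            params.append(f"counter={p.get(7, 0)}")
        uris.append(f"otpauth://{otp_type}/{quote(label, safe=':@')}?{'&'.join(params)}")
    return uris


# --- constructed sample export, so the decoder can be exercised offline ---------------

def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _field(num: int, value) -> bytes:
    """Encode one protobuf field: varint for ints, length-delimited for bytes."""
    if isinstance(value, int):
        return _varint(num << 3) + _varint(value)
    return _varint((num << 3) | 2) + _varint(len(value)) + value


def build_sample_migration_uri() -> str:
    """Constructed sample (RFC 6238 reference key, not a real account's secret)."""
    otp = (_field(1, b"12345678901234567890") + _field(2, b"alice@example.com")
           + _field(3, b"Example") + _field(4, 1) + _field(5, 1) + _field(6, 2))
    payload = _field(1, otp) + _field(2, 1) + _field(3, 1) + _field(4, 0) + _field(5, 12345)
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(payload).decode(), safe="")


if __name__ == "__main__":
    for line in decode_migration_uri(build_sample_migration_uri()):
        print(line)
```

To use it on a real export, scan the QR code with any reader that gives you the raw string and pass that string to decode_migration_uri; a large account list is split over several QR codes (the batch_index/batch_size fields), so run each one. The decoded URIs are the secrets themselves: handle them like passwords and wipe the terminal history afterwards.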
BakedCatboy@lemmy.ml
on 02 Aug 2024 20:27
I like using bitwarden, the selfhosted vaultwarden server stores it with passwords and makes codes available in the app / browser extension. I also keep them backed up on a nas and synced off-site just in case.
kolorafa@lemmy.world
on 02 Aug 2024 20:46
AndOTP is great. It's free and has simple and easy encrypted backups. I love how its timer counts down, not up like some others, and highlights the token in red so you know you need to hustle or wait.
It seems I cannot install it because the app is too old for Android 14…
saiarcot895@programming.dev
on 04 Aug 2024 05:45
That’s odd, I’m on Android 14 and have andOTP installed.
fart_pickle@lemmy.world
on 02 Aug 2024 20:54
Bitwarden or Proton Pass.
Fubarberry@sopuli.xyz
on 02 Aug 2024 21:28
A lot of password managers support 2fa now. I use Enpass because I got a lifetime license a long time ago (it’s also available to people with Google Play pass), but I know some other popular options have it too.
The whole point of 2FA is to keep the second factor separate from the first. If you store both in the same password manager app that defeats the entire point of 2FA.
hikaru755@lemmy.world
on 02 Aug 2024 22:25
It still protects you from your passwords being compromised in any way except through a compromise of the password manager itself. Yes, it’s worse than keeping them separate, but it’s also still much better than not having 2fa at all.
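To make concrete what is actually being moved around in this debate, here is an added example, not code from anyone in the thread or from any of the apps named: it parses the otpauth:// URI format that Aegis, Bitwarden and most authenticators export, derives codes from it per RFC 4226/6238, and includes the relying-party check with a small clock-drift window. The URI is constructed for the example from the RFC 6238 reference key, not a real account. Whatever app or vault holds that secret can mint identical codes, so the question of storing it beside the password is really a question of where the secret lives and how that store is protected.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI using the RFC 6238 reference key, not a real account's secret.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the format Aegis, Bitwarden and most
    authenticators export) into the parameters needed to generate codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    b32 = q["secret"][0].upper()
    return {
        "label": label,
        "issuer": q.get("issuer", [label.split(":", 1)[0] if ":" in label else ""])[0],
        # Secret is base32; exporters often omit the '=' padding, so restore it.
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter as 8-byte big-endian), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)


def code_for(uri: str, at: int) -> str:
    """The code any app holding this exported URI would show at unix time `at`."""
    e = parse_otpauth(uri)
    return totp(e["secret"], at, e["digits"], e["period"], e["algorithm"])


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, **kw) -> bool:
    """Relying-party check: accept +/- `window` steps of clock drift, compare in constant time."""
    period = kw.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret, at + step * period, **kw), code)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", code_for(EXAMPLE_URI, now))
    e = parse_otpauth(EXAMPLE_URI)
    # A code from the previous step is still accepted within a one-step window.
    print("accepted with drift:", verify_totp(e["secret"], code_for(EXAMPLE_URI, now - 30), now, digits=8))
```

The functions reproduce the RFC 6238 test vectors (for example, the reference key at unix time 59 yields 94287082 with 8 digits), which is a quick way to check any authenticator or vault you migrate to: import the same URI there and compare codes at the same moment. The drift window is the relying party's concern, not the authenticator's; keep it at one step or less, since every extra step multiplies an attacker's guessing odds.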
EngineerGaming@feddit.nl
on 03 Aug 2024 05:57
You can have a separate database for the TOTP.
Pika@sh.itjust.works
on 04 Aug 2024 13:43
I only switched to KeePass due to the fact that nothing seems to support a desktop application like Authy did. Not everyone keeps a phone on them 24/7. If they don't want that risk they would allow desktop apps. At least in my opinion.
freecloudgal@discuss.tchncs.de
on 02 Aug 2024 22:28
Duo, Aegis, Bitwarden, Proton.
mosiacmango@lemm.ee
on 02 Aug 2024 22:37
Keepass. Standalone FOSS apps for desktop/phone. Has OTP support.
Passwords/tokens are stored in a small encrypted DB file you can copy/paste anywhere you need it. It has hundreds of plugins to do various things.
Use something like syncthing/nextcloud/onedrive to keep the file in sync across devices.
Damage@feddit.it
on 02 Aug 2024 23:32
I switched to Ente Auth some time ago when bad news about authy started getting out
Eezyville@sh.itjust.works
on 03 Aug 2024 00:06
I use KeePassXC and a YubiKey 5. You can store a certain number of 2FA secrets on the key, but I also back up the secret key and recovery codes in KeePassXC, which is backed up on my Nextcloud. When using the YubiKey there is an app on desktop and mobile that reads the key but doesn't store the codes. Open the app, plug in the key, the TOTP appears; take the key out and the TOTP is gone.
haulyard@lemmy.world
on 03 Aug 2024 01:21
Along with others already mentioned, 1Password can support 2fa.
batcheck@lemmy.world
on 03 Aug 2024 04:49
1Password has impressed me. I’ve used KeePassXC, LastPass, Bitwarden (but not extensively and one of the early versions), and even CyberArk (🤮).
1Password is closed source but it’s one of those pieces of software that just works the way you expect it to. Hard to confirm a lot of their security claims. Just rolling with “Have not heard a lot about 1Password breaches” mentality.
We got lucky at work and used it to replace an unmanageable long list of KeePass database files that were sprawling everywhere. With that, everyone who uses 1Password at work gets an associated private family account. Made managing my kids' passwords and sharing some of our common family passwords way easier, and I still get to lock them out of the passwords I don't want them using.
I believe modern Bitwarden for enterprise has a similar licensing sweetener with a private family account for each corporate account.
conciselyverbose@sh.itjust.works
on 02 Aug 2024 20:20
However, those who synced their desktop apps with the mobile versions have discovered that some of their tokens did not correctly synchronize, making their associated accounts inaccessible.
Lol
specialseaweed@sh.itjust.works
on 02 Aug 2024 22:32
Well that fucking sucks.
conciselyverbose@sh.itjust.works
on 02 Aug 2024 22:38
Yeah, laughing at the customers (who were making a good decision to make sure they had 2FA enabled) is kind of a dick move.
But from the perspective of the company fucking up that bad it’s funny.
specialseaweed@sh.itjust.works
on 02 Aug 2024 22:40
I use their phone app. I sure have a weekend chore to get the fuck off that app.
femtech@midwest.social
on 02 Aug 2024 23:22
Yeah, I told everyone at my company about it 2 months ago. I moved everything to Bitwarden.
orca@orcas.enjoying.yachts
on 03 Aug 2024 02:06
I’ve been moving over to Okta’s app. Wondering if I should pick something else though. All of my credentials are in 1Password, but I don’t want my 2FA in the same place.
tja@sh.itjust.works
on 03 Aug 2024 12:34
Yes, I wouldn’t know where to move to.
subtext@lemmy.world
on 03 Aug 2024 13:07
Well to give you another option, Bitwarden made a standalone authenticator app that is presumably secured with the same care as the regular Bitwarden password manager app.
Pika@sh.itjust.works
on 04 Aug 2024 13:56
This is what I did: Syncthing syncs the DB across all my devices (including my phone), and it uses a certificate key + password for the master. It lets me secure all my stuff in one location without having to mess with my phone.
I know it's less secure, but nobody has a desktop app anymore, so I would rather just have it all in one place than have to dedicate another mobile app to it.
Armand1@lemmy.world
on 03 Aug 2024 13:50
This prompted me to move away from Authy, and looking it up, it doesn't allow you to export your TOTP tokens. There were some workarounds, but they have been plugged; I tried.
Mostly switched over to Bitwarden’s equivalent. I’ve been using their password manager for many many years now and am very happy with it. They have an export feature in a few different formats.
rekabis@lemmy.ca
on 03 Aug 2024 15:29
I only ever used Authy as a single-item TOTP vault for BitWarden, but I moved off of it long before they ever mentioned the Windows app shutdown due to dissatisfaction with the UI. I just didn’t like their “card-like” interface, and they never offered a super-compact list-like interface. The card interface just wasted too much screen real estate, even on a desktop, and it just got immeasurably worse under mobile.
Yeah, I did that, but then it refused to let me log in, telling me the version was not secure or something.
Older versions appear to refuse to talk with their servers, at least that was the case for me.
zer0squar3d@lemmy.dbzer0.com
on 03 Aug 2024 21:04
Welp, time to finally migrate one at a time to Proton.
EngineerGaming@feddit.nl
on 04 Aug 2024 06:52
That would be repeating the same mistake. You don’t change one company for the other, you choose an app that is not dependent on an account, like KeepassXC.
zer0squar3d@lemmy.dbzer0.com
on 07 Aug 2024 02:11
I moved from keepassxc to bitwarden then to proton pass when it was released. I’m not going back. I keep my recovery codes separate to prevent a complete lockout. But thanks for the suggestions.
I hope you all freed your 2fa secrets from this un-service.
I did when the news first broke.
andOTP + bitwarden for me
Same here, have no problems so far.
bitwarden.com/products/authenticator/
Nice, thanks! This is what I was looking for. Something that handled solely 2FA.
Aegis on Android is also very nice (and open source).
I used Authy a couple years ago, do I need to be worried?
Only if you use it currently. Otherwise no worries.
Thanks. I couldn’t understand if there was a data breach that led to this or if it was just current users.
Well that’s already my Monday morning gone. I use Authy desktop for all of my work 2FA tokens.
KeePass has native TOTP support now
The workaround did work; however, you needed to download an older archived version that was unpatched.
Just spent a week manually moving everything off Authy. Total pain, but there are lots of better solutions out there now.