• Agent641@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Of course. It was on the office phone that gets passed around to whichever tech is on call. The on-call tech left it at Mcdonalds accidentally.

  • 9point6@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Does anyone have a suggested alternative for authy?

    I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:

    Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.

    At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.

    I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        This is a new one to me, but a quick look at their homepage doesn’t seem to suggest SMS support as per my deal-breaker scenario—could you point me to the docs describing that functionality?

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        (reposted from another comment mentioning aegis)

        Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?

        • kambusha@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.

          I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.

          • 9point6@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            4 months ago

            Oh, in that case it’s not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.

            I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.

            • WhatAmLemmy@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              4 months ago

              Forget your existing cloud. Your 2FA backup doesn’t need to be protected by 2FA; just encryption and a strong/unique passphrase. Your 2FA backup can’t be used to access any account on its own, without each password. Most OSS E2EE services allow you to create a free account; many without an email. Pick 2 for redundancy, create a new account, and set a NEW passphrase (like your 2nd “master” password). Before you transit upload your OTP backup to both of them.

              This approach is probably more secure than SMS to access 2FA, especially from a closed source provider like Authy. If you’re already using a password manager and unique passwords for everything, you’re already 95% more secure than everyone else, and removed the primary need for 2FA (password reuse and theft). If you’re doing everything else right, 2FA only makes you 5-10% more secure, and covers you for less-likely threats. Sys admins have been raw dogging SSH and PGP keys every day without a 2nd factor, for decades.

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        I’ve looked into this before and unfortunately it doesn’t support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?

        • Enoril@jlai.lu
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          4 months ago

          Do you really need that ?

          Self hosting means you have outside your phone your real vault and the phone is just connecting to it to refresh its local data.

          I’ve setup my vaulwarden in my local network kit’s the local bitwarden server i use), my phone, tablet or simple webbrowser can connect to it when i’m home via the classic bitwarden (with self hosting parameters).

          If i travel, i have just to start my openVpn session and connect to my home but it’s only needed if I want to update something (the encrypted cache it’s enough for consulation). If I have nothing to change, no need to have a vpn. I just use the cached data.

          If my phone is stolen the data are safe (cache is encrypted, source is not on the phone). I revoke the vpn access by precaution and move one. No sms scenario needed here.

          You only need to have a backup phone or computer to setup your new access on the new phone.

          Edit: of course my vpn connection is protected by a passphrase so nobody can connect to my home network without me around. And the bitwarden app is also protected of course.

          • 9point6@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            4 months ago

            Do you have a second factor for your VPN? Or is it literally just a passphrase and you’re in? I also need a shared key to access mine, which puts new back at square one (I will not compromise on this)

            I do really need what I’ve described because it’s literally a situation I’ve been in.

        • ikidd@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          Oops, missed that part. Not that I know of, though SMS is a terrible way to do 2FA. It annoys me so many businesses and banks use it.

          • 9point6@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            4 months ago

            I agree it’s much worse than using a modern OTP app, but I need a way to access my OTP database when the only form of digital identity I have access to is my phone number.

            Authy currently supports this scenario for me (with a load of checks, it doesn’t happen instantly), so I would require a like for like replacement

            • EyesInTheBoat@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              4 months ago

              Bitwarden has a 2FA recovery code possible so you could use a unlabeled hard copy of the code. It cycles after every use so it would get you one recovery and doesn’t use SMS so it’s immune to SMS shenanigans.

              • 9point6@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                4 months ago

                That’s potentially a solution then, as I guess in order to buy a new phone I would need to have not lost my wallet too at least, so I guess I could keep those items together for equivalent recovery possibility

                Okay that may be a goer, I’ll look a bit more into it, thanks!

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?

        • Creat@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don’t even need to self host anything, there is nothing to host.

          Not everything needs to be “in the cloud”. I think this event illustrates nicely why.

          • 9point6@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            4 months ago

            This is specifically a scenario where I’m starting from a single blank device because I’ve just been robbed on the other side of the planet.

            Edit: for added weight, I’ve been in this exact scenario. I was able to get my ESIM reprovisioned to a new phone and recover everything within a day. I don’t want to replace authy with a solution that doesn’t cover that scenario

            • Matth78@lemm.ee
              link
              fedilink
              English
              arrow-up
              0
              ·
              4 months ago

              What I do is using synching to sync my files on my PC when I am at home. You could also manually back it up on a cloud drive.

              Anyway I think it’s best practice to store somewhere recovery codes.

              • 9point6@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                4 months ago

                Do you carry your recovery codes with you at all times?

                I guess I could do this, but it seems like a downgrade from my current situation

            • Creat@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              0
              ·
              4 months ago

              Well I thought this was kinda obvious what I meant, but I guess not. What you say is a requirement (sms recovery of a cloud account) is just one of many solutions to your specific problem. I’ll just list off a few solutions below that involve neither SMS (the most insecure communication method in common use today) and only optionally a cloud account. For cimplicity sake I’ll stick to Aegis, where you can create password-protected local backups you can then put wherever you want. This password needs to be very strong for obvious reasons: I would recommend a long sentence (40 characters or more) that you can just remember, like a quote from a movie/tv show/book/poem or something, including normal punctuation as a sentence for example.

              Solution 0: This is more of a trivial solution I wouldn’t actually recommend. You can allow account recovery via eMail and have your eMail not use 2fa, but a long/good password so you can login from memory (see above). This is probably more secure than SMS for the recovery-case, but less secure for the everyday use case of eMail, therefore “not recommended”.

              Solution 1: USB Sticks are tiny, as in the size of a USB port (slightly longer but slimmer for USB-C). If you want to have a backup “on you”, I’m sure you can find a place where it wouldn’t get robbed with the phone/wallet. A tiny pocket somewhere, a string around your ankle, make a compartment in your shoe, or just have it with your luggage at the hotel. I’m sure you get the point. You get your new phone, you plug in the USB, you install Aegis and restore the backup.

              Solution 2a: Dedicated “online” storage. This can be self hosted, or a free account of any cloud provider, but the important part is that it does NOT require 2FA and you do NOT use it for anything else. You have the backup in there. It also needs a very secure password (again: long, but easy to remember, no garbled letter nonsense), but obviously not the same as the Aegis-Backup. So you now need to remember 2 long passwords. You get your new phone, you log in, get the backup and proceed as usual.

              Solution 2b: If not having 2FA is not an option for the solution above, you can have a friend/family store the 2FA on his phone. To log in, you go to the login page and enter your password (which your friend doesn’t need to know), and you ask him over the phone for the current 2FA-Code, which he tells you and you can log in, download the backup and proceed as above. I assume such a high security isn’t that critical, since you have been using something involving SMS. Restore then goes as per usual.

              Solution 3: Store the whole backup with a friend and when you need it he just temporarily puts it somwhere you can access, and removes it again after. Since the backup is protected by a monster of a password, and the accessibility is temporary anyway, this isn’t security critical.

              Solution 4: If you absolutely must, you can find a cloud-provider for 2FA, and use it only as the “first stage”. The only 2FA code in there is the one you need to get access to your main online storage/account where you then have your real Aegis-Backup and/or other files. Obviously this service would need to allow you to login without 2FA, and the usual password rules resulting fom that apply. You can just add the 2FA of your primary service to more than 1 app or service, or if it allows for this, you can generate multiple authenticators so you can also revoke them serperately if needed.

              • 9point6@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                edit-2
                4 months ago

                Well I thought this was kinda obvious what I meant, but I guess not.

                Alright, drop the sass, if it was obvious your post wouldn’t be the length it is. Now chill, I genuinely appreciate your response

                0, no go

                1, also a no go, I can’t guarantee I’ll have an extra thing

                2a. No 2fa, so this is a reduction in my current security

                2b, this could be workable, I already self-host a number of services, but I want to be sure situational neglect (i.e. life is too busy for me to pay attention) cannot compromise this, therefore it’s gotta be a turnkey solution that I can configure to auto update, which is what I’m asking for in my comment. I need your specific solution for this, generalisms are useless here.

                3: Not workable, I can’t rely on someone else being able to help in every possible scenario (and tbh I wouldn’t want to put that responsibility on someone)

                4: This is a pretty good one tbh, though I guess if I’m going to pick holes, if the first stage is good enough as the gate, it diminishes the reason to have the second stage, so I’d wonder what you would suggest that could tick all the boxes for that first gate.

                Edit: weird numbering formatting to combat lemmy formatting doing weird things

                • Creat@discuss.tchncs.de
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  4 months ago

                  2a. No 2fa, so this is a reduction in my current security

                  That’s open to interpretation. Your current solution you thought was secure, but you used a service that as it turned out had bad security practices, which you just didn’t know (arguably couldn’t know). ANY online/cloud service that you don’t host yourself has this issue with being a black box of unkown quality. Any online service you do host has to be secured by you (or you need to trust that the base setup of that tool is “sufficiently secure”), and is in essence limited by your knowledge of the tool and technology used. Also if you’re reusing any passwords, anywhere, just stopping that practice is likely more secure in practice compared to 2fa in isolation.

                  2fa in general isn’t just plaing “better” than not having it, security is rarely this black and white. It also depends on what is allowed to be the “second factor”, and since yours included SMS, it really wasn’t secure at all (like others have also mentioned in this thread). And it depends on the password of course. For example if you use a really secure password (30+ characters), and don’t reuse it, it will in practice be more secure than a short(ish) password and a 2nd factor that allows SMS. Generally 2 factor is used as a term for 2 categorically different athentication methods: one thing you know (password, pin) and one thing you own (phone, physical device/key, or a file works too). The problem is that SMS doesn’t require your phone. It’s incredibly easy to get the SMS without having your phone (even easier with physical proximity) or flat out faking owning your phone number (dpends on a lot of factors how easy or hard that is in practice, doesn’t require physical proximity). Basically, if someone actively targets you and/or that account secured by SMS 2fa, it isn’t overly hard, but it’s good enough at preventing giving access through a data leak for example.

                  So, back to the security of “solution 2a”: how would someone get access to a long password you don’t use anywhere else, that isn’t written down anywhere (or nowhere accessible), and where you essentially never need to use/access the account in the first place? Nobody would even know that whole account exists unless you specifically tell them, let alone knowing how to get in. Note that this can also be combined with the concept in solution 4, so you’re then using it to only restore a single 2fa code. So that “safety net fallback account” very rarely needs to be updated with a newer Aegis-Backup, making it even more obscure/unknown. That 2fa code then lets you access your normal account and backups, and you restore the full suite of 2fa you need.

                  It boils down to this: local 2fa with a backup means you need to get access to a single file to securely restore full access to everything. That file can be transmitted insecurely (due to strong cryptography and hopefully a good password not used anywhere else), but I wouldn’t store it out in the open either. On the other hand, any cloud based solution is an inherent black box. You trust them to properly do things, and you only know they didn’t once it’s too late (like Authy). It also means they are, by nature of what they do (storing account access information), a target and if the attacker is successful, you’re the collateral without having been explicitly targeted. Maybe there are sevices out there that let third parties audit their security and publish the results, but I don’t know of any and it would probably increase the price by an prohibitive amount for most people.

    • Infernal_pizza@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      4 months ago

      I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source

    • notabot@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      If you’re talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.

      That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.

      Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn’t need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn’t need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don’t have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend’s address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you’ll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.

      The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they’re sure it’s you. To be more secure, split each code into two halves and have each held by a different person.

    • ruse8145@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Ente auth is new, but open and cross-plat, unlike aegis. Aegis still wins on Android but ente can import aegis encrypted backups.

    • ITGuyLevi@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Like many others in this thread I love Aegis, I regularly back it up to my nas and it hasn’t failed me yet, but I also selfhost Vaultwarden. Recently I’ve found myself copying a lot of my secrets over so if I don’t have my phone, I still have a way to use TOTP.

  • bleistift2@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    I hate, hate, hate that companies force 2FA on me just because goddamn Susans use ‘password’ as their password on every goddamn fucking app. My passwords are safe. They’re long and they contain ALL THE CHARACTER CLASSES. Fuck off with your fucking 2fa!

    • Serinus@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      My passwords are safe.

      No, they’re really not. No matter how good your password is, it can absolutely be compromised. If you use a password manager, just look at how often sites tell you that you “forgot” your password, despite knowing you haven’t.

      Use 2fa for things that are absolutely vital. Whether you use it for your Blizzard account or Steam account is less important. (Though I’m pretty sure Blizzard has leaked passwords at least once, many years ago.)

      • emptiestplace@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        just look at how often sites tell you that you “forgot” your password, despite knowing you haven’t

        wtf are you talking about?

        • anonymouse2@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          For a few months, I had been getting emails from booking.com saying that I had forgotten my password. Probably scammers with my Gmail username futilely attempting to use the forgotten password link to get at stored payment info. Once I set up 2FA on the account, the emails stopped.

            • anonymouse2@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              0
              ·
              4 months ago

              I was wrong. It wasn’t the forgotten password link. It was one of those sites that sent a login link instead asking for a password when you put in your username. That changed once I set up 2FA.

  • Scrollone@feddit.it
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Companies need to stop using Authy. It’s stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.

    • lazynooblet@lazysoci.al
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.

      I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.

  • kitnaht@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    ‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

    • just_another_person@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.

      • kitnaht@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        4 months ago

        Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

        It’s the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other, is using the system exactly as it was programmed.

        Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended.

        • Natanael@slrpnk.net
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          Hacking is the entire process including figuring out if something is or is not rare limited

          • ___@lemm.ee
            link
            fedilink
            English
            arrow-up
            0
            ·
            4 months ago

            A system fault is not the same as a vulnerability. These would have different baseline CVSS 3.1 scores, with the temporal and environmental reducing over time. A medium/low at best for a public endpoint exposing PII.

        • just_another_person@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          Sure. Except you’re wrong and have absolutely idea of what people in this community say about things. Let me be a dick and literally googz this for you and find an embarassing answer because you couldn’t do it yourself.

              • stephen01king@lemmy.zip
                link
                fedilink
                English
                arrow-up
                0
                ·
                4 months ago

                But they are using a loophole to gain sensitive data. They did not gain unauthorised access to the system.

                • Guest_User@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  4 months ago

                  They absolutely gained unauthorized access to the data. Their access was not intended or sanctioned. If it was intended to be public and accessible like it was, this wouldn’t be a story and they wouldn’t have locked down the access.

        • 0xD@infosec.pub
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          A missing rate limit is a vulnerability, or a weakness, depending on the definition. You’re playing smart without having an idea of what you’re talking about. Here you go:

          https://cwe.mitre.org/data/definitions/799.html

          YouTube videos are public, and as such it’s not really hacking. If you were able to download private videos, for example, it would be a vulnerability like “Improper Access Control”. It does not matter in the least whether you use an “exploit” in your definition (which is wrong) or “just increment the video ID”.

          The result is a breach of confidentiality, and as such this is to be classified as a “hack”.

    • Cornelius_Wangenheim@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      4 months ago

      That’s what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn’t be able to do.

  • Tregetour@lemdro.id
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Bell curve meme:

    Grug: A file on my computer (/Desktop/passwords.txt) Matty Midwit: Cloud connectivity! Phone numbers! Biometrics! Just install the app! Less than a cup coffee per month! Backed by FAGMANTM! The monk: A file on my computer (KPXC)

    • Wispy2891@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn’t allow backups.

      Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack

      • Scrollone@feddit.it
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        Also, Google Authenticator now supports backup. Aegis is another free alternative.

        • aard@kyu.de
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          And as soon as I learned about that I stopped using it. Turns out it was the right choice - since then more then one company had breaches where authenticator seeds extracted from a google account were used to bypass 2fa.

          • Scrollone@feddit.it
            link
            fedilink
            English
            arrow-up
            0
            ·
            4 months ago

            It’s completely optional to connect a Google account. You can always back them up using the QR code (just take a picture with another device)

  • Mio@feddit.nu
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.

    Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.

  • ___@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

    • COASTER1921@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      The problem is so many services requiring SMS to be that second factor. From what I’ve heard it’s easy enough to steal a sim that if you’re being explicitly targeted it’s basically the same as no second factor. Yet even if using an authenticator app most services require you to still have SMS/phone as another option for the 2FA.

      For Authy specifically they’d need to guess your master password and then hijack your phone number, and for users of Authy I suspect their passwords are not easily guessed as it’s already a step above the standard SMS only 2FA most services require.

  • ugjka@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    I realized long time ago that I don’t want my 2FA be tied to my phone number. And then i found you can’t export your data from Authy because they know they are scummy fucks and don’t want to anyone to leave

      • Contravariant@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        Use TOTP wherever possible. It’s standardized, and typically can be found somewhere if you keep digging hard enough.

        Plenty of services push their own proprietary systems hard though. Looking at you M$

        • Tryptaminev@lemm.ee
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          I also find this infuriating. I had a service offer TOTP for authentication. Installed an open source TOTP Aap, scanned the QR and voila.

          The service meanwhile can control whether they want to generate a new token or give out the old one again, for instance when a device was lost.

          It is the most easy, most convenient solution both for the service provider and the client. There is no excuse for any other 2FA system to be used.

      • canadaduane@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        4 months ago

        On Android, I replaced Authy with the open-source Aegis app. It’s just as functional, allows exporting, and doesn’t tie your data to your phone number (nor store it on a central system–not sure if Authy does this or not).

    • Gestrid@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      4 months ago

      then i found you can’t export your data from Authy

      Exporting data from a 2FA app sounds like the opposite of secure. Not to mention you don’t want your 2FA codes on Authy (or any other 2FA app) to remain valid if you’re not using it.

      When I switched from Google Authenticator to Authy years ago, I went through each 2FA-enabled account one by one to disable 2FA and then re-enable it using Authy. It’s a long process depending on how many accounts you have 2FA enabled on, but it’s worth it.

      Reading the OP, looks like it’s time to generate new keys for all my 2FA accounts.

      • fine_sandy_bottom@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        If you can’t export / save / transfer codes then you need to regenerate all your 2fa codes every time you switch to a new device.

        2FA doesn’t need to be infallible, it just needs to be a second factor.