Technology

Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.

That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.

I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.

Call my job and tell them this please. I have to use this shite everyday and it sucks.

I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.

I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.

Wow, it's literally the shazam logo, flipped horizontally and red.

Wonder who got paid to make that logo?

You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

Bitwarden would be my vote

Aegis

These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.

Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.

Most KeePass clones have it now, i use Keepass2Android plus KeePassX on PC

I like 1Password's built in MFA support, if it's a really sensitive account I use Google Authenticator because I haven't bothered researching better local alternative

Edit: Going to try Aegis for the more sensitive logins, looks like what I'm looking for

I use Aegis, which I periodically back up manually off phone.

Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis

Bitwarden has 2FA built in, and you can host it yourself if you want.

If you're talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.

That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.

Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn't need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn't need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don't have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend's address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you'll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.

The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they're sure it's you. To be more secure, split each code into two halves and have each held by a different person.

They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.

Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack