> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
> This is not in the spirit of 2FA.
Unluckily sooo many give zero or negative fáck among their potential and existing customers. This includes businesses providing medical services sending all the client's data and medical results in clear text email and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those who use their services. So they do as they please with their data, not your data, not your concern if it is protected or not. And people go there and rate this service 4.8 on google, insane. Of course no-one really reads TOC, not even for sensitive medical services. People do not learn.
https://www.twilio.com/docs/sendgrid/ui/account-and-settings/two-factor-authentication
It took them two years to fix it.
I’m trying to see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
Today they have incidents almost every week, and now data breaches.
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.
More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.
Case in point, feeding haveibeenpwned with a bunch of HN user handles reveals a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles that are very anti-regulation when it comes to user data ownership.
Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year. It requires getting the tokens loaded into the desktop app, then downgrading to an older version so you can use the chrome remote debugger to run a javascript function against the desktop app (embedded chromium) which pulls out the raw tokens and gives them to you.
It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.
If you need a cross platform authenticator, do check it out.
FOSS, optional e2ee backups.
https://support.apple.com/guide/iphone/automatically-fill-in...
This is truly unacceptable for an authentication product.
An authentication product that doesn't implement authentication correctly in their own APIs?
I used this project for exporting: https://github.com/alexzorin/authy
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
Like if I crawl hackernews and download all the somethings am I a "hacker"?
To me a hack is some kind of escalation of privilege beyond what I'm truly entitled to (such as stuffing passwords, tricking software to run a payload, crafting a payload for service A so that it tricks Service B) ...
Not using curl on a loop.
If there are any high-profile victims in this list SIM Swapping those phone numbers should be a very attractive approach.
I think security-cautious companies should consider turning off multi-device support and start planning for a migration. This leak feels way riskier to me than what media reports it to be.
Tried to do the same on an android phone and it didn’t work.
You can also port your phone to google voice or Fi and give away all your call information to them. Very few spam calls get through their filter.
I like the change phone area code to out of area and block all phone calls from that area that some call services provide.
It's been possible for a very long time now.
Yet, companies keep leaking. And people keep sleeping.
The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!
then, a misconfigured endpoint (or a zero day etc.) can't be exploited by any_actor_on_the_internet - actors need to first complete the provisioning process you choose to enforce to be authorized to use the private overlay.
*not one size fits all, e.g. bad option if endpoints need to accept requests from unknowns.
however, many endpoints only need to accept requests from known (identified, authenticated, authorized) endpoints, and the added friction to id/authN/authZ to use the private overlay is not a business impediment.
there is a stigma here due to the horrors of NAC on private enterprise WANs. but NAC goals can be accomplished without that baggage via internet overlays and modern cryptography.
to be clear, i am by no means advocating to abandon traditional methods of endpoint auth - this is just another layer which recognizes that single layers are rarely airtight (e.g. what just happened to Authy and Twilio).
For authentication, authorization, and 2FA, run it yourself on-prem or go home.
In general, after that I started poking, and discovered a lot of things I hadn't bothered looking into before that make me extremely suspicious of Authy's general security.
For those looking for an alternative, I use 2FAS and Yubico Authenticator with a Yubikey now. Yubikey only allows you to store up to 32 TOTP slots, which is very limiting (I have more than 60 TOTP accounts for 2FA), so I use two apps and "tier" my 2FA.
anotherservicetwilioruined.example.com/api/doesthispersonhaveanaccount?phone=+12012000000
and then the service says 'yeah that number has an account' (and nothing else?)? then whoever repeats that for every possible phone number?
or... more than that?
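As an added example (not code from the thread, Authy or Twilio), here is the shape of the defence the earlier comment asked about ("given endpoint /user/phone-number-validate make sure only <user> can access it") applied to the enumeration-style endpoint sketched just above: every request must carry a session, the lookup is scoped to the caller's own row so "not yours" and "does not exist" are indistinguishable, a per-caller rate limit is enforced, and a single check function asserts all three properties for an endpoint. The tokens, user ids, phone numbers and the limit of 5 are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: session token -> user id, user id -> phone number
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
PHONES = {"alice": "+12015550100", "bob": "+12015550101"}
RATE_LIMIT = 5  # requests per window per authenticated caller (constructed)


@dataclass
class Api:
    hits: dict = field(default_factory=lambda: defaultdict(int))

    def phone_number_validate(self, headers: dict, params: dict) -> tuple:
        """GET /user/phone-number-validate?phone=...  Returns (status, body).
        Authentication first, then rate limit, then an object-level check that
        only ever consults the caller's own row: a number that belongs to
        someone else and a number with no account both yield the same 403."""
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        user = SESSIONS.get(token)
        if user is None:
            return 401, "authentication required"
        self.hits[user] += 1
        if self.hits[user] > RATE_LIMIT:
            return 429, "too many requests"
        # Row-level scoping: never look up the supplied number across all users
        if PHONES.get(user) != params.get("phone"):
            return 403, "forbidden"
        return 200, "phone number verified"


ENDPOINTS = {"/user/phone-number-validate": Api.phone_number_validate}


def check_endpoint_requires_owner(api, path, owner_tok, other_tok, params):
    """The test from the comment: for the given endpoint, an anonymous caller
    gets 401, an authenticated non-owner gets 403, and only the owner gets 200."""
    handler = ENDPOINTS[path]
    anon = handler(api, {}, params)[0]
    other = handler(api, {"Authorization": f"Bearer {other_tok}"}, params)[0]
    owner = handler(api, {"Authorization": f"Bearer {owner_tok}"}, params)[0]
    return anon == 401 and other == 403 and owner == 200
```

Running the check over every entry in ENDPOINTS (with each route's own owner/other fixtures) is what turns "only <user> can access it" into a regression test rather than a code-review hope.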
There are no more excuses other than asking for your phone to be sim-swapped and your bank accounts or your wallets to be drained by call centers.
If this breach doesn't scare you from using phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.