First time I hear the word "smishing". I hate it. It's an ugly word.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed
- Thread starter MacRumors
- Start date
- Sort by reaction score
you should've been like me and been using 2FAS Auth for the last 2 years, so this never would've happened! Also every account I use has a different password, no two are the same thanks to password managers like bitwarden baby yeah!!!
It's plenty avoidable if these companies would take security of user data seriously, but they know nothing more than a slap on the wrist happens so they cheap out.
I was a big fan of Authy until they killed off the desktop version which was a major inconvenience to me. I've since switched over to the Step Two app https://steptwo.app/
It does pretty much the same thing but it's better integrated with Safari, and it uses iCloud to sync vs. some third-party. And it's free up to 10 accounts.
So long Authy!
It does pretty much the same thing but it's better integrated with Safari, and it uses iCloud to sync vs. some third-party. And it's free up to 10 accounts.
So long Authy!
Thanks, I’ll be switching away from Authy (have a few accounts on there for 2FA).
You could have installed the iPad version if you have an M series machine. Took me 15 seconds and I had my desktop application back again, not that using my phone was a burden mind you.
Curious, what did you and the people who ditched it switch to? Not that I plan to move.
I don’t discount this as a possibility but with universal apps from Apple - it shouldn’t be a problem for the Mac ecosystem.
I switched to another app and deleted my account with them. I switched to 2FAS and they don't need an account at all--they use your icloud drive to store the data--which is only known to you.
This really sucks! I've been an Authy user ever since I set up my first 2FA. I intentionally kept my 2FA's separate from my passwords app.
Is there a way to easily migrate or do you have to go through and setup 2FA again for all accounts?
Any recommendations on alternatives?
Is there a way to easily migrate or do you have to go through and setup 2FA again for all accounts?
Any recommendations on alternatives?
I really regret ever using it, but early on it was one of the only options for two factor. And they didn’t used to be so bad, it was only after the acquisition. As usual.
My problem with Authy is their native tokens are based solely on SMS authentication.
Many people think Authy protects tokens behind a client side password but this applies to Google Authenticator TOTP Tokens backed up only. When you setup a new Authy install on a new device, you will see after completing SMS authentication, your Authy native tokens are unlocked.
The Google TOTP tokens are not unlocked until you type in a further password. This is a huge risk to Authy tokens which is why services like Coinbase already shifted away from Authy and require the standard RFC 6238 token.
Many people think Authy protects tokens behind a client side password but this applies to Google Authenticator TOTP Tokens backed up only. When you setup a new Authy install on a new device, you will see after completing SMS authentication, your Authy native tokens are unlocked.
The Google TOTP tokens are not unlocked until you type in a further password. This is a huge risk to Authy tokens which is why services like Coinbase already shifted away from Authy and require the standard RFC 6238 token.
There only unlocked if you don't have a backup password added to your account. I just reinstalled authy today on a new device and even though I was able to log in and see what authenticator accounts I had, I was not able to use them until I entered my backup password which is different then the account password that is used to log in.
It's a SMS service widely adopted for 2FA and other text messaging services. They list Lyft, Netflix, and Airbnb as their users, so you can imagine how many other large companies are using them. Chances are your number is among those 33 million.Never even heard of Twilio, should we be concerned?
I wonder why these large databases allow large across accounts downloads and or copies. Seems it would be a rather easy fix, no copies over one. If internally a large move or copy needed, would require several layers of approval. Always bugged me how access allows unlimited activity.
It's ridiculous that companies let this happen and then face zero consequences.
Thanks and yes. I do have the iPad version on my Mac - I just figured that it is a matter of time before they close this off.
I switched to Step Two (it was linked in my post above).
I hope Apple's new Passwords app will help with this too, but mainly so that my less techie family members can implement better security. Too many of them use the same weak password everywhere.
Gave it a test spin the other day. Liked it but it currently does not encrypt the data file that is stored in iCloud. Supposedly will encrypt the file in the next major release.
iCloud encryption · Issue #43 · twofas/2fas-ios
I would love it if the backups to iCloud for iOS could be client side encrypted as I believe by default it is not e2ee encrypted by advanced data protection even, and also support (https://2fas.com...
github.com
I also have been using Authy and have been doing some research on replacements. I'm down to 3 to choose from:
1) Ente Auth (Cross platform sync, end-to-end encrypted, desktop app)
ente.io
- Recommended by Privacy Guides and Techlore
www.privacyguides.org
www.techlore.tech
- Free
- Open source
2) OTP Auth (Cross platform sync, end-to-end encrypted, apple watch app)
- Recommended by Steve Gibson from GRC and Security Now podcast
- Free and one time payment $3.99 for Pro version
- Not open source
3) 2FAS (Cross platform sync, apple watch app, desktop app)
2fas.com
- Free
- Open source
** Could have better encryption
discuss.privacyguides.net
github.com
1) Ente Auth (Cross platform sync, end-to-end encrypted, desktop app)
Ente - Private cloud for your photos, videos and more
Protect your photos and videos with Ente - a secure, cross-platform, open source, encrypted photos app. Automatic backups, end-to-end encryption, collaborative albums, family plans, library-sync, 1-click import, human support, locked photos, live photos, descriptions, private sharing, search and...
ente.io
Multi-Factor Authentication - Privacy Guides
These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
www.privacyguides.org
Techlore: Privacy Resources & Recommendations
Privacy & security tools, resources, and recommendations to keep you safe.
www.techlore.tech
- Open source
2) OTP Auth (Cross platform sync, end-to-end encrypted, apple watch app)
OTP Auth
OTP Auth adds support for two-factor authentication to your iPhone and iPad. It can be used with Dropbox, Facebook, GitHub, Google Mail and many more. Make your accounts safe again! Features: - Ads free - Encrypted iCloud Sync - Siri Support - Apple Watch support - Notification Center widget -...
apps.apple.com
- Free and one time payment $3.99 for Pro version
- Not open source
3) 2FAS (Cross platform sync, apple watch app, desktop app)
2FAS - the Internet's favorite open-source authenticator
Meet your favorite 2FA app. We are an open-source, community-driven, private and simple solution for Internet's biggest threat - security breaches.
2fas.com
- Open source
** Could have better encryption
Add 2FAS (Authenticator App)
GPLv3 Cross Platform Well Designed Zero Access Cloud Sync Transparent Team Easy Export & Import Options What more do you need? They do collect some data via Google Crashlytics although I don’t think this is a major issue as they don’t require account creation and they have an opt out...
discuss.privacyguides.net
iCloud encryption · Issue #43 · twofas/2fas-ios
I would love it if the backups to iCloud for iOS could be client side encrypted as I believe by default it is not e2ee encrypted by advanced data protection even, and also support (https://2fas.com...
github.com
This one isn't. Probably from previous phone number leaks from other companies. This is a very old scam. I've had these messages show up like 3 years ago.
Never even heard of Twilio, should we be concerned?
Twilio is a BIG player in the communications area, but not really a consumer-facing service. They are geared more towards developers that need to integrate communication tech into their apps and services.
Gravitating towards well-known brands doesn't mean you're getting a better deal. Think: Chrome.
Twilio is a big well-known player, just not consumer-facing.
I've been moving to iCloud Passwords with Verification Codes. Works great, and automatically available on all devices once added to one. Slowly replacing Google Authenticator with this.
It can be a couple of extra steps to setup or get a code for some sites, but not a show-stopper, and better than grabbing the phone constantly. I'm much preferring iCloud Passwords due to the cross-device convenience.