
Topic: Authy and Google Authenticator Setup (Read 435 times)

sr. member
Activity: 1246
Merit: 262
February 22, 2022, 09:13:14 AM
#37
Coinbase allows google authenticator but does it allow authy?  Gemini allows authy but does not allow google authenticator?  Is this true?  I did read you could still use authy on coinbase even though coinbase say they no longer allow it?
It looks like there is a misunderstanding about Authy being available for Coinbase accounts. I don't know whether new users can't set it up with Authy, but I created my Coinbase account about four years ago and successfully connected 2FA with Authy; on the Play Store the Authy application has a red icon, and I use that Authy application for my Coinbase account. Maybe a new rule has changed this now, but my account still exists using Authy, and Coinbase has strong security: not only is the 2FA code needed, but an SMS to my mobile phone number is requested, and I have to confirm on email each time I log in.
legendary
Activity: 2268
Merit: 18711
February 22, 2022, 06:50:34 AM
#36
If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track
On those lines, here's a post I made about Authy about a year ago which also picks out some interesting snippets from their Privacy Policy:
I was reading from here: https://www.twilio.com/legal/privacy/authy

Quote
If we cannot easily confirm that you are the rightful account holder of the Authy account associated with your old number, we will ask you for your phone account information and a copy of physical identification such as a drivers’ license, national ID, or passport, which we then use to confirm your claim to the account. From time to time, if there are other situations where we need to verify that you are the rightful account holder of your Authy account, our support team may require you to provide identity information like a drivers’ license, national ID or passport.
Emphasis mine. More worrying than just for account recovery, they may also lock you out of your 2FA account (and therefore all of your online accounts which use 2FA) and demand KYC "from time to time". How reassuring. Roll Eyes

Quote
When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when.
They track your activity across all your accounts, linking that to your email address, phone number, and IP addresses...

Quote
Over the last year, we have shared Identifiers and Internet or other electronic network activity information with third parties, as we describe in this section.
...and they share it with third parties.

I don't understand the benefit of this service. It is the equivalent of a web wallet for 2FA: You are letting someone else handle all your codes, have the power to lock you out of your accounts, and invade your privacy, all for something you can do yourself easily, freely, securely, and privately.

I would also like to remind you that just five years ago, a user reported on r/bitcoin[2] that if you had the multi-device setting ON, Authy wouldn't protect you in case a hacker gained access to your number (spoofing, probably)
I did not realize this, though. This is absolutely appalling. This reduces the security of your entire 2FA setup to that of SMS 2FA, which is by far the least secure method and which everybody should avoid at all costs. Phone numbers can be stolen or phished in under 5 minutes with a single phone call to your carrier.

So you go to all this effort to set up Authy, knowing that despite the flashy interface and nice promises, you are only as secure as the worst 2FA method available, they spy on you, and they can lock you out and demand KYC at any time. Unbelievable. Why do people use this trash?
legendary
Activity: 1148
Merit: 3117
February 21, 2022, 05:57:13 PM
#35
I would really hate to send my KYC documents to Authy if requested, so they could sell them on the black market or to a third party.
Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.
If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track:
Quote
  • Your phone number, device information, and email address.
  • If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
  • We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
  • We do not sell your personal information.
  • We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
  • Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, your primary device type, and other device related information relevant to identifying unusual or suspicious activity, but they will not see any other websites or programs for which you use Authy.
  • We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
  • Your information will be transferred to the U.S.
I would also like to remind you that just five years ago, a user reported on r/bitcoin[2] that if you had the multi-device setting ON, Authy wouldn't protect you in case a hacker gained access to your number (spoofing, probably):
Quote
BY DEFAULT Authy allows any mobile device with access to the phone number associated to the Authy account to download and access the private keys for that account.
Even Coinbase published a blog entry[3] advising users to disable this feature as soon as possible:
Quote
(...)Once you’ve installed Authy, we recommend disabling the Multi-device option. This means nobody can add a new Authy app to your account. (...)
Although this finding was quickly "fixed" - Authy applied a rule that, by default, would set that option to OFF to prevent abuses down the line.

By now you've probably noticed that I always prefer to use open source applications whenever possible, and this is one of the reasons why - anyone can actually look into the code, inspect it to see if it does what it claims it does, and it can be freely audited by whoever feels the need to do it. Authy is like a "black hole in a container" - as most closed source apps are - in the sense that we don't know what kind of information they are actually communicating, and we will never know. And considering the goal of it - maintaining access to critical services of mine - I would much prefer to have that information in an application that I know is fully transparent with "me".

Closing note: If you would like to also have a 2FA application that would also provide you with password management services, look no further than Bitwarden - an open source application that can be self-hosted on your own device[4][5] allowing you to be the "holder" of any information that you so desire to keep in it.

[1] https://www.twilio.com/legal/privacy/authy
[2] https://libreddit.spike.codes/r/Bitcoin/comments/6eugqd/authy_by_default_will_not_protect_you_if_a_hacker/
[3] https://blog.coinbase.com/how-to-increase-your-coinbase-account-security-4b7164926631
[4] https://github.com/bitwarden/server
[5] https://bitwarden.com/help/install-on-premise-linux/
legendary
Activity: 2268
Merit: 18711
February 21, 2022, 04:24:17 AM
#34
The problem in doing things locally is that physical back-ups are risky as well.
No back up will ever be 100% safe, but local back ups are far safer than cloud back ups.

A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).
What about a piece of paper with the codes written down, hidden somewhere a thief would never find them? Tape them to the underside of your refrigerator, for example. Or maybe unscrew an electrical socket and hide them inside the wall cavity? There are plenty of places in your house where a thief would never look.

I would really hate to send my KYC documents to Authy if requested, so they could sell them on the black market or to a third party.
Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.
legendary
Activity: 2212
Merit: 7064
February 20, 2022, 04:38:42 PM
#33
  • 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.
A good thing about the andOTP app is that it can work even on very old smartphones; it is the only option that still works below Android 5.
It works even offline without an internet connection, and I suggest making an offline backup whatever app you use, but I know people are using KeePass for backup.
I trust any of these options much more than any cloud service.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
February 18, 2022, 06:53:44 AM
#32
Which one do you recommend?
Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices
Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?
Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

The problem in doing things locally is that physical back-ups are risky as well.
A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).

My bitcoin private keys are really safe in physical backups and nobody could really find them, but they are very important to me and I am not willing to put the same effort into those 2FA codes.

My 2FA codes are important, but I will just have some headaches if I lose them; I won't really lose any money.

I think RickDeckard's suggestion, to encrypt files in the cloud, might be a good idea.

I would really hate to send my KYC documents to Authy if requested, so they could sell them on the black market or to a third party.
legendary
Activity: 2268
Merit: 18711
February 18, 2022, 06:21:07 AM
#31
Which one do you recommend?
Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices
Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?
Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

Authy is amazing for me, because I keep my 2FA codes on my Android and on my Windows devices. I just disable new devices, and I feel very safe about it.
But you place full control of your 2FA codes in the hands of a centralized authority.

Can Aegis disable new devices?
There is no way to "add" new devices without having access to your 2FA app or one of your back ups to copy the shared secret(s) from.

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file generated to at least 3 new locations so that I can ensure there's enough copies kept in the unlikely event of losing access to (for example) 2 of those locations.
I have actually stopped using encrypted back ups at all. Now, instead, whenever I add a new 2FA account, I simply write down the shared secret on paper, just like I would with a seed phrase for a new wallet. If I lose or break my 2FA phone, then I can recover all my 2FA accounts from my paper back up.
legendary
Activity: 1148
Merit: 3117
February 17, 2022, 05:21:01 PM
#30
I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).
What is your opinion on making monthly/weekly/daily backups of your 2FA to your windows machine (or to any other machine of your liking?). If you would be open to this idea may I suggest the following:

  • 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.
  • Sync application: My recommendation would be to use Syncthing[4] - a free and open source application - which, according to their website, is "a continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes."

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file to at least 3 new locations so that I can ensure there are enough copies kept in the unlikely event of losing access to (for example) 2 of those locations. This, of course, makes me run this procedure every time I add a new 2FA code, but I think that the gains I have from such an action totally outweigh the risks that I may incur. I'm not sure, but I think you could automate this process by exploring the features that Syncthing offers as well...

[1] https://github.com/beemdevelopment/Aegis
[2] https://github.com/andOTP/andOTP
[3] https://news.ycombinator.com/item?id=25803996
[4] https://syncthing.net/
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
February 17, 2022, 12:44:07 PM
#29
If you worry so much about security concern since Authy have account/cloud feature
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Roll Eyes Oh, and they track your activity and share that info with third parties.

I didn't know that about Authy. I will try to move to a different software. Which one do you recommend?

I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).

Can I keep my backup codes in Aegis servers?
Authy is amazing for me, because I keep my 2FA codes on my Android and on my Windows devices. I just disable new devices, and I feel very safe about it.

Can Aegis disable new devices?
full member
Activity: 1750
Merit: 186
February 16, 2022, 03:47:53 PM
#28
What two-factor authentication are you guys using for Coinbase?

Previously I used Google Authenticator. Should I try to use that again or not?

Could I use Authy for Coinbase or not? I want to make sure I have the backup code or whatever backup is needed in case something happens to my phone. Also, I believe Google Authenticator cannot be installed on multiple devices, right? So is Tofu the best option then for Coinbase?
legendary
Activity: 1932
Merit: 1273
February 13, 2022, 03:06:22 PM
#27
Gemini only advertises Authy for their two-factor authorization. How do you even use Tofu for Gemini then?
It seems Gemini is forcing their users to use Authy[1]; AFAIK the standard TOTP code usually has 6/8 digits, as listed on Tofu:

Also... can someone here confirm that what I posted in bold is how I back up Authy?
Yes, but you only need to keep the backup password.
full member
Activity: 1750
Merit: 186
February 13, 2022, 01:08:51 PM
#26
Gemini only advertises Authy for their two-factor authorization. How do you even use Tofu for Gemini then?

Also... can someone here confirm that what I posted in bold is how I back up Authy?
full member
Activity: 1750
Merit: 186
February 12, 2022, 05:31:51 PM
#25
Can someone here confirm my last post in bold... if that is the correct way to back up Authy?
hero member
Activity: 2828
Merit: 518
February 12, 2022, 05:24:09 PM
#24
Hi.  I would like to set up authy and google authenticator on gemini and coinbase.  I use iphone and use IOS.

I'm not sure if there is a conflict between the two, but for me, having either of these two means we are already safe. I'd used Google Authenticator for my account and it was fine. But I see a problem with this if I lost my phone, as I didn't save the backup/recovery files to access it just in case. Now, I was thinking of disabling it and enabling it back to get the recovery phrases, if it is possible to get a new one.
Well, the use of email verification will help just in case 2FA won't work.
full member
Activity: 1750
Merit: 186
February 12, 2022, 12:39:17 PM
#23
I swear, never thought 2fa could get this complicated
jerry0 has a unique ability to make even the simplest things into unsurpassable mountains of complexity.

I have answered pretty much all his questions in this thread already. Most succinctly here: https://bitcointalksearch.org/topic/m.58861546
I have also told him how awful a choice Authy is here: https://bitcointalksearch.org/topic/m.58858827

Here's what jerry needs to do:
  • Ignore all these old accounts and 2FA
  • Download Tofu
  • Set it up with his new accounts
  • Write down the 16 character codes for each account as back ups
  • Use iOS Finder to make a back up of his 2FA database



Can you even use Tofu with Gemini? With Gemini, it seems the only two-factor you could use is Authy? It doesn't show any other two-factor option you could use on the security page... which is why I chose Authy. I also notice in all those screenshots, Tofu seems to show only a 6-number code for the codes? Gemini does 7 numbers though... that wouldn't be an issue?

I just took a look at Tofu on the iOS App Store. I never heard of it. Again, for two-factor, the only ones I've heard of are Google Authenticator... which I used before, and Authy. I heard of Microsoft Authenticator as well but never heard of other ones. But can you use Tofu on any site that allows two-factor?

I want to use two-factor on Coinbase and Gemini. At the moment, I'm using Authy now for Gemini and it seems to be fine. But how do I do a backup in case something happens to my phone? Is it what I mentioned, where you need to write down your 9-digit Authy ID and also turn on Authenticator Backups and write a password and make sure you write that down? Thus your Authy ID and Authenticator Backups password... is basically your backup in case something happens to your phone?

Is this the correct way to back up Authy?

I am currently using it with Gemini without an issue. First... make sure you go to Authy and write down the Authy ID.

Then turn on Authenticator Backups... then you enter a password.

So you make sure you write these down on a piece of paper in case anything happens to your phone?

Authy ID
Authenticator Backups Password
legendary
Activity: 2716
Merit: 1855
February 12, 2022, 10:25:57 AM
#22
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Roll Eyes Oh, and they track your activity and share that info with third parties.
-snip-
I just found out the details about the Authy 2FA app. I've been using it for about the last 2 years and still haven't encountered any problems, because I've never deleted the app or moved it or synced it to a second phone.
But if you say that there's no reason to use Authy, maybe I'll give Aegis a try as you suggest.
Currently I am also still using Google Authenticator and Authy,
and now I'm thinking more about securing and updating my 2FA security, though I still haven't found any issues in Authy.
legendary
Activity: 2268
Merit: 18711
February 12, 2022, 06:33:45 AM
#21
If you worry so much about security concern since Authy have account/cloud feature
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Roll Eyes Oh, and they track your activity and share that info with third parties.

It's like someone said "Instead of keeping the keys to your house yourself, give them to me and I totally promise I'll let you use them when you need to. But I'll also let a bunch of other people know whenever you use them." It's a massive privacy and security risk. There is no good reason to use Authy when there are a multitude of open source apps which allow you to store your 2FA codes locally.

why don't you use different software such as Aegis[1] and andOTP[2] which only store the data on your device?
Both are Android only, while OP uses iPhone/iOS. This is why I suggested he uses Tofu, which is the best open source 2FA app for iOS: https://www.tofuauth.com/
legendary
Activity: 2268
Merit: 18711
February 12, 2022, 03:22:22 AM
#20
I swear, never thought 2fa could get this complicated
jerry0 has a unique ability to make even the simplest things into unsurpassable mountains of complexity.

I have answered pretty much all his questions in this thread already. Most succinctly here: https://bitcointalksearch.org/topic/m.58861546
I have also told him how awful a choice Authy is here: https://bitcointalksearch.org/topic/m.58858827

Here's what jerry needs to do:
  • Ignore all these old accounts and 2FA
  • Download Tofu
  • Set it up with his new accounts
  • Write down the 16 character codes for each account as back ups
  • Use iOS Finder to make a back up of his 2FA database
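One block that serves three passages in this thread: the advice above to write down the 16-character code for each account as the back up, o_e_l_e_o's point in post #31 that the shared secret on paper is enough to recover every 2FA account on a new phone, and the 6/8-digit versus 7-digit question from posts #27 and #23. This is an added example, not code from any poster here and not from Aegis, Tofu, andOTP or Authy. It implements HOTP/TOTP per RFC 4226 and RFC 6238 with only the Python standard library and uses the RFC 6238 reference secret; the paper-transcription normalisation (spaces, dashes, lower case) and the one-step tolerance window in the verifier are my assumptions about typical practice, not anything the thread specifies.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation, standard library only.

Illustration added to the thread; not code from Aegis, Tofu, andOTP or Authy.
The base32 "secret" a 2FA app stores (the 16+ character string shown at
enrolment) is the entire backup: any device holding it produces the same codes,
so a paper copy of it restores every account, and a stolen copy does the same.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B reference secret: ASCII "12345678901234567890" in base32.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_secret(secret: str) -> bytes:
    """Decode a base32 secret as copied from a paper backup.

    Assumption: people write secrets in groups separated by spaces or dashes and
    often in lower case; enrolment QR codes usually omit base32 '=' padding.
    """
    cleaned = "".join(secret.split()).replace("-", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # The digit count only changes the final modulus: 6, 7 and 8 digit codes
    # come from the same HMAC, which is why a 7-digit site is still plain TOTP.
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(normalize_secret(secret_b32), at // period, digits, algorithm)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Verifier side: accept the current step and +/- `window` steps of clock
    drift, comparing each candidate in constant time (assumed window of 1)."""
    if at is None:
        at = int(time.time())
    key = normalize_secret(secret_b32)
    counter = at // period
    return any(
        hmac.compare_digest(hotp(key, counter + step, digits), code)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed: the same RFC secret as someone might copy it onto paper.
    paper_copy = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    for t in (59, 1111111109, 1234567890):
        # Both "devices" hold the same secret, so both print the same code.
        print(t, totp(RFC6238_SECRET, at=t, digits=8), totp(paper_copy, at=t, digits=8))
    for d in (6, 7, 8):
        print(f"{d} digits:", totp(RFC6238_SECRET, at=59, digits=d))
```

Run it and the three timestamps reproduce the RFC 6238 test vectors (94287082, 07081804, 89005924 with 8 digits); the 6- and 7-digit codes are the trailing digits of the same value. The practical lesson for the backup discussion is that the secret string is the only thing worth writing down, and that whoever holds it holds the account.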
full member
Activity: 1750
Merit: 186
February 11, 2022, 10:26:15 PM
#19
Hi. Well, is it better to have Authy installed on two devices or just one? Because if you have it on two devices... can you still disable multi-device or not? I thought the answer to the second part is no... but you are saying it's yes?

So most people have Authy installed on one device... and disable multi-device, right? But they make sure they write down a password and thus... you would need both the Authy ID and the password in order to restore Authy on another device in the future if something happens to your device? I thought I read you should disable multi-device so that way... someone can't do a SIM swap, since that would still be possible?

My confusion here is... how can you even disable multi-device... if you go and have Authy on two of your devices? Thus imagine a new phone and an old phone. I thought you could only disable multi-device if you have Authy installed on one device.

What about your Authy 9-digit ID? Don't you need to write that down? What about the password that you can create? Don't you have to do that regardless of how many devices you install Authy on?

But can you do this... Have Authy installed on two devices... new phone and old phone. Then turn on Authenticator Backups. Then create your password. Make sure you write that down. But if you do this... would you disable multi-device or not? Can you even disable multi-device?

I heard someone mention they have Authy installed on two devices... and have a password for Authenticator Backups written down along with the Authy ID. They did not disable multi-device. So they basically have multiple backups? Thus if one phone doesn't work, they have the other. But if both phones don't work... as long as they have the Authy ID and the Authenticator Backups password they created... they are fine?

But could you do the same as above... but disable multi-device? Then if something happens to both their phones... do they still have their backup with that Authy ID and Authenticator Backups password if they have that written down?
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
February 11, 2022, 10:17:55 PM
#18
Okay.  Can someone here confirm this?

Confirm what? You just typed a wall of text below, and 3 consecutive posts before that.

We are trying to help you, but you write too much and it is confusing to understand.

Quote
Now... what if you want to say install authy on two different devices though?  Can you do that... then disable multi-device?
yes. You should use your old phone as a back up.

Quote
  So in a way its like okay if something happens to one of your two devices... you still have the other device.  But if something happens to both devices... well you still have the backup?

If you lose both devices and disable multi device feature, you cannot access your back up.

Quote
  Or... you could only disable multi-device if you have Authy set up on one device? I am reading mixed things on this part.

You should disable multidevice when you have at least 2 devices logged into your alt account.
It can be your new phone and an old phone or a computer, etc.