Topic: Security Alert: Update your Authy to the latest version (Read 264 times)

legendary
Activity: 2366
Merit: 2054
So far I have never had a problem using Authy. When I compared it with Google, using Authy is simpler when we change cellphones: we can log in again using the same cellphone number and receive a code via SMS. I have experienced losing the Google 2FA code and not being able to log in with 2FA. Because of that, I prefer Authy for beginners who have weaknesses in storing data or codes on paper.

From the very beginning I traded using Authy security. I think it's still safe and I feel comfortable with the automatic recovery feature and it can be used on multiple devices. I hope there are no other losses for me and other users later.

Then regarding the update problem, I checked in my Authy application that I have the latest version. I checked from the Play Store. Is this a little different from the one on the Play Store? Hopefully not. I see in the details that my updated version is already 25.11.
I have never checked whether my application is updated or not, because I set up automatic updates on my phone. Just set it in your Play Store, then all installed applications will update automatically when an application asks for it. But if you're not sure, you can check it manually on their site.
legendary
Activity: 1148
Merit: 3117
Of course, this adds to my insights. No matter how strong the security is, there are always gaps that can be exploited by bad people. Not only Authy. I think all GAs, Aegis have weaknesses. So not only from the application and developers but from the users. But from this condition, isn't Authy likely to develop to fix the vulnerability gap? Actually it is quite strange if there is no problem, or maybe no media wrote it? The media can always make writing and business competition.
I'm not sure that I understood your intervention. Sure, each TOTP/2FA program has positive/negative aspects, but considering that Authy is closed source, doesn't allow users to export their TOTPs and has been breached multiple times, those factors have to account for something, no? I'm not saying that Aegis won't ever suffer such a breach, but being open source and developed by the community surely helps in transparency, far more than Authy does.
hero member
Activity: 1400
Merit: 770
If you know about all these breaches in the past and you make your risk assessment regarding Authy, then fine by me. I just don't like seeing users that do not have a full picture of the product that they are currently using.

Of course, this adds to my insights. No matter how strong the security is, there are always gaps that can be exploited by bad people. Not only Authy. I think all GAs, Aegis have weaknesses. So not only from the application and developers but from the users. But from this condition, isn't Authy likely to develop to fix the vulnerability gap? Actually it is quite strange if there is no problem, or maybe no media wrote it? The media can always make writing and business competition.
legendary
Activity: 1708
Merit: 1280
I never used this app. Since then I've been using Google Authenticator because it's more convenient: no need to create any account, just download the app, and it's already bound to your device if you are using Google, which most people are nowadays. That's the essence of having an update for the application, server, and websites because of the vulnerability, so it is better to read all of the patch notes and updates before committing, to make sure there are no bugs and it is not prone to vulnerabilities. Stay vigilant and safe on the internet.
legendary
Activity: 3374
Merit: 3095
So far I have never had a problem using Authy. When I compared it with Google, using Authy is simpler when we change cellphones: we can log in again using the same cellphone number and receive a code via SMS. I have experienced losing the Google 2FA code and not being able to log in with 2FA. Because of that, I prefer Authy for beginners who have weaknesses in storing data or codes on paper.

Well, not all of us have the same experience. If Authy is working just fine for you, then that's fine. I believe you'll understand it better once you've gone through what others have experienced, similar to what was mentioned in the news, but for now, since you believe it is safe, we can't change your thoughts, since we have different experiences.

Another thing is that I avoid using Authy just because they always get breached. As the news posted just a few weeks ago said, they got breached, meaning it happened again, so how are you sure that you are safe using Authy?
Yes, it is easy to use, but the news about breaches alarms me enough not to use it anymore.
legendary
Activity: 1148
Merit: 3117
So far I have never had a problem using Authy. When I compared it with Google, using Authy is simpler when we change cellphones: we can log in again using the same cellphone number and receive a code via SMS. I have experienced losing the Google 2FA code and not being able to log in with 2FA. Because of that, I prefer Authy for beginners who have weaknesses in storing data or codes on paper.

From the very beginning I traded using Authy security. I think it's still safe and I feel comfortable with the automatic recovery feature and it can be used on multiple devices. I hope there are no other losses for me and other users later.

Then regarding the update problem, I checked in my Authy application that I have the latest version. I checked from the Play Store. Is this a little different from the one on the Play Store? Hopefully not. I see in the details that my updated version is already 25.11.
I had this discussion on the other thread that is addressing this breach more hands-on, but I'll post the intervention here as well:
Bear in mind that this was not the first breach that Authy suffered. There have been a few already[1][2] and, in my book, more than 1 would be enough to convince me that they are not worthy of having my data, let alone considering the type of service that they offer. Again, this is purely my personal opinion. The fact that you have to rely on a "non-official" tool to export your 2FA codes[3][4] is just ridiculous and shows how deeply they want you to be locked in to their app.
(...)

[1] https://www.twilio.com/en-us/blog/august-2022-social-engineering-attack
[2] https://www.engadget.com/twilio-authy-data-breach-202314313.html
[3] https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93
[4] https://help.ente.io/auth/migration-guides/authy/
If you know about all these breaches in the past and you make your risk assessment regarding Authy, then fine by me. I just don't like seeing users that do not have a full picture of the product that they are currently using.
hero member
Activity: 1400
Merit: 770
So far I have never had a problem using Authy. When I compared it with Google, using Authy is simpler when we change cellphones: we can log in again using the same cellphone number and receive a code via SMS. I have experienced losing the Google 2FA code and not being able to log in with 2FA. Because of that, I prefer Authy for beginners who have weaknesses in storing data or codes on paper.

From the very beginning I traded using Authy security. I think it's still safe and I feel comfortable with the automatic recovery feature and it can be used on multiple devices. I hope there are no other losses for me and other users later.

Then regarding the update problem, I checked in my Authy application that I have the latest version. I checked from the Play Store. Is this a little different from the one on the Play Store? Hopefully not. I see in the details that my updated version is already 25.11.
legendary
Activity: 2366
Merit: 2054
Authy is not the best authenticator since before their data always got breached and it isn't safe anymore to use in any exchange accounts.
So far I have never had a problem using Authy. When I compared it with Google, using Authy is simpler when we change cellphones: we can log in again using the same cellphone number and receive a code via SMS. I have experienced losing the Google 2FA code and not being able to log in with 2FA. Because of that, I prefer Authy for beginners who have weaknesses in storing data or codes on paper.
legendary
Activity: 1148
Merit: 3117
You can back up to Google Drive, for example[1]. If you want to manually make a backup of your file, then it will be saved in a folder on the local device. However, if you choose to "Export" your encrypted vault, the program allows you to save your file in a cloud provider, provided that you have it installed.
I saw the Android cloud backup on Aegis, but the manual backup is safer. Online backup is easier, especially during migration from one device to another, but it is not safe at all. We heard about the LastPass password manager issue two years ago, and later funds were stolen from LastPass users. The issue can start from somewhere taken for granted until people regret it.
I also don't support a backup to a cloud provider, too much of a risk for me, but DYING_S0UL was interested in knowing if the program had that particular feature from someone that has used the program, hence my guidance. Still, nothing beats an offline backup of your TOTP secrets.
legendary
Activity: 1624
Merit: 1200
You can back up to Google Drive, for example[1]. If you want to manually make a backup of your file, then it will be saved in a folder on the local device. However, if you choose to "Export" your encrypted vault, the program allows you to save your file in a cloud provider, provided that you have it installed.
I saw the Android cloud backup on Aegis, but the manual backup is safer. Online backup is easier, especially during migration from one device to another, but it is not safe at all. We heard about the LastPass password manager issue two years ago, and later funds were stolen from LastPass users. The issue can start from somewhere taken for granted until people regret it.
legendary
Activity: 1148
Merit: 3117
Use Aegis, an open source 2FA. Google Authy is closed source.
Just for clarification, does Aegis support online backing up of the 2FA keys? snip
You can back up to Google Drive, for example[1]. If you want to manually make a backup of your file, then it will be saved in a folder on the local device. However, if you choose to "Export" your encrypted vault, the program allows you to save your file in a cloud provider, provided that you have it installed.

[1] https://github.com/beemdevelopment/Aegis/issues/258
sr. member
Activity: 322
Merit: 318
Use Aegis, an open source 2FA. Google Authy is closed source.
Just for clarification, does Aegis support online backing up of the 2FA keys? Local backups are kind of a pain for me! I like to test different OSes/custom ROMs, which requires a full format of device data. Factory reset, reinstall, backup, import, export are all a hassle when you are frequently doing this kind of stuff. That was the only reason why I use Google Authenticator. Even a week ago I changed my Android OS to a different build from a different developer.
legendary
Activity: 1064
Merit: 1298
You can also turn off the 2FA synchronization in Google Authenticator if exporting your accounts is too much of a PITA.
I did not understand what you meant here. You mean it is possible to turn off the synchronization in Google Authenticator if you do not want to export the authenticator codes that you have set up already? You do not need the online synchronization before you can export your Google Authenticator account. As for a recommendation, any 2FA application that backs up online should not be used.
legendary
Activity: 1568
Merit: 6660
Google Authenticator now supports Google Account synchronization; the update was done on the 24th of April last year according to that article.
Synchronization can be the start of a nightmare.

A 2-factor authentication application must be an independent one and doesn't need to be synchronized with your Google account. If your Google account is hacked, you will lose a lot of information there, including the 2FA backup.

Use Aegis, an open source 2FA. Google Authy is closed source.

https://getaegis.app/

You can also turn off the 2FA synchronization in Google Authenticator if exporting your accounts is too much of a PITA.
hero member
Activity: 1722
Merit: 801
Google Authenticator now supports Google Account synchronization; the update was done on the 24th of April last year according to that article.
Synchronization can be the start of a nightmare.

A 2-factor authentication application must be an independent one and doesn't need to be synchronized with your Google account. If your Google account is hacked, you will lose a lot of information there, including the 2FA backup.

Use Aegis, an open source 2FA. Google Authy is closed source.

https://getaegis.app/
legendary
Activity: 1624
Merit: 1200
I don't think there's an online backup. It does have an export option, but you can only export them if you are going to move the authenticator to a new device, because it would generate a QR code that you need to scan on another device.
It has an online backup. Some people said it was optional but I updated the authenticator last year or 2 years ago and I saw that it has been backed up online. I did not know how it happened until it was too late.

I never tried exporting my authenticator with email. I saw this as another option, but you can just ignore it and use the QR code option instead if you want to export and move it to a new device.
I do not believe in QR code backups. I backup the secret code generated on the site (like exchanges) which should be backed up. I prefer it that way.
hero member
Activity: 700
Merit: 673
I thought Google authenticator is encouraging online backup. That has been the reason I do not like it.
I don't think there's an online backup. It does have an export option, but you can only export them if you are going to move the authenticator to a new device, because it would generate a QR code that you need to scan on another device. I never tried exporting my authenticator with email. I saw this as another option, but you can just ignore it and use the QR code option instead if you want to export and move it to a new device.
Actually, there is an online backup where you will be required to permit the authenticator app to synchronise with any Gmail account linked to your device. Most times, it uses your primary email by default to conduct the backup.
 
This has been effective on Google Authenticator since last year. If I can remember correctly, let me search to see if I can find the link to the update.

Edit: Google Authenticator now supports Google Account synchronization; the update was done on the 24th of April last year according to that article.
legendary
Activity: 3374
Merit: 3095
I thought Google authenticator is encouraging online backup. That has been the reason I do not like it.


I don't think there's an online backup. It does have an export option, but you can only export them if you are going to move the authenticator to a new device, because it would generate a QR code that you need to scan on another device. I never tried exporting my authenticator with email. I saw this as another option, but you can just ignore it and use the QR code option instead if you want to export and move it to a new device.

However, saving the secret code to an offline device is still the best way to back up your authenticator for future recovery, ignoring all export options from the app.
sr. member
Activity: 1288
Merit: 231
Currently using Google Authenticator. Don't know how safe it is. But at least there is no chance of losing the 2FA keys unless my Gmail is lost/hacked/compromised.

Guys, any recommendations?
Google Authenticator is a closed-source authenticator app, which is not advisable for you to use in the first place.

So I will advise you to check out the list of recommended open-source authenticator apps and use one.

Best 2FA applications to use. Open source, free, secure. Better than Google's
I know of a good open source authenticator app (https://github.com/beemdevelopment/Aegis), but I'm not sure if it supports online backups. The last time I checked, I can't remember much, but it didn't have any online backup system. And since Google Authenticator has an online backup system, I am using it even if it's closed source. It's very convenient for me to login and access my keys and codes. I just have to login to my Gmail.
When you want to link your authenticator to any app, exchange, or anywhere at all, there is a code that is being generated. Either you manually type it in to the authenticator or you use the scanner to scan it and then input the generated code to make the linking successful.
 
You can manually write down that code each time for each app and make sure you have it backed up in a safe place so that if you lose access to the app, you can use that signature to restore it.
 
Backing your Google authenticator app to your cloud is a very risky thing for you to do. Once the email linked to that cloud is hacked, the authenticator's data is also compromised, as anyone who has access to the email can access your authenticator too.

Offline backup for anything remains the best for everything, as it can't be hacked by anyone since it's not uploaded online.
legendary
Activity: 1624
Merit: 1200
I stopped using other 3rd-party authenticator apps and kept using Google Authenticator, which doesn't ask for a phone number or email. You can use it without them; just make sure you separately save your backup codes in a safe place so that you can use them in another app or for recovery purposes.
I thought Google authenticator is encouraging online backup. That has been the reason I do not like it.

Authy is not the best authenticator since before their data always got breached and it isn't safe anymore to use in any exchange accounts.
I would prefer not to use any authenticator that encourages online backup, like Authy, as I have said before. The authenticator is as bad as Google Authenticator, which also encourages backing up users' data.
sr. member
Activity: 322
Merit: 318
Currently using Google Authenticator. Don't know how safe it is. But at least there is no chance of losing the 2FA keys unless my Gmail is lost/hacked/compromised.

Guys, any recommendations?
Google Authenticator is a closed-source authenticator app, which is not advisable for you to use in the first place.

So I will advise you to check out the list of recommended open-source authenticator apps and use one.

Best 2FA applications to use. Open source, free, secure. Better than Google's

I know of a good open source authenticator app (https://github.com/beemdevelopment/Aegis), but I'm not sure if it supports online backups. The last time I checked, I can't remember much, but it didn't have any online backup system. And since Google Authenticator has an online backup system, I am using it even if it's closed source. It's very convenient for me to login and access my keys and codes. I just have to login to my Gmail.

For example, if I lose my device, is there any way to recover my keys again? Because AFAIK, for the apps you suggested, everything is stored locally.

Aegis was included in your link!!! Oops, I didn't click your link and started writing my reply.
sr. member
Activity: 1288
Merit: 231
Currently using Google Authenticator. Don't know how safe it is. But at least there is no chance of losing the 2FA keys unless my Gmail is lost/hacked/compromised.

Guys, any recommendations?
Google Authenticator is a closed-source authenticator app, which is not advisable for you to use in the first place.

So I will advise you to check out the list of recommended open-source authenticator apps and use one.

Best 2FA applications to use. Open source, free, secure. Better than Google's
sr. member
Activity: 322
Merit: 318
I used Twilio, aka Authy, in the past and had a bitter experience using it. For some reason, I had to factory reset my device and lost my Authy login data in the process. After recovering, I was asked for the master password. Basically, all my keys were encrypted in cloud storage, but I couldn't remember what the password was. Without it, the keys cannot be decrypted. Even though I had the original email and number associated with the account, I couldn't reset my password. It's a one-way system kind of thing. If you forget it, you can't reset it (I don't remember much, but it was something like that). And in the end, I lost all my 2FA keys and had to leave Authy. Luckily, I had manually backed up my keys.

Currently using Google Authenticator. Don't know how safe it is. But at least there is no chance of losing the 2FA keys unless my Gmail is lost/hacked/compromised.

Guys, any recommendations?
legendary
Activity: 1568
Merit: 6660
You should not have to sign up for an authenticator app or create an account in order to be able to use it. What kind of logic is that anyway? Even Google Authenticator and Microsoft Authenticator don't make me sign into my account before I use them.
legendary
Activity: 3374
Merit: 3095
I stopped using other 3rd-party authenticator apps and kept using Google Authenticator, which doesn't ask for a phone number or email. You can use it without them; just make sure you separately save your backup codes in a safe place so that you can use them in another app or for recovery purposes.

Authy is not the best authenticator since before their data always got breached and it isn't safe anymore to use in any exchange accounts.

Look at the old news about this below

- https://www.engadget.com/twilio-authy-data-breach-202314313.html
legendary
Activity: 1624
Merit: 1200
I saw in the news a day or two ago how Authy users' data (maybe email or phone number) was leaked. I am not an Authy user and I can not use it at all. We have warned people several times not to use authenticators that will collect some personal information from you. There are better 2FA apps like Authy and Tofu.

Maybe it is an online data breach, used to gain access to Authy users' accounts, that we are going to see next in the news. Stop using Authy.
hero member
Activity: 2842
Merit: 772
Twilio, a cloud communication provider, recently raised a security bulletin saying that unidentified entities were able to take advantage of an unauthenticated endpoint in Authy (a free mobile app for two-factor authentication) to filter out identities of data associated with Authy accounts, which include cell phone numbers.

https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS

This is so important for crypto traders as we could have been using Authy as 2FA for our online accounts. So for members who are using Authy, better to update your apps to the latest version as per advisory.