Authy 2FA security app hacked for phone numbers

Topic Author
B88
Posts: 58
Joined: Sun Apr 14, 2024 8:05 pm

Authy 2FA security app hacked for phone numbers

Post by B88 »

For anyone who uses this, worth knowing it was hacked losing 33 million phone numbers. Supposedly limited to phone numbers. If you've not updated the app you will want to do so.

https://www.securityweek.com/twilio-con ... e-numbers/

https://thehackernews.com/2024/07/twili ... poses.html

I know my pension forces use of it, and some government sites do as well.
ikowik
Posts: 400
Joined: Tue Dec 23, 2014 5:52 pm

Re: Authy 2FA security app hacked for phone numbers

Post by ikowik »

B88 wrote: Fri Jul 05, 2024 5:47 pm For anyone who uses this, worth knowing it was hacked losing 33 million phone numbers. Supposedly limited to phone numbers. If you've not updated the app you will want to do so.

https://www.securityweek.com/twilio-con ... e-numbers/

https://thehackernews.com/2024/07/twili ... poses.html

I know my pension forces use of it, and some government sites do as well.
Thank you!!!
gavinsiu
Posts: 5372
Joined: Sun Nov 14, 2021 11:42 am

Re: Authy 2FA security app hacked for phone numbers

Post by gavinsiu »

It looks like the hack exposes your phone number, which means you might get increased phishing attacks. The tokens are probably safe. However, since their last hack was 2022, this is not a good look.
canderson
Posts: 499
Joined: Wed Dec 26, 2012 8:12 pm

Re: Authy 2FA security app hacked for phone numbers

Post by canderson »

Any 2FA app that requires a phone number should be a non-starter for everyone.
Topic Author
B88
Posts: 58
Joined: Sun Apr 14, 2024 8:05 pm

Re: Authy 2FA security app hacked for phone numbers

Post by B88 »

canderson wrote: Sat Jul 06, 2024 12:36 pm Any 2FA app that requires a phone number should be a non-starter for everyone.
I would say don't let the perfect be the enemy of the good.

2FA on a phone is highly convenient for many people, and far, far, far better than no 2FA. Security experts regularly write in articles that by far the biggest security enhancement is 2FA. MFA is better still and passkeys even better. Should I comment that using 2FA is a non-starter for everyone because passkeys are so much better?

Yes using a phone number like Authy has its issues vs best practice, but is a giant leap over nothing at all. Security being inconvenient is imo the biggest issue for most people.
LoveTheBogle
Posts: 208
Joined: Tue Aug 13, 2019 5:53 pm

Re: Authy 2FA security app hacked for phone numbers

Post by LoveTheBogle »

Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
Topic Author
B88
Posts: 58
Joined: Sun Apr 14, 2024 8:05 pm

Re: Authy 2FA security app hacked for phone numbers

Post by B88 »

LoveTheBogle wrote: Sat Jul 06, 2024 8:53 pm Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

B88 wrote: Sat Jul 06, 2024 10:15 pm
LoveTheBogle wrote: Sat Jul 06, 2024 8:53 pm Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
Topic Author
B88
Posts: 58
Joined: Sun Apr 14, 2024 8:05 pm

Re: Authy 2FA security app hacked for phone numbers

Post by B88 »

anagram wrote: Sat Jul 06, 2024 10:31 pm
B88 wrote: Sat Jul 06, 2024 10:15 pm
LoveTheBogle wrote: Sat Jul 06, 2024 8:53 pm Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
So how does that work? If possible I'd like to learn. For instance, one bank I had a joint account with, but no longer do, only used Authy. So how would one use this open source Ente Auth instead? Seems the bank would have to be in on it at the other end.
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

B88 wrote: Sat Jul 06, 2024 10:36 pm
anagram wrote: Sat Jul 06, 2024 10:31 pm
B88 wrote: Sat Jul 06, 2024 10:15 pm
LoveTheBogle wrote: Sat Jul 06, 2024 8:53 pm Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
So how does that work? If possible I'd like to learn. For instance, one bank I had a joint account with, but no longer do, only used Authy. So how would one use this open source Ente Auth instead? Seems the bank would have to be in on it at the other end.
No. It is an IETF standard. Any app or device that follows that standard will work.

https://en.wikipedia.org/wiki/Time-base ... e_password

https://en.wikipedia.org/wiki/Compariso ... plications
Topic Author
B88
Posts: 58
Joined: Sun Apr 14, 2024 8:05 pm

Re: Authy 2FA security app hacked for phone numbers

Post by B88 »

anagram wrote: Sat Jul 06, 2024 11:26 pm
B88 wrote: Sat Jul 06, 2024 10:36 pm
anagram wrote: Sat Jul 06, 2024 10:31 pm
B88 wrote: Sat Jul 06, 2024 10:15 pm
LoveTheBogle wrote: Sat Jul 06, 2024 8:53 pm Authy was great before Twilio purchased it. Now most people are in a bind because Authy does not allow exporting of tokens. There was a way around it that required extreme technical knowledge (or ability to follow a guide) but Authy disabled that back door way of exporting.

I would highly suggest anyone using Authy, Google Authenticator or any other of the dozens of 2FA pieces of software out there to take the time now to revoke those tokens from your sites and create new ones to use in an open source 2FA software.

I recently came across Ente Auth which is open source on GitHub and you can use it totally offline. You can export (and import) in a wide variety of formats. It is one of many open source 2FA projects to choose from available for all major platforms (Apple, Android, Windows, Linux, etc). Please take the time and stop using “free” proprietary projects where a tech company owns the software.
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
So how does that work? If possible I'd like to learn. For instance, one bank I had a joint account with, but no longer do, only used Authy. So how would one use this open source Ente Auth instead? Seems the bank would have to be in on it at the other end.
No. It is an IETF standard. Any app or device that follows that standard will work.

https://en.wikipedia.org/wiki/Time-base ... e_password

https://en.wikipedia.org/wiki/Compariso ... plications
So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
funxional
Posts: 344
Joined: Thu Oct 27, 2022 4:29 pm

Re: Authy 2FA security app hacked for phone numbers

Post by funxional »

B88 wrote: Sun Jul 07, 2024 1:40 am
anagram wrote: Sat Jul 06, 2024 11:26 pm
B88 wrote: Sat Jul 06, 2024 10:36 pm
anagram wrote: Sat Jul 06, 2024 10:31 pm
B88 wrote: Sat Jul 06, 2024 10:15 pm
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
So how does that work? If possible I'd like to learn. For instance, one bank I had a joint account with, but no longer do, only used Authy. So how would one use this open source Ente Auth instead? Seems the bank would have to be in on it at the other end.
No. It is an IETF standard. Any app or device that follows that standard will work.

https://en.wikipedia.org/wiki/Time-base ... e_password

https://en.wikipedia.org/wiki/Compariso ... plications
So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
They have software that gives you a standard token via a QR code. You have software that stores the token and then gives you a code based on the time and the token received.

The code generation is standardized. The site does not know what app you are using. You could technically do it by hand if you could calculate fast enough.

I have never used Google or Authy other than for work.
lazydavid
Posts: 5434
Joined: Wed Apr 06, 2016 1:37 pm

Re: Authy 2FA security app hacked for phone numbers

Post by lazydavid »

B88 wrote: Sun Jul 07, 2024 1:40 am So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
There's nothing to host. You know that QR code they showed you to set up Authy? Scan it with Ente, Google, Microsoft, LastPass, or literally any other authentication app you care to use.

At the risk of oversimplifying a bit, the QR code is just a very long number. The TOTP algorithm is a fully standardized math equation that takes that number and the current time as terms, and computes a 6-digit number as a result. The equation is 1-way, meaning it intentionally loses fidelity in the computation process, such that it is impossible to calculate the original value even if everything else is known.
Paullmas
Posts: 173
Joined: Sun Mar 18, 2018 2:37 pm

Re: Authy 2FA security app hacked for phone numbers

Post by Paullmas »

B88 wrote: Sat Jul 06, 2024 8:14 pm
canderson wrote: Sat Jul 06, 2024 12:36 pm Any 2FA app that requires a phone number should be a non-starter for everyone.
I would say don't let the perfect be the enemy of the good.

2FA on a phone is highly convenient for many people, and far, far, far better than no 2FA. Security experts regularly write in articles that by far the biggest security enhancement is 2FA. MFA is better still and passkeys even better. Should I comment that using 2FA is a non-starter for everyone because passkeys are so much better?

Yes using a phone number like Authy has its issues vs best practice, but is a giant leap over nothing at all. Security being inconvenient is imo the biggest issue for most people.
Aegis does not require a phone number. So why would I consider Authy?
Just say no to international.
canderson
Posts: 499
Joined: Wed Dec 26, 2012 8:12 pm

Re: Authy 2FA security app hacked for phone numbers

Post by canderson »

B88 wrote: Sat Jul 06, 2024 8:14 pm
canderson wrote: Sat Jul 06, 2024 12:36 pm Any 2FA app that requires a phone number should be a non-starter for everyone.
I would say don't let the perfect be the enemy of the good.

2FA on a phone is highly convenient for many people, and far, far, far better than no 2FA. Security experts regularly write in articles that by far the biggest security enhancement is 2FA. MFA is better still and passkeys even better. Should I comment that using 2FA is a non-starter for everyone because passkeys are so much better?

Yes using a phone number like Authy has its issues vs best practice, but is a giant leap over nothing at all. Security being inconvenient is imo the biggest issue for most people.
That’s not what I meant - I mean no 2FA that requires a phone number to sign in is a terrible option. 2FA apps that sync with local or whatever cloud you prefer automatically without any on-device passcodes are better than Authy.
sycamore
Posts: 6692
Joined: Tue May 08, 2018 12:06 pm

Re: Authy 2FA security app hacked for phone numbers

Post by sycamore »

lazydavid wrote: Sun Jul 07, 2024 6:48 am
B88 wrote: Sun Jul 07, 2024 1:40 am So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
There's nothing to host. You know that QR code they showed you to set up Authy? Scan it with Ente, Google, Microsoft, LastPass, or literally any other authentication app you care to use.

At the risk of oversimplifying a bit, the QR code is just a very long number. The TOTP algorithm is a fully standardized math equation that takes that number and the current time as terms, and computes a 6-digit number as a result. The equation is 1-way, meaning it intentionally loses fidelity in the computation process, such that it is impossible to calculate the original value even if everything else is known.
B88, you got some good answers to your question.

At this point it's worth asking why you think Authy is required by a particular bank or whatever? Is there some documentation that said it? Or maybe a customer service rep said so? Possibly what you read or heard was only an example of what app to use, or a dumbing down of how things can work.
Blues
Posts: 2528
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: Authy 2FA security app hacked for phone numbers

Post by Blues »

I like the convenience that Authy provides in that I can run it on more than one device. So, if your phone, for example, were lost or damaged, you could still use the app on an iPad or similar to log into particular sites. You can also back up the tokens, should you choose to.

I realize that there are concessions to be made for some features, and one has to decide for themselves whether it is warranted.

I left LastPass for another password manager because they lost my confidence. At this juncture, I'm not yet ready to jettison Authy.
blueman457
Posts: 473
Joined: Sun Jul 26, 2015 12:19 pm

Re: Authy 2FA security app hacked for phone numbers

Post by blueman457 »

Within the past couple of months, my Authy account on my iPhone had tried to force me to an expensive paid subscription. When I declined, it "lost" the token to my password manager. Fortunately I had a backup method, but I immediately switched away from Authy to '2FAS Auth' which is open source but also allows for syncing via iCloud and exporting of tokens.

I have no problem paying for software, but holding tokens as hostage is anti-consumer.

blueman
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

sycamore wrote: Sun Jul 07, 2024 11:09 am
lazydavid wrote: Sun Jul 07, 2024 6:48 am
B88 wrote: Sun Jul 07, 2024 1:40 am So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
There's nothing to host. You know that QR code they showed you to set up Authy? Scan it with Ente, Google, Microsoft, LastPass, or literally any other authentication app you care to use.

At the risk of oversimplifying a bit, the QR code is just a very long number. The TOTP algorithm is a fully standardized math equation that takes that number and the current time as terms, and computes a 6-digit number as a result. The equation is 1-way, meaning it intentionally loses fidelity in the computation process, such that it is impossible to calculate the original value even if everything else is known.
B88, you got some good answers to your question.

At this point it's worth asking why you think Authy is required by a particular bank or whatever? Is there some documentation that said it? Or maybe a customer service rep said so? Possibly what you read or heard was only an example of what app to use, or a dumbing down of how things can work.
I have seen examples where a bank or other company says we "require" Authy or Google Authenticator, because they don't know what they are doing.
jebmke
Posts: 27331
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Authy 2FA security app hacked for phone numbers

Post by jebmke »

anagram wrote: Sun Jul 07, 2024 11:37 am
sycamore wrote: Sun Jul 07, 2024 11:09 am
lazydavid wrote: Sun Jul 07, 2024 6:48 am
B88 wrote: Sun Jul 07, 2024 1:40 am So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
There's nothing to host. You know that QR code they showed you to set up Authy? Scan it with Ente, Google, Microsoft, LastPass, or literally any other authentication app you care to use.

At the risk of oversimplifying a bit, the QR code is just a very long number. The TOTP algorithm is a fully standardized math equation that takes that number and the current time as terms, and computes a 6-digit number as a result. The equation is 1-way, meaning it intentionally loses fidelity in the computation process, such that it is impossible to calculate the original value even if everything else is known.
B88, you got some good answers to your question.

At this point it's worth asking why you think Authy is required by a particular bank or whatever? Is there some documentation that said it? Or maybe a customer service rep said so? Possibly what you read or heard was only an example of what app to use, or a dumbing down of how things can work.
I have seen examples where a bank or other company says we "require" Authy or Google Authenticator, because they don't know what they are doing.
Banks especially are known for not knowing what they are doing. And not just security.
When you discover that you are riding a dead horse, the best strategy is to dismount.
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

B88 wrote: Sun Jul 07, 2024 1:40 am
anagram wrote: Sat Jul 06, 2024 11:26 pm
B88 wrote: Sat Jul 06, 2024 10:36 pm
anagram wrote: Sat Jul 06, 2024 10:31 pm
B88 wrote: Sat Jul 06, 2024 10:15 pm
I don't disagree with you here. However, that app appears to be for backups and such. I cannot make institutions that only offer Authy or Google use this, giving it limited usefulness. I don't see a way to use this with any financial institutions for instance.
You can use any app for TOTP. It does not have to be Google or Authy.
So how does that work? If possible I'd like to learn. For instance, one bank I had a joint account with, but no longer do, only used Authy. So how would one use this open source Ente Auth instead? Seems the bank would have to be in on it at the other end.
No. It is an IETF standard. Any app or device that follows that standard will work.

https://en.wikipedia.org/wiki/Time-base ... e_password

https://en.wikipedia.org/wiki/Compariso ... plications
So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
I see others have already replied. You don't need to get the bank to host anything. You are free to choose any app that supports TOTP. You can also use a hardware key to do this such as a YubiKey along with their Authenticator app. This is even more secure than an app alone.

I have probably lost you now but the takeaway is you are free to choose any app. If you tell us what device you are using I am sure we can give you good suggestions for an app.
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

jebmke wrote: Sun Jul 07, 2024 11:40 am
anagram wrote: Sun Jul 07, 2024 11:37 am
sycamore wrote: Sun Jul 07, 2024 11:09 am
lazydavid wrote: Sun Jul 07, 2024 6:48 am
B88 wrote: Sun Jul 07, 2024 1:40 am So explain it like I am an idiot. I want to use this software for TOTP with a bank. Step by step how can I get them to host their end of it? I don't get it.
There's nothing to host. You know that QR code they showed you to set up Authy? Scan it with Ente, Google, Microsoft, LastPass, or literally any other authentication app you care to use.

At the risk of oversimplifying a bit, the QR code is just a very long number. The TOTP algorithm is a fully standardized math equation that takes that number and the current time as terms, and computes a 6-digit number as a result. The equation is 1-way, meaning it intentionally loses fidelity in the computation process, such that it is impossible to calculate the original value even if everything else is known.
B88, you got some good answers to your question.

At this point it's worth asking why you think Authy is required by a particular bank or whatever? Is there some documentation that said it? Or maybe a customer service rep said so? Possibly what you read or heard was only an example of what app to use, or a dumbing down of how things can work.
I have seen examples where a bank or other company says we "require" Authy or Google Authenticator, because they don't know what they are doing.
Banks especially are known for not knowing what they are doing. And not just security.
Agreed. It is almost true that banks =/ good security at least in the USA.
jebmke
Posts: 27331
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Authy 2FA security app hacked for phone numbers

Post by jebmke »

anagram wrote: Sun Jul 07, 2024 11:43 am Agreed. It is almost true that banks =/ good security at least in the USA.
I think that's true. My bank in Belgium in 2003 had a software MFA system that had to be installed on your PC with their disk in order to access the bank. Cards of course were all Chip & PIN. Checks did not exist.
When you discover that you are riding a dead horse, the best strategy is to dismount.
tuningfork
Posts: 924
Joined: Wed Oct 30, 2013 8:30 pm

Re: Authy 2FA security app hacked for phone numbers

Post by tuningfork »

There are some websites that use the Authy API on their servers to implement their 2FA. Twitch is one of those sites. This does not force Twitch users to use the Authy app, but it means if you set up 2FA at Twitch, Authy stores some of your data even if you've never directly used Authy.

https://help.twitch.tv/s/article/authy- ... uage=en_US
2FA protects your account from unauthorized logins. When you enable 2FA on your Twitch account, an Authy account and ID are created for you, and linked to that phone number.
I stumbled upon this while I was migrating from Authy to 2FAS a few months ago. After deleting my Authy account, I was unable to set up 2FA on my Twitch account because my Authy account was "delete pending". I had to wait 30 days for Authy to finish deleting my account before I could set up 2FA on Twitch (which apparently created a new Authy account for me). This is beyond annoying now that Authy has been hacked.
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Authy 2FA security app hacked for phone numbers

Post by anagram »

jebmke wrote: Sun Jul 07, 2024 11:53 am
anagram wrote: Sun Jul 07, 2024 11:43 am Agreed. It is almost true that banks =/ good security at least in the USA.
I think that's true. My bank in Belgium in 2003 had a software MFA system that had to be installed on your PC with their disk in order to access the bank. Cards of course were all Chip & PIN. Checks did not exist.
Notice the almost complete absence of banks that support YubiKeys.

https://2fa.directory/us/#banking
jebmke
Posts: 27331
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Authy 2FA security app hacked for phone numbers

Post by jebmke »

anagram wrote: Sun Jul 07, 2024 12:16 pm
jebmke wrote: Sun Jul 07, 2024 11:53 am
anagram wrote: Sun Jul 07, 2024 11:43 am Agreed. It is almost true that banks =/ good security at least in the USA.
I think that's true. My bank in Belgium in 2003 had a software MFA system that had to be installed on your PC with their disk in order to access the bank. Cards of course were all Chip & PIN. Checks did not exist.
Notice the almost complete absence of banks that support YubiKeys.

https://2fa.directory/us/#banking
Also some cultural differences at play - customers especially but also institutions. When I leased our home, we had to set up a standing EFT to pay the lease. When I gave the bank (in person - couldn't do it online) the lessor details I asked how safe it was. He shrugged and said that all payees are certified in the banking system or the transactions will simply not go through. Hacking wasn't a big thing then but it was clear that they had a rigorous validation of the info I provided and the registered payee.
When you discover that you are riding a dead horse, the best strategy is to dismount.
StrongMBS
Posts: 82
Joined: Sat Jan 14, 2017 1:38 pm

Re: Authy 2FA security app hacked for phone numbers

Post by StrongMBS »

First let's correct the headline of this post: the Authy 2FA app was not hacked, but rather there was a data breach from Twilio’s (Authy's owner) systems which included at least the account IDs and phone numbers of Authy users.

If the app had been hacked, then the fallout would be much worse and troublesome. At present the biggest risk for Authy users seems to be the possibility of increased phishing and smishing attacks to their phone numbers.

What is Authy? An application which generates TOTP (Time-based One-Time Password) codes used for 2FA.

What is TOTP? At a high level, it is a standardized algorithm which produces a new and unique typically six-digit code every 30-60 seconds based on two things: time of day and a seed/key (shared-secret).

What is a token? Think of this as the TOTP Generator (be it hardware or an application/software) and the seed. Although this term is used in many ways.

Many web sites use the scanning of a QR-code to exchange the seed to the TOTP application. Usually, any TOTP application can be used. I often scan the QR-code on my computer with my password manager (Keeper) and with a TOTP app on my phone.

Some web sites will also let you copy the seed as text if you wish to store it someplace safe like a password manager, or you can just store a picture of the QR-code.

Note the security of TOTP, like many cybersecurity mechanisms, depends on keeping your seed/key/shared-secret secure and safe.

Which then brings us to the typical security vs convenience tradeoffs of the syncing of tokens (think seed/key/shared-secret) across devices, online backup, or web-access (which implies cloud storage).

It is best practice to not allow an application’s UI to expose the seed once it has been set, which prevents a manual syncing of seed/tokens across devices.

There are a multitude of ways to deal with syncing and storing of tokens, but just remember wherever the seed/token lives, it is another attack surface which adds an increased security risk of that vendor’s systems and software and your devices.

Why do web sites such as banks often pick and imply only certain TOTP apps are supported? Is it because they do not know what they are doing? Maybe, but most likely it is because of testing and, if something goes wrong, they will get the support call. I have seen many competent company IT departments restrict the TOTP apps they say they support for this very reason.

And given the confusion on this thread you can understand why. So, for the general public it is easier to pick some of the more popular or stable apps or sometimes it is just the earliest apps and they have never changed the testing environment.
Post by B88 »

Thanks for all the replies.

The bank I once used said I could only use and had to use Authy. Same for my pension. So I never looked into the details of it. So I did know in general how the TOTP works, but did not know it was something of a standard as to how the tokens are generated and used. I mistakenly believed it was some similar slightly proprietary methods by the different offerings.
Post by B88 »

anagram wrote: Sun Jul 07, 2024 11:41 am I have probably lost you now but the takeaway is you are free to choose any app. If you tell us what device you are using I am sure we can give you good suggestions for an app.
No you did not lose me. I was just away from the forum for a bit. I appreciate the info you and others have provided. I will make use of it.
Post by mark_in_denver »

Blues wrote: Sun Jul 07, 2024 11:18 am I like the convenience that Authy provides in that I can run it on more than one device. So, if your phone, for example, were lost or damaged, you could still use the app on an iPad or similar to log into particular sites. You can also back up the tokens, should you choose to.

I realize that there are concessions to be made for some features, and one has to decide for themselves whether it is warranted.

I left LastPass for another password manager because they lost my confidence. At this juncture, I'm not yet ready to jettison Authy.
I have Microsoft authenticator running on my and my wife's phone in case I lost my phone.

What I don't like is the required passwordless number matching if I want to use backup. So I turned off backup. I don't understand how passwordless is somehow more secure, I call bs on that.
Post by JBTX »

Blues wrote: Sun Jul 07, 2024 11:18 am I like the convenience that Authy provides in that I can run it on more than one device. So, if your phone, for example, were lost or damaged, you could still use the app on an iPad or similar to log into particular sites. You can also back up the tokens, should you choose to.

I realize that there are concessions to be made for some features, and one has to decide for themselves whether it is warranted.

I left LastPass for another password manager because they lost my confidence. At this juncture, I'm not yet ready to jettison Authy.
+1. Stuck with lastpass until it became obvious they had serious problems.

Not being an expert, many people recommended Authy years ago so I chose that. Now that I have several dozen things hooked up to it I'd rather not switch unless I have to.
Post by gavinsiu »

Authy is a rather ugly app. The GUI looks significantly different on each platform. When you rename something, for example, it actually shows up twice until the old value disappears later on. The reason a number is needed is that the phone number is part of the setup workflow. In my opinion, it is also more secure design-wise than Microsoft Authenticator, the closest product in functionality, though I heard 2FA is also a competitor, but I have not tried it.

The extra feature in Authy is that you can turn off the ability to add a new client using one of the existing clients. Once you have set up an Authy client, you can switch off "allow multidevice". Once disabled, hackers can't set up a new Authy client even if they connect to the Authy cloud service. It also works on different platforms. However, they got rid of the desktop client so its value-added proposition has decreased. The typical workflow was to set up Authy on both your phone and your PC, so if you lose your phone you can use the PC to add Authy to the new phone; now you have to have a tablet or another phone. I think there may be a backup option.

I do not use Authy, but my mom does. There are other options like Aegis or AndOTP but they are mostly single platform. I think it would be a pain to get her to retrain on a different app. While the system was hacked, the encryption seems to have kept it from being exploited and the multi-device prevents someone from adding a client. I am thinking that it's still secure.

However, having Authy get hacked twice in the last couple of years is not a good look.
Post by lazydavid »

mark_in_denver wrote: Sun Jul 07, 2024 4:41 pm What I don't like is the required passwordless number matching if I want to use backup. So I turned off backup. I don't understand how passwordless is somehow more secure, I call bs on that.
It absolutely is. TOTP verifies that you have the shared secret. Passwordless verifies that you have the shared secret AND are using the ONE device that you specifically enrolled with the service, AND you have verified yourself to the device using the security factors (usually biometrics) you set up on that device.
Post by mark_in_denver »

lazydavid wrote: Mon Jul 08, 2024 7:38 am
mark_in_denver wrote: Sun Jul 07, 2024 4:41 pm What I don't like is the required passwordless number matching if I want to use backup. So I turned off backup. I don't understand how passwordless is somehow more secure, I call bs on that.
It absolutely is. TOTP verifies that you have the shared secret. Passwordless verifies that you have the shared secret AND are using the ONE device that you specifically enrolled with the service, AND you have verified yourself to the device using the security factors (usually biometrics) you set up on that device.
The biggest issue is if the good guy is using passwordless for their email, for example, the bad guy can go to their email login page, enter the good guy's email address, and the good guy will get a push to either approve/deny or match numbers.

I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.

If I use a password I can use a complex password that is impossible to guess. Even if the bad guy manages to get through the password step, TOTP prevents any further progress. Also what I like about TOTP is it takes extra steps and effort to do so. I have to get my phone out, open the authenticator app, look at the numbers and enter them on the computer screen. I can't be push bombed. I'll gladly accept inconvenience in guarding my financial and email accounts.
Post by anagram »

mark_in_denver wrote: Mon Jul 08, 2024 11:23 am The biggest issue is if the good guy is using passwordless for their email, for example, the bad guy can go to their email login page, enter the good guy's email address, and the good guy will get a push to either approve/deny or match numbers.

I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.
Can you explain what MS is doing with their passwordless for their email? I'm not following. Thanks!
Post by lazydavid »

mark_in_denver wrote: Mon Jul 08, 2024 11:23 am I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.
I have the "three numbers" variety for my ancient hotmail account, but for my work O365 account I actually have to type the onscreen number into my phone. It is literally impossible to spoof. It also can be used as a true second factor. So the login to my work account goes something like this:
  1. Enter username and (long, complex) password
  2. Push notification sent
  3. Unlock phone with fingerprint
  4. Find notification and click on it
  5. Unlock authenticator with fingerprint
  6. type in 2-digit code and touch "Yes"
  7. Confirm operation with fingerprint
  8. Logged in
So even if you take the actual password out of the equation, I still have to take out my phone, open a push notification that I was not expecting, successfully guess a 2-digit number that I can't see, confirm my choice, and pass biometric authentication three times (twice if my phone was already unlocked). If I can mistakenly do all that, I deserve to get thoroughly pwned.
Post by Blues »

Wow, I'm tired from just reading all those steps. You need to change your user name from "lazydavid".
Post by StrongMBS »

gavinsiu wrote: Sun Jul 07, 2024 10:47 pm Authy is a rather ugly app. The GUI looks significantly different on each platform. When you rename something, for example, it actually shows up twice until the old value disappears later on. The reason a number is needed is that the phone number is part of the setup workflow. In my opinion, it is also more secure design-wise than Microsoft Authenticator, the closest product in functionality, though I heard 2FA is also a competitor, but I have not tried it.

The extra feature in Authy is that you can turn off the ability to add a new client using one of the existing clients. Once you have set up an Authy client, you can switch off "allow multidevice". Once disabled, hackers can't set up a new Authy client even if they connect to the Authy cloud service. It also works on different platforms. However, they got rid of the desktop client so its value-added proposition has decreased. The typical workflow was to set up Authy on both your phone and your PC, so if you lose your phone you can use the PC to add Authy to the new phone; now you have to have a tablet or another phone. I think there may be a backup option.

I do not use Authy, but my mom does. There are other options like Aegis or AndOTP but they are mostly single platform. I think it would be a pain to get her to retrain on a different app. While the system was hacked, the encryption seems to have kept it from being exploited and the multi-device prevents someone from adding a client. I am thinking that it's still secure.

However, having Authy get hacked twice in the last couple of years is not a good look.
I am sorry but I do not understand under what circumstances this option provides increased security over options allowed in Microsoft authenticator. Can you explain?

Maybe it is that your TOTP app provider login on the web is compromised and with this there is a way to allow, if this option is not turned off, for a hacker to add a device to your account (Get Account Verification Via) without possessing a current “trusted device” (“Use Existing Device”). Note you cannot turn this feature on unless you are on a current “trusted device”. Is that it?

Seems like the more secure and right solution is to secure your web login utilizing state of the art phishing-resistant passwordless MFA like FIDO2 Discoverable Credentials (i.e., passkeys), which Microsoft allows, does Authy?

Note: if my Microsoft account is compromised, I have a bigger problem than my TOTP app being compromised.

I am not sure what encryption has to do with this, unless you have more information than I have seen disclosed.

All Twilio/Authy has disclosed so far is:
https://www.twilio.com/en-us/changelog/ ... ndroid_iOS
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”

Although I will point out in 2022 it took them almost a month to disclose:
https://www.twilio.com/en-us/blog/augus ... ing-attack
“In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users - out of a total of approximately 75 million users - and registered additional devices to their accounts.”

I will also point out that, as we saw with LastPass, encryption is only as good as how safe your keys are or how secure your key derivation function algorithm is which includes how complicated your secret is. And we have yet to explore how and where all of these apps store your seed/token for your TOTP Generator.
Post by anagram »

StrongMBS wrote: Mon Jul 08, 2024 2:22 pm will also point out that, as we saw with LastPass, encryption is only as good as how safe your keys are or how secure your key derivation function algorithm is which includes how complicated your secret is. And we have yet to explore how and where all of these apps store your seed/token for your TOTP Generator.
This is why it is best not to rely on anyone storing your seed/token and to use a YubiKey which stores the seed/token in your hardware. The TOTP is generated by the YubiKey and displayed in the Yubico Authenticator. All performed locally.

Of course it is even better if the login is secured with the YubiKey itself using FIDO2.
Post by StrongMBS »

mark_in_denver wrote: Mon Jul 08, 2024 11:23 am
lazydavid wrote: Mon Jul 08, 2024 7:38 am
mark_in_denver wrote: Sun Jul 07, 2024 4:41 pm What I don't like is the required passwordless number matching if I want to use backup. So I turned off backup. I don't understand how passwordless is somehow more secure, I call bs on that.
It absolutely is. TOTP verifies that you have the shared secret. Passwordless verifies that you have the shared secret AND are using the ONE device that you specifically enrolled with the service, AND you have verified yourself to the device using the security factors (usually biometrics) you set up on that device.
The biggest issue is if the good guy is using passwordless for their email, for example, the bad guy can go to their email login page, enter the good guy's email address, and the good guy will get a push to either approve/deny or match numbers.

I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.

If I use a password I can use a complex password that is impossible to guess. Even if the bad guy manages to get through the password step, TOTP prevents any further progress. Also what I like about TOTP is it takes extra steps and effort to do so. I have to get my phone out, open the authenticator app, look at the numbers and enter them on the computer screen. I can't be push bombed. I'll gladly accept inconvenience in guarding my financial and email accounts.
Over the years Microsoft has had several different Mobile push-notification-based MFA mechanisms which try to add some phishing mitigation if a phishing-resistant MFA cannot be implemented.
Yes, there are known issues with any push-notification-based MFA but I think the latest Microsoft functionality is well done and minimizes false approvals. Here is a CISA pdf on the subject.
https://www.cisa.gov/sites/default/file ... s-508c.pdf
Note the biggest issue with password/TOTP MFA is that it has no phishing resistance, which today is the most common mechanism used to compromise accounts.
Post by mark_in_denver »

lazydavid wrote: Mon Jul 08, 2024 12:16 pm
mark_in_denver wrote: Mon Jul 08, 2024 11:23 am I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.
I have the "three numbers" variety for my ancient hotmail account, but for my work O365 account I actually have to type the onscreen number into my phone. It is literally impossible to spoof. It also can be used as a true second factor. So the login to my work account goes something like this:
  1. Enter username and (long, complex) password
  2. Push notification sent
  3. Unlock phone with fingerprint
  4. Find notification and click on it
  5. Unlock authenticator with fingerprint
  6. type in 2-digit code and touch "Yes"
  7. Confirm operation with fingerprint
  8. Logged in
So even if you take the actual password out of the equation, I still have to take out my phone, open a push notification that I was not expecting, successfully guess a 2-digit number that I can't see, confirm my choice, and pass biometric authentication three times (twice if my phone was already unlocked). If I can mistakenly do all that, I deserve to get thoroughly pwned.
Yes, from my understanding the enterprise version is "different" than the public version. In the enterprise version, you have to input your password and the two-digit number. IMO that makes it much more secure.
Post by mark_in_denver »

StrongMBS wrote: Mon Jul 08, 2024 2:43 pm
mark_in_denver wrote: Mon Jul 08, 2024 11:23 am
lazydavid wrote: Mon Jul 08, 2024 7:38 am
mark_in_denver wrote: Sun Jul 07, 2024 4:41 pm What I don't like is the required passwordless number matching if I want to use backup. So I turned off backup. I don't understand how passwordless is somehow more secure, I call bs on that.
It absolutely is. TOTP verifies that you have the shared secret. Passwordless verifies that you have the shared secret AND are using the ONE device that you specifically enrolled with the service, AND you have verified yourself to the device using the security factors (usually biometrics) you set up on that device.
The biggest issue is if the good guy is using passwordless for their email, for example, the bad guy can go to their email login page, enter the good guy's email address, and the good guy will get a push to either approve/deny or match numbers.

I tried this using Microsoft passwordless option years ago, I was surprised how easy someone could get in. At that time they were using approve/deny on their push. So all it took was me to accidentally fat finger the bad guy in. Now they've switched to matching one of three numbers which makes it more difficult to fat finger but you could still mistakenly hit the correct number and boom, they're in.

If I use a password I can use a complex password that is impossible to guess. Even if the bad guy manages to get through the password step, TOTP prevents any further progress. Also what I like about TOTP is it takes extra steps and effort to do so. I have to get my phone out, open the authenticator app, look at the numbers and enter them on the computer screen. I can't be push bombed. I'll gladly accept inconvenience in guarding my financial and email accounts.
Over the years Microsoft has had several different Mobile push-notification-based MFA mechanisms which try to add some phishing mitigation if a phishing-resistant MFA cannot be implemented.
Yes, there are known issues with any push-notification-based MFA but I think the latest Microsoft functionality is well done and minimizes false approvals. Here is a CISA pdf on the subject.
https://www.cisa.gov/sites/default/file ... s-508c.pdf
Note the biggest issue with password/TOTP MFA is that it has no phishing resistance, which today is the most common mechanism used to compromise accounts.
But, the cisa document you linked stated that the password still gets entered. This is my main argument. When I tried Microsoft passwordless, all I was presented with was matching from three numbers displayed. I can't see how that is secure. It seems like a giant step back. How is that any better for phishing attempts?
Post by gavinsiu »

StrongMBS wrote: Mon Jul 08, 2024 2:22 pm I am sorry but I do not understand under what circumstances this option provides increased security over options allowed in Microsoft authenticator. Can you explain?

Maybe it is that your TOTP app provider login on the web is compromised and with this there is a way to allow, if this option is not turned off, for a hacker to add a device to your account (Get Account Verification Via) without possessing a current “trusted device” (“Use Existing Device”). Note you cannot turn this feature on unless you are on a current “trusted device”. Is that it?

Seems like the more secure and right solution is to secure your web login utilizing state of the art phishing-resistant passwordless MFA like FIDO2 Discoverable Credentials (i.e., passkeys), which Microsoft allows, does Authy?

Note: if my Microsoft account is compromised, I have a bigger problem than my TOTP app being compromised.

I am not sure what encryption has to do with this, unless you have more information than I have seen disclosed.

All Twilio/Authy has disclosed so far is:
https://www.twilio.com/en-us/changelog/ ... ndroid_iOS
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”

Although I will point out in 2022 it took them almost a month to disclose:
https://www.twilio.com/en-us/blog/augus ... ing-attack
“In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users - out of a total of approximately 75 million users - and registered additional devices to their accounts.”

I will also point out that, as we saw with LastPass, encryption is only as good as how safe your keys are or how secure your key derivation function algorithm is which includes how complicated your secret is. And we have yet to explore how and where all of these apps store your seed/token for your TOTP Generator.
TOTP is not phishing resistant, so if you want that feature as a 2FA, you do not want to use TOTP. However, in many cases you do not have a choice. You use whatever the vendor gives you. I want FIDO, but banks won't give me FIDO. If they offer FIDO, they offer it with a weaker recovery option, which means if a hacker wants to hack my account they will just target the SMS fallback.

Encryption does play a part in securing the 2FA. Your 2FA needs to be stored in an encrypted manner that the vendor does not have a key to. If someone hacks a password manager company, all they get is encrypted data, which they can't decrypt because they don't have a key. For best protection, the vendor themselves should not have a key either. The downside is that if you forget your key, the vendor cannot recover your data.

The way the Authy security works is that no one can add a new client as long as the multidevice client option is turned off. Unless someone physically steals a device that you are currently using, they cannot add a new device. Even if you add another device, you have to enter a master password to decrypt the TOTP. There is no web client for you to look at the TOTP. In contrast, to add MS Authenticator, you would install the app, then select the recovery option; the recovery option has you log into your MS email and enter the recovery code and the vault is populated. My issue with MS account is you must have SMS or email recovery as an option, and you cannot turn it off. If you use SMS recovery, they can gain access to your MS account via SIM hijack and change your password. Your mitigation is to use Google Voice or use the email recovery. In my case, my email recovery is a Google account protected by hardware keys. In my opinion, the weak point in MS account is the account recovery. You cannot remove the recovery option.

As for disclosure, I think no one wants to disclose that they have been hacked. Like I said, the fact that Authy has been hacked twice is not good. Of course MS has also had its share of hacks as well. In the case of the recent MS hack they were targeting software that MS was developing.

Personally, I do not want too many things associated with one account. I don't want, for example, to store my passwords on the same account I use to log in. I have a separate password manager that uses a different account. What I am trying to avoid is that if they hack my one user account, be it Google or MS, they will have all my passwords and 2FA.
Post by mark_in_denver »

Why is yubi key any better than a complex password? Lastpass (and most likely most password managers) will salt your password with your email address and then use a one way hash function multiple times (a number you can specify) to create the vault key. It will then perform one more hash function and use that output as your login key. So if I'm already using a complex password, how does using yubikey help that process?
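An added example, not from any post in this thread and not LastPass's or any vendor's code, of the derivation scheme described above and of the earlier point that a vendor-side breach should yield only material the vendor has no key for: the client derives a vault key from the master password with the email as salt, hashes it once more to get the value it actually sends for login, and the server stores only that. The same function, run by an attacker against a stolen record, shows why the iteration count and the password's guessability are the whole defence. Email, passwords, wordlist and the iteration count are constructed for the demo; real deployments use counts in the hundreds of thousands.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample account. The e-mail address is the salt, as in the scheme described above.
EMAIL = "alice@example.com"
WEAK_PASSWORD = "Summer2024!"
STRONG_PASSWORD = "coral-lantern-tundra-velvet-9"
ITERATIONS = 2_000          # deliberately low so the demo runs fast; production uses far more
WORDLIST = ["password", "123456", "Summer2023!", "Summer2024!", "letmein"]   # constructed


def derive_keys(password: str, email: str, iterations: int = ITERATIONS):
    """Client side. vault_key encrypts the vault locally and never leaves the device;
    auth_hash is one more PBKDF2 round over vault_key and is the only thing sent to log in.
    Because PBKDF2 is one-way, auth_hash does not reveal vault_key."""
    vault_key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    email.lower().encode(), iterations, 32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, password.encode(), 1, 32)
    return vault_key, auth_hash


def server_register(password: str, email: str) -> dict:
    """What the vendor ends up holding: the public parameters and the login hash, no key."""
    _, auth_hash = derive_keys(password, email)
    return {"email": email, "iterations": ITERATIONS, "auth_hash": auth_hash}


def server_login(record: dict, presented_auth_hash: bytes) -> bool:
    """Constant-time comparison of the presented hash against the stored one."""
    return hmac.compare_digest(record["auth_hash"], presented_auth_hash)


def offline_crack(record: dict, candidates) -> Optional[str]:
    """Attacker holding a stolen record. Each guess costs the full iteration count, and
    recovering the password also recovers vault_key, so the encrypted vault falls with it.
    A password that is not in the attacker's list is never found."""
    for guess in candidates:
        _, h = derive_keys(guess, record["email"], record["iterations"])
        if hmac.compare_digest(h, record["auth_hash"]):
            return guess
    return None


if __name__ == "__main__":
    weak = server_register(WEAK_PASSWORD, EMAIL)
    strong = server_register(STRONG_PASSWORD, EMAIL)
    print("weak cracked as:", offline_crack(weak, WORDLIST))
    print("strong cracked as:", offline_crack(strong, WORDLIST))
```

The design choice worth noting is that the server verifies a hash of the vault key rather than the vault key itself, so a compromised server database does not directly hand out decryption keys; it hands out something that must still be brute-forced, which is exactly where the iteration count and password strength decide the outcome.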
Post by StrongMBS »

mark_in_denver wrote: Mon Jul 08, 2024 3:36 pm Why is yubi key any better than a complex password? Lastpass (and most likely most password managers) will salt your password with your email address and then use a one way hash function multiple times (a number you can specify) to create the vault key. It will then perform one more hash function and use that output as your login key. So if I'm already using a complex password, how does using yubikey help that process?
Because FIDO2 Discoverable Credentials (i.e., passkeys), which are passwordless, and the earlier password-based FIDO/U2F, which is what YubiKeys (multi-protocol devices: FIDO2/OTP/Smart Card/OpenPGP 3) are often used for, are phishing-resistant (they will not authenticate unless you are at the web site the device was registered at).
If you wish to know how this works, go here: https://fidoalliance.org/how-fido-works/
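An added example, not from the post above or from the FIDO Alliance, of the property just described: why a FIDO assertion obtained on a look-alike site is useless to the real one. The browser, not the page, fixes the relying-party ID from the origin and writes the true origin into clientDataJSON; the authenticator only has a credential for the genuine rpId; and the relying party checks origin, challenge and rpIdHash before the signature. The domain names and challenge are constructed, and an HMAC key stands in for the per-credential private key because the standard library has no ECDSA; a real authenticator signs with an asymmetric key and the RP holds only the public half. The binding checks are what the example demonstrates, not the signature scheme.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class ToyAuthenticator:
    """One credential per relying-party ID. HMAC key = stand-in for the private key."""

    def __init__(self):
        self.credentials = {}            # rp_id -> (credential_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.credentials[rp_id] = (cred_id, key)
        return cred_id, key              # `key` plays the role of the public key given to the RP

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.credentials:
            return None                  # nothing registered for this rpId, so nothing to sign
        cred_id, key = self.credentials[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags (UP)
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return cred_id, auth_data, sig


def browser_get(auth: ToyAuthenticator, origin: str, challenge: bytes):
    """The browser decides the rpId (the origin's host) and records the real origin in
    clientDataJSON. Page script on a phishing site cannot change either value."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    assertion = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if assertion is None else (client_data,) + assertion


def rp_verify(rp_id: str, expected_origin: str, expected_challenge: bytes,
              registered: dict, response) -> bool:
    """Relying-party checks, in the order the WebAuthn verification procedure lists them."""
    if response is None:
        return False
    client_data, cred_id, auth_data, sig = response
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False                                      # origin binding
    if cd.get("challenge") != expected_challenge.hex():
        return False                                      # freshness: no replay
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                                      # rpIdHash binding
    key = registered.get(cred_id)
    if key is None:
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def demo():
    rp_id, origin = "bank.example", "https://bank.example"        # constructed
    auth = ToyAuthenticator()
    cred_id, key = auth.make_credential(rp_id)
    registered = {cred_id: key}

    challenge = secrets.token_bytes(32)
    legit = rp_verify(rp_id, origin, challenge, registered, browser_get(auth, origin, challenge))

    # Phishing proxy relays the real challenge from a look-alike host: the browser asks the
    # authenticator for a credential scoped to the attacker's host, and there is none.
    phished = rp_verify(rp_id, origin, challenge, registered,
                        browser_get(auth, "https://bank-example.com", challenge))

    # A captured legitimate response replayed against a fresh challenge fails the challenge check.
    replayed = rp_verify(rp_id, origin, secrets.token_bytes(32), registered,
                         browser_get(auth, origin, challenge))
    return legit, phished, replayed


if __name__ == "__main__":
    print(demo())    # (True, False, False)
```

Contrast this with TOTP: a six-digit code typed into a look-alike site is just as valid on the real site for the next 30 seconds, because nothing in the code says where it was typed.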
Post by StrongMBS »

gavinsiu wrote: Mon Jul 08, 2024 3:28 pm
Encryption does play a part in securing the 2FA. Your 2FA needs to be stored in an encrypted manner that the vendor does not have a key to. If someone hacks a password manager company, all they get is encrypted data, which they can't decrypt because they don't have a key. For best protection, the vendor themselves should not have a key either. The downside is that if you forget your key, the vendor cannot recover your data.
Sorry I was not clear, what does encryption have to do with the recent Twilio/Authy data breach?

You wrote “While the system was hacked, the encryption seems to have kept it from being exploited and the multi-device prevents someone from adding a client. I am thinking that it's still secure.”

Just did not understand how you reached that conclusion.
Post by StrongMBS »

gavinsiu wrote: Mon Jul 08, 2024 3:28 pm
The way the Authy security works is that no one can add a new client as long as the multidevice client option is turned off. Unless someone physically steals a device that you are currently using, they cannot add a new device. Even if you add another device, you have to enter a master password to decrypt the TOTP. There is no web client for you to look at the TOTP. In contrast, to add MS Authenticator, you would install the app, then select the recovery option; the recovery option has you log into your MS email and enter the recovery code and the vault is populated. My issue with MS account is you must have SMS or email recovery as an option, and you cannot turn it off. If you use SMS recovery, they can gain access to your MS account via SIM hijack and change your password. Your mitigation is to use Google Voice or use the email recovery. In my case, my email recovery is a Google account protected by hardware keys. In my opinion, the weak point in MS account is the account recovery. You cannot remove the recovery option.
I agree that in most account authentication systems the recovery option is the weak link.

So, it seems the choices here are the security of my mobile device for Authy or the security of my Microsoft account and my Gmail account as a recovery option both using FIDO2 keys (which will wipe itself if my PIN is entered incorrectly 8 times).

To each his own but I will take the latter.
User avatar
Blues
Posts: 2528
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: Authy 2FA security app hacked for phone numbers

Post by Blues »

The iPhone has an option to wipe itself as well after a number of incorrect PIN entries.
AI Overview

An iPhone with a 4- or 6-digit passcode will erase all data after 10 consecutive failed passcode attempts. Before the data is erased, the iPhone will disable itself after five failed attempts. An alert on the lock screen will let you know when your iPhone is disabled.
StrongMBS
Posts: 82
Joined: Sat Jan 14, 2017 1:38 pm

Re: Authy 2FA security app hacked for phone numbers

Post by StrongMBS »

Blues wrote: Mon Jul 08, 2024 4:51 pm The iPhone has an option to wipe itself as well after a number of incorrect PIN entries.
AI Overview

An iPhone with a 4- or 6-digit passcode will erase all data after 10 consecutive failed passcode attempts. Before the data is erased, the iPhone will disable itself after five failed attempts. An alert on the lock screen will let you know when your iPhone is disabled.
I seldom use my FIDO2 keys in a public place, and when I do, I'm very careful about entering the PIN to prevent shoulder surfing. Can you say the same when you're unlocking your phone 100 times a day?

Before it gets brought up, do you really think that face ID that passed while you were wearing a mask during COVID is so secure?
User avatar
Blues
Posts: 2528
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: Authy 2FA security app hacked for phone numbers

Post by Blues »

StrongMBS wrote: Mon Jul 08, 2024 5:12 pm
Blues wrote: Mon Jul 08, 2024 4:51 pm The iPhone has an option to wipe itself as well after a number of incorrect PIN entries.
AI Overview

An iPhone with a 4- or 6-digit passcode will erase all data after 10 consecutive failed passcode attempts. Before the data is erased, the iPhone will disable itself after five failed attempts. An alert on the lock screen will let you know when your iPhone is disabled.
I seldom use my FIDO2 keys in a public place, and when I do, I'm very careful about entering the PIN to prevent shoulder surfing. Can you say the same when you're unlocking your phone 100 times a day?

Before it gets brought up, do you really think that face ID that passed while you were wearing a mask during COVID is so secure?
I never made claims to being a zealot when it comes to this subject. I use Authy, I use Bitwarden, I take reasonable precautions with my settings and activity and call it good. I was simply making a point about the iPhone in case one of our members was unaware.

Having spent my adult life in federal law enforcement, I know that there's only so much we can do to protect our virtual and actual lives. I do what I feel is reasonable and accept responsibility for the rest.