Bitcoin Forum

Are there Authy 2FA app users here? I guess some of the users here have used this for their 2FA accounts on exchanges and wallets. Recently, there's a report that they've been breached and numbers have been taken by the hackers. So, as what the developers are warning about. The users who have registered their numbers will have to be careful of phishing and text scam attempts if they've used their mobile numbers to the app.


Read more: Twilio alerts Authy two-factor app users that ‘threat actors’ have their phone numbers (https://www.theverge.com/2024/7/3/24191791/twilio-authy-2fa-app-phone-numbers-hack-data-breach)

That's a lot of numbers and Twilio confirmed that breached.  :-\

Thanks for updating their users here, i am not an Authy app user, but their users have to be very careful of unsolicited sms's that they receive from now on. 33 million phone numbers is a lot, this is a crazy data breach; and this numbers will be sold and resold in the dark web, so there are going to be different attacks from this, especially the sim swap or simjacking attack.

Crazy times and pretty scary too to the users of the 2-factor authentication App. I think this is a wake-up call for people to start using much better alternatives like Aegis (available only on android)
It's a bit reliving that they were not able to access all other sensitive data as per the Twilo team claims, but who knows what else they could be hiding?

I'm not a user of Authy though, but early I have heard some good reviews about it. But in any case yeah, anyone should be updating on the latest version and maybe change everything as we don't know what those scammers can do with the phone numbers that they have stolen.

I also read about this topic here: Security Alert: Update your Authy to the latest version. (https://bitcointalk.org/index.php?topic=5501992.0)

So it's time to look for alternatives, many could have been using Google Authenticator or any other 2FA apps.

Google Authenticator is a very bad idea. I wouldn't recommend it to any one

There is this thread that has some very good open source alternatives  ----> Best 2FA applications to use. Open source, free, secure. Better than Google's (https://bitcointalk.org/index.php?topic=5451585.0). I am not sure why the topic was moved to the off-topic board despite being very informative and educated

Also, it's worth noting that andOTP Authenticator is not maintained any more, so it might not be one of the best choices available.

I started using Raivo on iOS, very recommended. Offline, no-ads, totally free, allows you to export yout accounts to a ZIP archive.

Still, I used Authy for some time and had some accounts there (even though I haven't opened the app in months because I migrated to Raivo). :P

One more proof that storing data in a centralized manner is very dangerous and will probably be hacked or leak at some point in the future.
I have heard Authy being recommended as an alternative to Google Authenticator a few times on the forum. To my knowledge, both software are closed-source, so not much of an alternative. If the reports are true and someone leaked over 30 million phone numbers, then the app was very popular. Social engineering schemes are to be expected... 

I used both andOTP and Authy back in the day, I no longer access or need any of the services that's was linked to them though. This reinforces my idea that if a service requests for personal information like email or phone numbers when you create an account, using a burner number and email is the best privacy option.

I am not an iOS user but someone posted that Ravio developers has stopped developing the app. Is that true? Although, if you use it offline, I do not think that would of any problem.

best 2FA app for IOS? (https://bitcointalk.org/index.php?topic=5498185.0)

Since I joined this forum, I have read on many post that Tofu is also good for iOS users. I even saw a post about it by Leo before he left this forum.

They did. In fact, the app was acquired by Mobime and things took quite a twist. I don't think it's the same app as it used to be

From the month of June, they have had so many negative reviews due to an update they messed up user OTP codes.

1. https://apps.apple.com/us/app/raivo-authenticator/id1459042137
2.RaivoOTP iPhone 2FA app sold. Latest update removes access to existing TOTP tokens (https://www.reddit.com/r/Bitwarden/comments/1d48s1c/raivootp_iphone_2fa_app_sold_latest_update/)
3. https://github.com/raivo-otp/ios-application/releases
https://talkimg.com/images/2024/07/05/oNXcd.png
4. I don't think it's open source and non-commercial any more - https://github.com/raivo-otp/marketing-website/pull/22
https://i.postimg.cc/PhFhKJm8/546da92f-78f2-4b6f-9202-ad3df0fa1ba3.png (https://postimg.cc/3d8LLHH6)

Well, that's how good apps get ruined overnight.

That's weird. I have never seen that screen at all, even if I open the app right now there is no option to buy any pro version. Maybe it's only for new users? App is also up to date with no new versions on the app store.

Are you using iOS by any chance? The conversation on GitHub that logfiles presented has a reference where it says that the paywall isn't present (yet?) on the iOS application, so perhaps they are starting out in the Android market to see how it reacts before going into Apple market?

I'm one if their users lol. If the only concern is those future spam sms and phishing attempts it's useless, unless the security was breach to the extent that malicious attackers hold those confidential security data then i'll consider myself to migrate to other app.

Talking about to migrate, whoever have the experience of using Bitwarden, saw it as recommendation from the comments in that article posted in OP.

Bear in mind that this was not the first breach that Authy suffered. There have been a few already[1][2] and, to my books, more than 1 would be enough to convince me that they are not worth to have my data, let alone considering the type of service that they offer. Again, this is purely by personal opinion. The fact that you have to rely on a "non official" tool to export your 2FA codes[3][4] is just ridiculous and shows how deep they want you to be locked in to their app.
I have used Bitwarden in past so if you need help just let me know and I'll try to help you.

---

[1]https://www.twilio.com/en-us/blog/august-2022-social-engineering-attack (https://www.twilio.com/en-us/blog/august-2022-social-engineering-attack)
[2]https://www.engadget.com/twilio-authy-data-breach-202314313.html (https://www.engadget.com/twilio-authy-data-breach-202314313.html)
[3]https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93 (https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93)
[4]https://help.ente.io/auth/migration-guides/authy/ (https://help.ente.io/auth/migration-guides/authy/)

Yes, I'm on iOS.

But now that I closely check the links, I found a comment with a screenshot that looks like iOS and had the payment screen. Maybe they reverted it? https://www.reddit.com/r/apple/comments/1d402za/raivootp_iphone_2fa_app_sold_latest_update/l6cttvm/

I might just migrate everything to Bitwarden, didn't do it before because I prefer to keep my passwords and TOTP separated (I already use them as password manager), but idk... :P

Whatever road that Raivo is about to follow, considering all those shady updates, for sure it will take the wrong turn. If not now, it will come eventually. Perhaps it is indeed better for you to consider another TOTP provider.
I understand your fears - if a malicious actor gains access to your Bitwarden account then he/she has total access to your accounts because both your passwords and TOTP's are generated there. Perhaps consider other open source options for the TOTP codes?

I actually consider moving, i already downloaded aegis and bitwarden. I remember some people here recommends using aegis as their 2fa manager. I would love to hear thoughts on those who have experienced of using of both app (aegis and bitwarden).

To be honest, I'm not sure how it works when it asks for personal mobile numbers because other 2FAs don't work like that. But still, those that have it need to be careful.

Yeah, it's aegis that's being used by the reputable people here and suggesting to use it. People should avoid using Google Auth and Authy nowadays.

That seems to be the only threat but still, once these bad actors got people's numbers. They'll pass it on to the others and who knows what else they can do. As for bitwarden, I guess that I've read that in some other recommendations but haven't really used it. So aside from aegis, there goes bitwarden. I do hope that the others are reading this thread for their reference.

I've used both and I would recommend both (be aware that Aegis is just a TOTP generator, it can't hold any passwords). Bitwarden has the possibility that you can self-host it but you have to consider what is safer : Are you able to provide a more secure environment than Bitwarden infrastructure? If you are then you should run your own version so that you are in full control. Otherwise you will just have to trust that Bitwarden will protect your encrypted vault better than you would. They use AES-CBC 256-bit encryption for your vault and PBKDF2 SHA-256 to make a derivation of your private key[1] (using 200,001 rounds both on the server side and client side) so it ends up being better than the encryption implemented by Authy (which is almost the same, but it only uses 1000 rounds[2]). The integration of the TOTP within the app works really well and if you have the browser extension running then it is a seamless experience when you are logging in to any service. Do note that you only have access to TOTP integration if you pay their premium plan - which I consider quite affordable at $10 per year - plus you'll also get 1GB of encrypted file storage and access to Bitwarden Send[3] for both text and files.

If it was me what would allow me to rest better at night would be a combination of the two - Bitwarden for my password needs and then Aegis for my TOTP needs. Like I said to TryNinja I wouldn't feel safe having all of them stored in Bitwarden - if by any random chance a malicious actor would gain access to my vault then he/she would have total control of my accounts.

---

[1]https://bitwarden.com/help/what-encryption-is-used/ (https://bitwarden.com/help/what-encryption-is-used/)
[2]https://authy.com/blog/how-the-authy-two-factor-backups-work/ (https://authy.com/blog/how-the-authy-two-factor-backups-work/)
[3]https://bitwarden.com/products/send/ (https://bitwarden.com/products/send/)

I have never used such apps because I simply never considered them safe, just as I do not consider my smartphone to be a safe device, regardless of all the security measures. At some point, all these programs and apps, instead of preventing risks, turn into risks.

I totally understand your feeling. I wonder, however, how do you manage your passwords and TOTP secrets (if you have them), could you share what is your methodology? There are also offline programs that you can use (such as KeePassXC[1]) that eliminate the risk that exists in having your vault sent to the cloud...

---

[1]https://keepassxc.org/ (https://keepassxc.org/)

I stick to the old proven methods of pen and paper, along with some of my own ideas on how to protect such data even if someone were to get hold of it. In the decades I've been using computers and the internet, I've never had a case of someone hacking me - that's why I'll always trust myself more than any program or application that might do its job, but I still think I'm safer without such help.

I do the same thing as you, just as i back up my seed phrases on paper, i also manage my passwords or any sensitive data on paper. However, for some reasons i know some people may not like the idea of writing their passwords on paper, so i also recommend open source password managers to them, i.e. KeePass, but for now i am yet to see a need to use them, since paper and pen works fine for me.

my favourite one is Google authentication you lose your phone and everything gone I don't knew it was hacked  thank you for letting me knew I used couple of authenation there , what I love about authy is that it provide linking it with Google but these news of sensitive information leaked I still can't believe it, but do I need to change the key and password I am wondering what can I do more ??

You should read the reviews of other members from this thread about Google Authenticator. While it's a good feature of Authy and probably other 2FA apps that it can link to Google Authenticator, we have to be careful at most times as these breaches aren't simple things to ignore.

Based on this update: https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS
You have to update to the latest software updates, iOs and android.

If you want to save passwords and TOTP than you have the option of using KeePass password manager and some of it's forks like KeePassXC and KeePassDX for mobile devices.
I think that Aegis is still better option if you want to use it only for TOTP, but both of them are good open source options.
Everything is stored and encrypted locally and there is no use of cloud services aka computer of someone else.

This is why I prefer no login/sign-ups unless absolutely necessary and prefer encrypted backups (although, I keep these backups on cloud); this way even if cloud service were to get breached (always expect worse, no matter how secure they call themselves) and hacker were to get access to my file, nothing would happen since they would require password to access the content and it's password that only I know.

If they can guess the password, they deserve all the monies :P

p.s: I use Aegis myself, and make encrypted backups.