Authy and Google Authenticator Setup

[o_e_l_e_o]

If you worry so much about security concern since Authy have account/cloud feature

There is no good reason to ever use Authy. They have the ability to lock your out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Oh, and they track your activity and share that info with third parties.

It's like someone said "Instead of keeping the keys to your house yourself, give them to me and I totally promise I'll let you use them when you need to. But I'll also let a bunch of other people know whenever you use them." It's a massive privacy and security risk. There is no good reason to use Authy when there are a multitude of open source apps which allow you to store your 2FA codes locally.

why don't you use different software such as Aegis[1] and andOTP[2] which only store the data on your device?

Both are Android only, while OP uses iPhone/iOS. This is why I suggested he uses Tofu, which is the best open source 2FA app for iOS: https://www.tofuauth.com/

[1713562853]

1713562853

[1713562853]

1713562853

[taufik123]

There is no good reason to ever use Authy. They have the ability to lock your out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Oh, and they track your activity and share that info with third parties.
-snip-

I just found out the details about the Authy 2FA App, I've been using it for about the last 2 years and still haven't encountered any problems, because I've never deleted the app or moved it or Synced to a second phone.
But if you say that there's no reason to use Authy, maybe I'll give Aegis a try as you suggest.
Currently I am also still using Google Authenticator and Authy.
and now I'm thinking more about securing and updating my 2FA security though still haven't found any issues in Authy.

[jerry0]

I swear, never thought 2fa could get this complicated

jerry0 has a unique ability to make even the simplest things in to unsurpassable mountains of complexity.

I have answered pretty much all his questions in this thread already. Most succinctly here: https://bitcointalk.org/index.php?topic=5379158.msg58861546#msg58861546
I have also told him how awful a choice Authy is here: https://bitcointalk.org/index.php?topic=5379158.msg58858827#msg58858827

Here's what jerry needs to do:

• Ignore all this old accounts and 2FA
• Download Tofu
• Set it up with his new accounts
• Write down the 16 character codes for each account as back ups
• Use iOS Finder to make a back up of his 2FA database

Can you even use tofu with gemini?  With gemini, it seems the only two factor you could use is authy?  It doesn't show any other two factor option you could use when on security page... which is why i choose authy.  I also notice in all those screenshots, tofu seem to show only a 6 number code for the codes?  Gemini does 7 numbers though... that wouldn't be an issue?


I just took a look at tofu on IOS app store.  I never heard of it.  Again for two factor, i only heard of is google authenticator... which i used before and authy.  I heard of microsoft authenticator as well but never heard of other ones.  But can you use tofo on any site that allows two factor?  



I want to use two factor on coinbase and gemini.  At the moment, im using authy now for gemini and it seem to be fine.  But how do i do backup in case something happens to my phone?  Is it what i mentioned where you need to write your 9 digit authy ID and also turn on authenticator backups and write a password and make sure you write that down?  Thus your authy ID and authenticator backup password... is basically your backup in case something happens to your phone?


Is the the correct way to backup authy?


I am currently using it with gemini without an issue.  First... make sure you go to Authy and write down the Authy ID.  


Then turn on Authenticator Backups... then you enter a password.


So you make sure you write down on piece of paper in case anything happens to your phone?


Authy ID
Authenticator Backups Password

[Yamifoud]

Hi.  I would like to set up authy and google authenticator on gemini and coinbase.  I use iphone and use IOS.

I'm not sure if there is a conflict between the two but for me, having any of these two we are already safe. I'd used Google Authenticator for my account and it was fine. But I see a problem with this if I lost my phone as I didn't save the backup/recovery files to access just in case. Now, I was thinking to disable it and enable back to get the recovery phrases if that is possible to get a new one.
Well, the use of email verification will give help just in case 2FA won't work.

[jerry0]

Can someone here confirm in my last post in bold... if that is the correct way to backup authy? 

[jerry0]

Gemini only advertises Authy for their two factor authorization.  How do you even use Tofu for Gemini then?


Also... can someone here confirm that is how I backup authy in what I posted in bold?

[vv181]

Gemini only advertises Authy for their two factor authorization.  How do you even use Tofu for Gemini then?

Seems Gemini is forcing their user to use Authy[1], AFAIK the standard TOTP code usually has 6/8 digit, as does it listed on Tofu:

Compatibility Support for both counter-based and time-based one-time passwords with 6 or 8 digits using the SHA1, SHA256, and SHA512 algorithms

So, I think you can't use Tofu for Gemini 2FA.

[1] https://support.gemini.com/hc/en-us/articles/360030060432-Why-is-it-asking-me-for-a-7-digit-token-upon-login-

Also... can someone here confirm that is how I backup authy in what I posted in bold?

Yes, but you only need to keep the backup password.

[jerry0]

What two factor authentication are you guys using for coinbase?



Previously I used google authenticator.  Should I try to use that again or not?



Could I use authy for coinbase or not?  I want to make sure I have the backup code or whatever backup is needed in case something happens to my phone.  Also I believe google authenticator cannot be installed on multiple devices right?  So is Tofu the best option then for coinbase?

[bitmover]

If you worry so much about security concern since Authy have account/cloud feature

There is no good reason to ever use Authy. They have the ability to lock your out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. Oh, and they track your activity and share that info with third parties.

I didn't know that about Authy. I will try to move to a different software. Which one do you recommend?

I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).

Can I keep my backup codes in Aegis servers?
Authy is amazing for me, because I keep my 2Fa codes in my android and in my windows devices. I just disable new devices, and I feel very safe about it.

Can Aegis disable new devices?

[RickDeckard]

I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).

What is your opinion on making monthly/weekly/daily backups of your 2FA to your windows machine (or to any other machine of your liking?). If you would be open to this idea may I suggest the following:

• 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.
• Sync application: My recommendation would be to use Syncthing - a free and open source application - which, according to their website, is "a continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes."

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file generated to at least 3 new locations so that I can ensure there's enough copies kept in the unlikely event of losing access to (for example) 2 of those locations. This, of course, makes me run this procedure everything I add a new 2FA code but I think that the gains that I have of such action totally outperform the risks that I may incur. I'm not sure but I think you could automate this process by exploring the features that Syncthing offers as well...
[1]https://github.com/beemdevelopment/Aegis
[2]https://github.com/andOTP/andOTP
[3]https://news.ycombinator.com/item?id=25803996
[4]https://syncthing.net/

[o_e_l_e_o]

Which one do you recommend?

Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices

Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?

Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

Authy is amazing for me, because I keep my 2Fa codes in my android and in my windows devices. I just disable new devices, and I feel very safe about it.

But you place full control of your 2FA codes in the hands of a centralized authority.

Can Aegis disable new devices?

There is no way to "add" new devices without having access to your 2FA app or one of your backs up to copy the shared secret(s) from.

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file generated to at least 3 new locations so that I can ensure there's enough copies kept in the unlikely event of losing access to (for example) 2 of those locations.

I have actually stopped using encrypted back ups at all. Now, instead, whenever I add a new 2FA account, I simply write down the shared secret on paper, just like I would with a seed phrase for a new wallet. If I lose or break my 2FA phone, then I can recover all my 2FA accounts from my paper back up.

[bitmover]

Which one do you recommend?

Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices

Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?

Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

The problem in doing things locally is that physical back-ups are risky as well.
A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).

My bitcoin private keys are really safe in physical backups and nobody could really find them, but  they are very important to me and I am not willing to put the same effort in those 2FA codes.

My 2FA codes are important, but I will just have some headaches if I lose them, I won't really lose any money.

I think RickDeckard suggestion, to encrypt files in the cloud, might be a good idea.

I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.

[dkbit98]

• 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.

Good thing about andOTP app is that it can work even on very old smartphones, this is only option that still works with below Android 5.
It works even offline without internet connection, and I suggest making offline backup whatever app you use, but I know people are using keepass for backup.
I trust any of this options much more than any cloud service.

[o_e_l_e_o]

The problem in doing things locally is that physical back-ups are risky as well.

No back up will ever be 100% safe, but local back ups are far safer than cloud back ups.

A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).

What about a piece of paper with the codes written down hidden somewhere a thief would never find them? Tape them to the underside of your refrigerator, for example. Or maybe unscrew an electrical socket and hide them inside the wall cavity? There are plenty of places in your house which would a thief would never look.

I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.

Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.

[RickDeckard]

I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.

Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.

If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track:

• Your phone number, device information, and email address.
• If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
• We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
• We do not sell your personal information.
• We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
• Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, your primary device type, and other device related information relevant to identifying unusual or suspicious activity, but they will not see any other websites or programs for which you use Authy.
• We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
• Your information will be transferred to the U.S.

I would also like to remember that just five years ago, a user reported on r/bitcoin[2] that if you had multi-device setting ON Authy wouldn't protect you in case of a hacker gained access to your number (spoofing probably):

BY DEFAULT Authy allows any mobile device with access to the phone number associated to the Authy account to download and access the private keys for that account.

Even Coinbase published a blog entry advising users to disable this feature as soon as possible:

(...)Once you’ve installed Authy, we recommend disabling the Multi-device option. This means nobody can add a new Authy app to your account. (...)

Although this finding was quickly "fixed" - Authy applied a rule that, by default, would set that option to OFF to prevent abuses down the line.

By now you've probably noticed that I always prefer to use open sourced applications whenever possible and this is one of the reasons why - anyone can actually look into the code, inspect it to see if it does what it claims it does and can be freely audited by whoever feels the need to do it. Authy is like a "black hole in a container" - as most closed source apps are - in the sense that we don't know what kind of information they are actually communicating and we will actually never will know. And considering the goal of it - maintaining access to critical services of mine - I would much prefer to have that information in an application that I know is fully transparent with "me".

Closing note: If you would like to also have a 2FA application that would also provide you with password management services, look no further than Bitwarden - an open source application that can be self-hosted on your own device[4][5] allowing you to be the "holder" of any information that you so desire to keep in it.
[1]https://www.twilio.com/legal/privacy/authy
[2]https://libreddit.spike.codes/r/Bitcoin/comments/6eugqd/authy_by_default_will_not_protect_you_if_a_hacker/
[3]https://blog.coinbase.com/how-to-increase-your-coinbase-account-security-4b7164926631
[4]https://github.com/bitwarden/server
[5]https://bitwarden.com/help/install-on-premise-linux/

[o_e_l_e_o]

If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track

On those lines, here's a post I made about Authy about a year ago which also picks out some interesting snippets from their Privacy Policy:

I was reading from here: https://www.twilio.com/legal/privacy/authy

If we cannot easily confirm that you are the rightful account holder of the Authy account associated with your old number, we will ask you for your phone account information and a copy of physical identification such as a drivers’ license, national ID, or passport, which we then use to confirm your claim to the account. From time to time, if there are other situations where we need to verify that you are the rightful account holder of your Authy account, our support team may require you to provide identity information like a drivers’ license, national ID or passport.

Emphasis mine. More worrying that just for account recovery, they may also lock you out of your 2FA account (and therefore all of your online accounts which use 2FA) and demand KYC "from time to time". How reassuring.

When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when.

They track your activity across all your accounts, linking that to your email address, phone number, and IP addresses...

Over the last year, we have shared Identifiers and Internet or other electronic network activity information with third parties, as we describe in this section.

...and they share it with third parties.

I don't understand the benefit of this service. It is the equivalent of a web wallet for 2FA: You are letting someone else handle all your codes, have the power to lock you out of your accounts, and invade your privacy, all for something you can do yourself easily, freely, securely, and privately.

I would also like to remember that just five years ago, a user reported on r/bitcoin[2] that if you had multi-device setting ON Authy wouldn't protect you in case of a hacker gained access to your number (spoofing probably)

I did not realize this, though. This is absolutely appalling. This reduces the security of your entire 2FA set up to that of SMS 2FA, which is by far the least secure method and which everybody should avoid at all costs. Phone numbers can be stolen or phished in under 5 minutes and a single phone call to your carrier.

So you go to all this effort to set up Authy, knowing that despite the flashy interface and nice promises, you are only as secure as the worst 2FA method available, they spy on you, and they can lock you out and demand KYC at any time. Unbelievable. Why do people use this trash?

[Bobrox]

Coinbase allows google authenticator but does it allow authy?  Gemini allows authy but does not allow google authenticator?  Is this true?  I did read you could still use authy on coinbase even though coinbase say they no longer allow it?

Looks misunderstanding with authy available for coinbase account, I don't know about new user can't apply with Authy but I have created Coinbase account about four years ago and success connect 2fa with authy, on playtore application have red color and I use that application authy for my coinbase account. Maybe new rule have now allowed but my account still exist with using authy but have great secure with Coinbase exchange not only 2fa code needed but some SMS mobile phone number ask to input and confirm on email when each log in time.