
They intentionally make it really hard to migrate your data off their app under the premise of "security". Now, they are EOL'ing desktop apps, which are extremely convenient to use, despite the terrible UX.

https://support.authy.com/hc/en-us/articles/1260805179070-Ex...

The process for exporting is doable, but requires fairly deep technical knowledge and it isn't 100% clean. In order to do so, you need that desktop app and a specific version at that.

https://www.reddit.com/r/Bitwarden/comments/116kpvf/export_a...

I stopped using it ages ago because of these reasons; this should be your heads-up to do the same.



Important point out of that reddit Bitwarden thread:

If you migrate to another app and then delete your authy account, you risk having 2FA removed for some integrated accounts if they're set up to directly use the Authy backend. Twitch in some cases was pointed out.


Twitch refused to return me access to one of my accounts for this exact reason (the account that had subscriptions on it was returned, the one without was not).


I've abandoned a twitch account because of 2FA nonsense. If you set a phone number as your 2FA and then lose access to it you're screwed. They don't care.


At some point Cloudflare also used their weird OTP variant.



In case anyone is looking for a desktop app to replace Authy, the authy-migration tool from token2 supports exporting TOTP seeds in WinAuth compatible format (use .wa.txt for export file name). Then in WinAuth (https://winauth.github.io/winauth/index.html), just import that file.


I have a rooted Android phone and with a simple su and cp I copied the Authy XML to another folder which you can import into the app Aegis directly (from there you can export further if you don't like Aegis). I'm currently looking at Ente Auth because it's end-to-end encrypted and also provides a web UI for viewing the codes. Or I use another Keepass file.


I used this and it worked very well. Not perfectly.

Because Authy doesn't have icons for a lot of services, I stored info as twitter:username, google:username, etc. The script dropped the service name on about 10 of those, just showing the username.

I "imported" the list of QR codes into 2FAS by using my iPhone's camera. Where there wasn't a service, it would say "Service 1", "Service 2", etc.

I then went back through with 2FAS on one device and Authy on another, matching the "Service 1" to "Bubble", for example, because the TOTP codes were the same.

The one service that didn't seem to transfer was Facebook, which I have in Authy but didn't show up in the QR code list.

Several codes in Authy were duplicates, meaning that service:username was the same. 2FAS asked if I wanted to overwrite them. #1, I don't think Authy should allow the same string more than once and #2, again, a simple alphabetization would make maintaining and using Authy more agreeable.
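The matching trick in this comment (two apps showing the same code at the same instant means they hold the same seed) and the later remark that KeePassXC "generates the same OTPs" both rest on TOTP being a fixed algorithm (RFC 6238 over RFC 4226 HOTP) applied to a portable secret, so any correct implementation agrees. The Python below is an added example, not code from this thread or from Authy, 2FAS or KeePassXC; the otpauth:// export lines, the issuer "Bubble" and the account names are constructed, and the secret is the RFC 6238 test key, which is why its codes are known in advance.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: two otpauth:// entries of the kind a QR-code export holds.
# Both carry the RFC 6238 test key "12345678901234567890" (base32 below), so they
# are a duplicate seed under different labels; the second has no issuer at all.
SAMPLE_EXPORT = [
    "otpauth://totp/Bubble:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Bubble&digits=6&period=30",
    "otpauth://totp/alice%40example.org?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
]


def parse_otpauth(uri):
    """Parse one otpauth://totp/ URI into issuer, account, raw secret, digits, period."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI: %r" % uri)
    label = unquote(u.path.lstrip("/"))
    issuer, sep, account = label.partition(":")
    if not sep:                       # label is just the account name
        issuer, account = "", label
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer = q.get("issuer", issuer)  # an explicit issuer parameter wins
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)      # exports often strip base32 padding
    return {
        "issuer": issuer or None,
        "account": account.strip(),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits)


def codes_from_export(lines, at=None):
    """Name and code for each export entry at time `at`; entries without an issuer
    get a generic 'Service N' name, as the importer in the comment did."""
    out = []
    for i, line in enumerate(lines, 1):
        e = parse_otpauth(line)
        name = "%s:%s" % (e["issuer"], e["account"]) if e["issuer"] else "Service %d" % i
        out.append((name, totp(e["secret"], at, e["period"], e["digits"])))
    return out


def match_by_code(export_lines, reference_codes, at=None):
    """Pair each export entry with the reference entries that show the same code
    at the same instant (the two-device matching the comment describes).
    reference_codes: {name: code} as read off the other app's screen."""
    by_code = {}
    for name, code in reference_codes.items():
        by_code.setdefault(code, []).append(name)
    return {name: by_code.get(code, [])
            for name, code in codes_from_export(export_lines, at)}


if __name__ == "__main__":
    for name, code in codes_from_export(SAMPLE_EXPORT):
        print(name, code)
```

Because both sample entries share one seed they always show the same code, which is exactly the duplicate situation the comment hit; matching by code therefore identifies the seed, not the label, and two entries that collide this way should be treated as one secret rather than two.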


Actually, it looks like Authy will show "twitter:username" in the compact list but doesn't show that (just "username") on the icon view unless I'd manually added them. So it wasn't stripping service names, I hadn't added them.

Still puzzled about why Facebook wasn't transferred.

I have found Authy to be reliable and I like having the TOTP codes on multiple devices. I have a powered-off iPhone at a friend's as one way to access my codes. I don't like the apathy that Twilio has shown it and I don't like the inability to export.


Nice find!


And they try to lock you into their own ecosystem. If you use SendGrid, it requires an Authy-specific 2FA code that can only be generated in their app.


I installed Authy on a rooted phone just to yoink the SendGrid token out and put it in our usual shared authentication service. Such a pain in the ass. I would highly recommend against SendGrid in basically all circumstances fwiw.


> I would highly recommend against SendGrid in basically all circumstances fwiw.

To add another reason: their API will return an error if you send it more than one simultaneous request.


Sendgrid was my go to email provider for clients pre-acquisition.

Once they got bought out & forced their poorly implemented 2FA with mobile phone requirements, I had no choice but to find different providers.


Postmark FTW


Yes, and, if you create a SendGrid account and therefore an Authy account, this may immediately enroll other accounts of yours on entirely unrelated websites/services/platforms into Authy, presumably by correlating your phone number. (Even if the email address is different!) This includes big sites like Twitch, and also includes sites where you had selected the "only allow 2FA via security keys" option. Of course some of the blame here probably falls on those platforms, but both the fact that this is possible and the fact that Twilio encourages these patterns are reprehensible.


Yeah. I have always wondered what they gain by doing this.


Lock-in by forcing you to use another Twilio product.


“Security”


I use Authy. I've read a few comments about how migrating away is difficult. What do you use instead?

I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.


> I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.

I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

If someone gets access to your unlocked PC/phone, don't they then have access to both? Do you store your TOTP vault password in your password vault (obvious)?

If someone gets into your password vault, why wouldn't the same mechanism also let them get into your TOTP vault? (This applies whether it's brute force, keylogger, hardware exploit, or $5 wrench.)


> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

If Bitwarden is compromised, like LastPass was. Of course the vault should still be encrypted, but I don't want to rely on a single company managing everything correctly. It seems much less likely that two different companies will be compromised at the same time.


That's been my attitude, both are keyed to my Face ID, otherwise encrypted. My phone times out really quickly if I'm not typing away on it. I feel relatively safe. I wonder though how much longer they will maintain the phone apps. All my desktop versions are verified from my phone, so them dropping the desktop sucks but isn't catastrophic.


>In what cases would your password vault be compromised, but your TOTP vault still be secure?

If the password vault is on one device and the TOTP app on another then it would be harder for an attacker to get into both.

I have the same concerns about passkeys. How is it secure if the only thing an attacker needs is a single method of accessing a single device?


Generally the threat model that TOTP protects against is not someone breaking into your device. The threat model that it protects against is someone compromising your other credentials. So, although not recommended, you could post your login credentials on Twitter and still nobody would be able to get into your account. An attacker hacking into your laptop/desktop/phone with access to install keyloggers and hijack connections is not really what it protects against.


>Generally the threat model that TOTP protects against is not someone breaking into your device.

And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's YubiKey.


Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.


If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.


The threat is that your device is infiltrated right now.


In a corporate setup, it also somewhat protects against intentional policy-violating password sharing between employees.


> How is it secure if the only thing an attacker needs is a single method of accessing a single device?

You should have two-factor for your password vault as well, and that TOTP is stored on a separate device.

In other words, you replace the model of having password+TOTP for every account, to having one password+TOTP for your password vault, and effectively treat that password vault as an authentication service for yourself.


That's a good idea.

Now I just have to find out how to configure this for passkeys.


> I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?

Key logger?

I unlock my password vault frequently. I only unlock my TOTP vault to:

1. Add a new secret
2. Recover access to an account if my authenticator has died.

Since I unlock my TOTP vault so infrequently, the number of hashing rounds/etc. is tuned to be _much_ slower and require _much_ more memory. It uses an entirely separate set of credentials from my main vault. And you're unlikely to snag the password unless you're watching me for a long time or get very lucky.
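The setup in this comment, a rarely opened vault whose key derivation is deliberately much more expensive than the everyday vault's, as an added worked example that is not from the thread or from any password manager: the profiles below are illustrative stand-ins rather than KeePass or Bitwarden defaults, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever KDF the vault actually uses (KeePass's Argon2 adds a memory parameter on top of the iteration count, which this example does not model).

```python
import hashlib
import os
import time

# Two work-factor profiles for two vaults (constructed values, not any product's defaults).
DAILY_PROFILE = {"iterations": 100_000}   # opened many times a day: must stay snappy
COLD_PROFILE = {"iterations": 2_000_000}  # opened a few times a year: can afford seconds


def derive_vault_key(password: str, salt: bytes, profile: dict, dklen: int = 32) -> bytes:
    """Stretch the master password into a vault key with the profile's work factor.
    Same password + salt + profile always yields the same key; a different
    profile yields a different key, so the cost is bound into the vault itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               profile["iterations"], dklen)


def time_unlock(password: str, profile: dict) -> float:
    """Seconds one unlock attempt costs on this machine with the given profile."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    derive_vault_key(password, salt, profile)
    return time.perf_counter() - t0


def calibrate_iterations(target_seconds: float, start: int = 10_000) -> int:
    """Double the iteration count until one unlock takes at least target_seconds.
    This is the knob the comment describes: choose the work factor from the
    unlock delay you are willing to pay, not from a fixed number."""
    n = start
    while time_unlock("calibration-only", {"iterations": n}) < target_seconds:
        n *= 2
    return n


if __name__ == "__main__":
    # Illustrative targets: a quarter second for the daily vault, two seconds for the cold one.
    daily = calibrate_iterations(0.25)
    cold = calibrate_iterations(2.0)
    print("daily vault: %d iterations, cold vault: %d iterations (%.0fx)" % (daily, cold, cold / daily))
```

Because the two vaults use separate credentials, the slower profile only ever costs you on the rare cold-vault unlock, while an attacker who somehow obtained the encrypted cold vault pays that cost on every guess.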


ahhhhhhhhhhh!

Wow, this might be the answer to a question that's been bugging me for a while!

It didn't seem right to keep all of my TOTP secrets isolated on one easily lost/stolen/broken device (phone), so when I realized KeePass supported generating TOTP codes I moved all my TOTP secrets into my password database (which is synced around all my devices) then deleted the single-purpose authenticator app as unnecessary.

But then it didn't seem right to have all of my TOTP secrets live in my normal vault with my credentials since that loses the "second factor". Nor did it seem like it would help to make a separate database for TOTP secrets and sync it around too - still no second factor, plus added friction to open both databases on every login.

But as you say, I could keep TOTP secrets in two places - in an authenticator app on my phone with no syncing for daily use (keeps the two-factorness cause it's on a single device, and is low friction cause it piggybacks on the security of my phone and doesn't require a separate login) AND in a TOTP specific password database that's synced around but opened only rarely (in the cases you described).

Thanks for the hint about tuning hashing rounds; didn't know that could be configurable! Looks like KeePass supports that too; I'll look into that.


I use iCloud Keychain because I use a Mac, iPad, and iPhone.

I use Authy with Face ID protecting the entire app on my phone. I don't use the Desktop app because it won't use Touch ID, meaning I have to type in a long master password.

I don't see an attack as likely to happen (I own no Bitcoin, not a billionaire, not in charge of anyone else's secrets) but if there was a flaw that let somebody access the passwords on my Mac or iPhone, they'd still need the 2FA codes from my phone. I think that's more likely to happen on the Mac because I do have apps downloaded from somewhere else besides Apple's App Store.

My guess is that most of the people who worked on Authy have fallen by the wayside after the Twilio acquisition. It's annoying every time I have to search the boxes on my phone or the list on my watch: can't we please have alphabetization?


I had the same problem and didn't want to keep all of my eggs in the same basket, plus I lost faith in these backup apps after Google Auth lost user codes at some point.

I decided to create a private backup which I control and so I built a client-side web app that encrypts QR codes (like 2FA codes). It was inspired by a similar CLI based project I saw here on HN. I still use Authy (for now) but now I have encrypted images that I can decrypt and rescan easily. And since they're just images I saved them in various places and even printed out copies should I lose my phone or Authy access.

To 'migrate' my codes out of Authy I just went through each site and regenerated the codes (plus encrypted them). It's annoying that they force you to do this but doesn't take too long.

I'm still polishing it up but it works well and I would love some feedback if there's anyone who finds it useful - https://encrypt-qr-codes.netlify.app/


> not sure how I feel about passwords and totp being in the same app

I felt the same way and I've come to realize that it is not a big deal. One advantage is that with a shared password manager account, you can also share the TOTP along with it. Very convenient for a bunch of usecases.


Is it really multifactor then, with everything in Bitwarden?


The way I see it, your password manager becomes the central point of failure. Therefore, secure your password manager with a hardware security key (yubi). Not all accounts stored in a password manager are created equal... some need more security than others. If there are accounts that you want additional 2FA security on, just use a separate TOTP app. It doesn't have to be an all or none option.


The second factor is not meant or designed to save you against a compromised PC or phone (your session or cookies could probably be more easily stolen even with the second factor on another device). Many people have passwords and TOTP on the same phone too. The second factor is meant more to verify that you are really you to a web site and safeguard your account on that web site.


Aegis & KeepassXC. KeepassXC could do it all alone and separate TOTPs under a separate database secured to a different password if you please.


I've moved over to Proton Pass (you can do TOTP on the desktop through a browser, I figured if I'm authenticating into a site I must have internet) but KeepassXC was a strong contender. Both have excellent mobile support and Keepass has native desktop clients.

Proton Pass isn't free, though, but I already had their services.


Happy to hear you've switched to our password manager! Just to clarify, you can use Proton Pass for free too: https://proton.me/pass/free.


I use Bitwarden, but have moved as many 2FA/MFA accounts to Passkeys as possible to avoid needing MFA.


It does feel bad, but your password manager is already protected by MFA, right?

It does mean you're putting a lot of trust in your password manager, but on the other hand, you already kind of were, weren't you?


I use Raivo for TOTP on iOS. It is open source and makes it easy to migrate to another app


I used to use it, but the author refuses to publish a desktop app. I actually was able to install the iOS app on my desktop, but if I ever remove it, it is gone forever because he revoked it from the App Store. He only wants you to use the desktop receiver.

It is also buggy af and doesn't sync properly. He's pretty much not doing any more updates of the app either.

That experience pushed me off it forever.

Edit: The app has been acquired by a third party. I'd move off it.

https://www.reddit.com/r/privacy/comments/158ihxd/raivo_auth...


What should I replace it with? Any recommendations for a functionally equivalent cross-device 2FA app?


I migrated to 2FAS, which is open source, free and has a nice UI. Used Authy for ages and just switched. Recommended…

https://2fas.com/


But it also only has mobile apps. Authy is only killing the desktop app, not the mobile ones - at least not yet.

What does 2FAS give, genuinely curious in case I'm missing something..


There's a browser extension: https://2fas.com/browser-extension/.


It still requires you to reach your phone.


How was the migration?


Password Store works fine for me: https://www.passwordstore.org/

https://github.com/tadfisher/pass-otp

Others have also said Bitwarden isn't too bad: https://bitwarden.com/


> https://github.com/tadfisher/pass-otp

Seconded. The jerk maintainer needs to cut a release though. And maybe port it to something other than bash.


Don't be too harsh on him, he's doing his best :D

(Seriously though, thank you, it's been incredibly useful so far!)


I see other replies also recommending password managers

Why would I store my second authentication factor alongside the first? Aren't we effectively now back to 1FA?


I'd say password managers are a (slightly weaker) form of 2FA by design: it's something you have (a device with your password database installed) plus something you know (if using a master password) or something you are (if using biometrics).

Adding TOTP on top of that helps guard a bit more against some kinds of attacks. You can make it even stronger by not storing those keys in the same place and only using your phone, for example, but for some people (myself included) it's one bit too inconvenient. The good thing about using TOTP for 2FA is that you can find your own balance between convenience and security.


I just tried adding to KeePassXC - worked well, generates the same OTPs.


1Password


KeePass databases with KeepassXC. I like to use Strongbox on macOS/iOS though (still save to Keepass databases so I don't have to depend on Strongbox).


The easiest thing to do is set up a 2FA mule.


Aegis 2FA



