undefined | Better HN

story

0 pointsAdmiralAsshat9y ago0 comments

>So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

You're required to set a password on your Authy database before you can start adding tokens to it. So when I transferred my Authy database to a new phone (had to send in the old one for a replacement), I had to confirm the password before it would sync to the new device. Authy also bugs you about once a month to confirm your password phrase to make sure you don't forget it.

Additionally, you can set a PIN that Authy will prompt you for any time you try to open the app. I have that set, as well, so that even if someone should get past my lockscreen, they can't reach my 2FA tokens without another PIN.

0 comments

twr9y ago

> You're required to set a password on your Authy database before you can start adding tokens to it.

That's not true. Passwords in Authy are for backup, which is optional. Backup synchronizes offline TOTP secrets between paired devices. Only the offline TOTP secret is encrypted; the token name is not.

"Authy Account" secrets, the ones created by the Authy API, used by Coinbase, Cloudflare, et cetera, are always stored remotely, and can be restored without-password to anyone with possession of your phone number and email account.

I wrote about this a little over here:

https://news.ycombinator.com/item?id=12603380