undefined | Better HN

0 pointsncann5y ago0 comments

+1 for Authy. Just get a used cheap Android phone for like $30 and use it as the backup device for Authy and never fear about losing your 2FA device again.

0 comments

4 comments · 2 top-level

lukeschlather5y ago· 2 in thread

Does Authy actually offer 2FA? It sounds like the security boils down to your encryption passcode used to encrypt the 2FA secret, so you aren't actually using 2FA at the end of the day.

For personal use it probably is a good compromise for services which don't implement 2FA properly (that is to say, services that don't allow you to register multiple 2FA devices.) But realistically you might want to just disable 2FA and rely on your password manager.

ncannOP5y ago

> Does Authy actually offer 2FA

I'm not sure what you meant by this, Authy certainly provides TOTP, and the encryption password is only used when you need to sync the 2FA secret to other devices, which by the way also requires confirmation using SMS to your phone number as well.

lukeschlather5y ago

I usually take 2FA to mean that you have to use two of (something you have, something you know, or something you are.) If the "2FA secret" (TOTP secret?) is stored on multiple devices it doesn't actually prove ownership of "something you have" it's effectively no different from a password stored within a password manager which is considered simply "something you know." So basically the TOTP secret is a second password with some obfuscation that protects the password. But software running on one of your devices could easily steal the secret.

It does seem like this is somewhat more secure, in some sense, but it weakens the security that TOTP is intended to provide.

1 more reply

mavhc5y ago

Or just copy your TOTP codes to a second device without going via the internet.

I'm annoyed Google Authenticator makes it so easy to transfer accounts to a new phone, how will you know if someone's cloned your TOTP private key while you were sleeping?

j / k navigate · click thread line to collapse