They intentionally make it really hard to migrate your data off their app under the premise of "security". Now, they are EOL'ing desktop apps, which are extremely convenient to use, despite the terrible UX.
The process for exporting is doable, but requires fairly deep technical knowledge and it isn't 100% clean. In order to do so, you need that desktop app and a specific version at that.
Important point out of that reddit Bitwarden thread:
If you migrate to another app and then delete your authy account, you risk having 2FA removed for some integrated accounts if they're set up to directly use the Authy backend. Twitch in some cases was pointed out.
Twitch refused to return me access to one of my accounts for this exact reason (the account that had subscriptions on it was returned, the one without was not).
In case anyone is looking for a desktop app to replace Authy, the authy-migration tool from token2 supports exporting TOTP seeds in WinAuth compatible format (use .wa.txt for export file name). Then in WinAuth (https://winauth.github.io/winauth/index.html) , just import that file.
I have a rooted Android phone and with a simple su and cp I copied the Authy XML to another folder which you can import into the app Aegis directly (from there you can export further if you don't like Aegis). I'm currently looking at Ente Auth because it's end2end encrypted and also provides a web UI for viewing the codes. Or I use another Keepass file.
I used this and it worked very well. Not perfectly.
Because Authy doesn't have icons for a lot of services, I stored info as twitter:username, google:username, etc. The script dropped the service name on about 10 of those, just showing the username.
I "imported" the list of QR codes into 2FAS by using my iPhone's camera. Where there wasn't a service, it would say "Service 1", "Service 2", etc.
I then went back through with 2FAS on one device and Authy on another, matching the "Service 1" to "Bubble", for example, because the TOTP codes were the same.
The one service that didn't seem to transfer was Facebook, which I have in Authy but didn't show up in the QR code list.
Several codes in Authy were duplicates, meaning that service:username was the same. 2FAS asked if I wanted to overwrite them. #1, I don't think Authy should allow the same string more than once and #2, again, a simple alphabetization would make maintaining and using Authy more agreeable.
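The matching step above (lining up "Service 1", "Service 2", ... against the labelled entries because their TOTP codes are identical) can be scripted instead of eyeballed across two phones. The following is an added example, not code from the commenter or from 2FAS or Authy; it assumes both exports have been decoded into standard `otpauth://totp/...` URIs (the contents of the exported QR codes), and the sample URIs and seeds below are constructed (one is the RFC 6238 test secret, the rest are made up). It implements RFC 6238 TOTP from the standard library, compares three consecutive codes rather than one so that two unrelated seeds cannot accidentally "match", and also flags labels that appear more than once in an export, the duplicate situation described in the comment.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/LABEL?secret=...&digits=...&period=... URI into its fields."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError(f"not a TOTP otpauth URI: {uri}")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP code for one time-step counter (HOTP per RFC 4226 underneath)."""
    # Exported Base32 seeds are frequently lower-case and unpadded; normalise before decoding.
    s = secret_b32.upper().rstrip("=")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_fingerprint(entry, now, steps=3):
    """Codes for `steps` consecutive time steps starting at `now`. Comparing three six-digit
    codes instead of one makes an accidental match between two different seeds negligible."""
    c0 = int(now) // entry["period"]
    return tuple(totp(entry["secret"], c0 + i, entry["digits"], entry["algorithm"]) for i in range(steps))


def match_by_codes(labeled_uris, unlabeled_uris, now=None):
    """For each unlabeled entry ("Service 1", ...) list the labeled entries producing the same codes.
    An empty list means nothing in the labeled export generates those codes (a seed that did not
    come across, like the Facebook entry mentioned in the thread)."""
    now = time.time() if now is None else now
    by_fp = {}
    for uri in labeled_uris:
        e = parse_otpauth(uri)
        by_fp.setdefault(code_fingerprint(e, now), []).append(e["label"])
    result = {}
    for uri in unlabeled_uris:
        e = parse_otpauth(uri)
        result[e["label"]] = by_fp.get(code_fingerprint(e, now), [])
    return result


def find_duplicate_labels(uris):
    """Labels (service:username) that occur more than once within a single export."""
    seen = {}
    for uri in uris:
        label = parse_otpauth(uri)["label"]
        seen[label] = seen.get(label, 0) + 1
    return sorted(label for label, n in seen.items() if n > 1)


# Constructed sample exports (assumed format; seeds are the RFC 6238 test secret and made-up
# values, not anyone's real credentials). In practice these come from decoding the exported QR codes.
LABELED = [
    "otpauth://totp/twitter:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "otpauth://totp/google:alice?secret=JBSWY3DPEHPK3PXP",
    "otpauth://totp/google:alice?secret=ORSXG5A",   # same label enrolled twice
]
UNLABELED = [
    "otpauth://totp/Service%201?secret=JBSWY3DPEHPK3PXP",
    "otpauth://totp/Service%202?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "otpauth://totp/Service%203?secret=MFRGGZDFMZTWQ2LK",   # no counterpart in LABELED
]

if __name__ == "__main__":
    for svc, labels in match_by_codes(LABELED, UNLABELED).items():
        print(svc, "->", labels or "NO MATCH (seed missing from labeled export)")
    print("duplicate labels:", find_duplicate_labels(LABELED))
```

Because the comparison is done on derived codes rather than on the seeds themselves, the same approach works when one side only shows you codes (for instance an app that will not export): type in three consecutive codes from it and compare them against `code_fingerprint` of each candidate seed at the same timestamps.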
And they try to lock you into their own ecosystem. If you use SendGrid, it requires an Authy-specific 2FA code that can only be generated in their app.
I installed Authy on a rooted phone just to yoink the SendGrid token out and put it in our usual shared authentication service. Such a pain in the ass. I would highly recommend against SendGrid in basically all circumstances fwiw.
Yes, and, if you create a SendGrid account and therefore an Authy account, this may immediately enroll other accounts of yours on entirely unrelated websites/services/platforms into Authy, presumably by correlating your phone number. (Even if the email address is different!) This includes big sites like Twitch, and also includes sites where you had selected the "only allow 2FA via security keys" option. Of course some of the blame here probably falls on those platforms, but both the fact that this is possible and the fact that Twilio encourages these patterns are reprehensible.
> I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.
I guess this depends on your threat model. In what cases would your password vault be compromised, but your TOTP vault still be secure?
If someone gets access to your unlocked PC/phone, don't they then have access to both? Do you store your TOTP vault password in your password vault (obvious)?
If someone gets into your password vault, why wouldn't the same mechanism also let them get into your TOTP vault? (This applies whether it's brute force, keylogger, hardware exploit, or $5 wrench.)
I had the same problem and didn't want to keep all of my eggs in the same basket, plus I lost faith in these backup apps after Google Auth lost user codes at some point.
I decided to create a private backup which I control and so I built a client-side web app that encrypts QR codes (like 2FA codes). It was inspired by a similar CLI based project I saw here on HN. I still use Authy (for now) but now I have encrypted images that I can decrypt and rescan easily. And since they're just images I saved them in various places and even printed out copies should I lose my phone or Authy access.
To 'migrate' my codes out of Authy I just went through each site and regenerated the codes (plus encrypted them). It's annoying that they force you to do this but doesn't take too long.
I'm still polishing it up but it works well and I would love some feedback if there's anyone who finds it useful - https://encrypt-qr-codes.netlify.app/
> not sure how I feel about passwords and totp being in the same app
I felt the same way and I've come to realize that it is not a big deal. One advantage is that with a shared password manager account, you can also share the TOTP along with it. Very convenient for a bunch of use cases.
I've moved over to Proton Pass (you can do TOTP on the desktop through a browser, I figured if I'm authenticating into a site I must have internet) but KeepassXC was a strong contender. Both have excellent mobile support and Keepass has native desktop clients.
Proton Pass isn't free, though, but I already had their services.
KeePass databases with KeepassXC. I like to use Strongbox on macOS/iOS though (still save to Keepass databases though so I don't have to depend on Strongbox).
Getting a user to install software on a desktop is probably one of the hardest things for a company to ask for in 2024. It's wild that you would have built up a userbase of ... tens of thousands? ... of technically knowledgeable people who want your product, get them to install and rely on your product on their actual 2024 desktop computer where they do actual work, then have some decision makers determine "ok time to pull the plug" and you actually follow through with that. It's just incomprehensible.
I agree, seems short-sighted - they could have even just started charging a bit for it to keep it alive if necessary.
No surprise though, after a fantastic start, Twilio has turned into a sh*t company, unfortunately - I was a very early adopter of many of their tools and services, and one by one, they have all gone downhill.
They should have sold the company while it still had a decent reputation, at this rate there will be nothing of worth left.
The downside to this is that you're tied into Apple's ecosystem. The nice thing about Authy was that I had the same access on Android, iOS, Windows, Mac, and Linux.
I regret immensely that I ever endorsed or recommended Authy.
My experience witnessing the regression and functional decline of this app over the years has utterly wrecked my opinion of Twilio. Although I still have a couple of operational Twilio integrations, I no longer have any desire to use any of their products or services ever again.
Maybe not the only reason, but this was definitely one of the main reasons I used Authy. Over time, the product has been getting progressively worse... When I first started using it there was a Chrome App you could install which was great because it could work on "corporate" machines where I wasn't able to install the desktop app. That went away a long time ago, but at least we had the desktop app on Windows, Mac, Linux. Although, at some point Authy was only available on Linux if using Snap, which ruled it out for me (although there is an unofficial Flatpak now). So now they are getting rid of all desktop apps which will be the end of my Authy journey and this will also be the last Twilio product I use, since I've had recent bad experiences with some of their other products.
That's fair. I should say, it was my main reason for using Authy as there wasn't anything else out there that could do synced mobile and desktop easily for free.
Interestingly, due to how Apple has developed its app ecosystem, it looks like you can still have it on a Mac Apple silicon desktop if you install it via the app store.
> Note: The iOS app will still be available to download on M1/M2 powered Apple Mac devices.
It does work, but it's not first-class support. You have to enable alternative touch settings if you want to do the "drag to the left to delete a token".
https://support.authy.com/hc/en-us/articles/1260805179070-Ex...
https://www.reddit.com/r/Bitwarden/comments/116kpvf/export_a...
I stopped using it ages ago because of these reasons, this should be your heads up to do the same.
Once they got bought out & forced their poorly implemented 2fa with mobile phone requirements, I had no choice but to find different providers.
I also use bitwarden, but not sure how I feel about passwords and totp being in the same app.
It does mean you're putting a lot of trust in your password manager, but on the other hand, you already kind of were, weren't you?
https://2fas.com/
https://github.com/tadfisher/pass-otp
Others have also said Bitwarden isn't too bad: https://bitwarden.com/
I switched to them after my phone died and I saw how hard accessing my accounts was without a backup OTP device.
Really? What do people use desktops for then? Why doesn't everyone just use phones and Chromebooks?
There's no point in buying a desktop if you aren't going to run software on it.
If you have an ARM Mac you can install the Authy iPad app and use it just like the Desktop app.
If you want to have a desktop backup but aren't ready to migrate yet, this is a fantastic stop-gap solution.
[0] https://news.ycombinator.com/item?id=39360950
https://support.apple.com/guide/iphone/automatically-fill-in...
https://support.apple.com/en-us/102430
> Note: The iOS app will also be available to download on M1/M2 powered Apple Mac devices.
https://support.authy.com/hc/en-us/articles/17592416719003-A...