
I've used the Authy mobile app for a while for OTP tokens, but have the backup/syncing turned off. I noticed that they have a desktop app, which would be a lot more convenient most of the time, but I'm wondering if there has been any security research into their implementation and if this is a good idea or not.

It looks like in order to use the desktop app you have to enable Authy's syncing between devices. This seems exactly the same as a password manager - the OTP seed syncs between devices, encrypted with a master password, the same as my randomly generated 1Password passwords. And I would likely store the Authy master password in 1Password anyway so I don't have to remember a new secure password.

So my question is, is this worth using or would it be about the same to just turn off 2FA since it's approximately the same data model and no longer an independent second factor?

  • The smartphone is no real independent factor anyway. If you sync the second factor - which in fact is the OTP seed - first to a global provider and then to your desktop, I would not call it a "factor of possession" anymore. Thus everything boils down to your good password, which you hopefully have not synced...
    – cornelinux
    Commented Sep 8, 2016 at 10:44

2 Answers


Full disclosure, I'm a Solutions Architect for Authy and am pretty familiar with our product. :)

First off, absolutely DO NOT turn off 2FA! The real use-case you're preventing with 2FA is someone compromising the website's database and running off with the login/password combination. Always use 2FA!

With 2FA enabled, you are also notified that someone is trying to login and you can subsequently deny them access. If you turn off 2FA, you 1) won't be notified and 2) won't be able to deny them access.

Regarding your syncing concerns, let me reassure you that we've thought about a lot of these issues and have a solid technical solution.

First off, syncing is opt-in (as you've noticed). Secondly, the Authy OTP seeds between each of these devices ARE DIFFERENT. Here is a side-by-side image of the Authy Desktop app and the Authy iPhone app. Notice the values are different!

[Image: Authy Desktop and Authy iPhone apps use different seeds]

Google Authenticator seeds which are stored in Authy will be the same as they have only a single seed value which needs to be stored and shared. This is a limitation of the Google Authenticator approach. These seed values are encrypted via your backup password.

If your phone is lost or stolen, you can disable that device's access via any of your other devices.

[Image: Removing devices with the Authy Desktop and Authy iPhone apps]

For more information on the security around Authy's multi-device support, check out this Q/A exchange: Authy - is my backup secured by only my password or 2FA as well

Hope this helps! Let me know if you have any more questions.

Cheers, - Josh @ Authy

p.s. I use 1Password as well and use a pretty gnarly password for backup & sync.

  • As always, we really appreciate the full disclosure!
    – schroeder
    Commented Sep 12, 2016 at 22:10
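The answer above distinguishes two cases: Google Authenticator-style tokens, where a single seed "needs to be stored and shared" between synced devices, and Authy's own tokens, where each device holds a different seed. The following is an added example (not Authy's code, and it says nothing about how Authy derives or encrypts anything) showing why that distinction matters: a standard RFC 6238 TOTP code is fully determined by the seed and the clock, so every copy of a shared seed, on a phone, a desktop or in a backup, produces the identical code, while per-device seeds produce independent codes. The `RFC6238_SEED` value is the published RFC 6238 Appendix B test seed so the output can be checked against the RFC; the two device inventories are constructed for the demo and are not real enrollments.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed-width decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    Nothing but the seed and the time goes in, so any holder of the seed
    (a second device, a backup, an attacker) computes the same code."""
    return hotp(seed, unix_time // step, digits)


def codes_on_devices(seeds_by_device: dict, unix_time: int) -> dict:
    """Code each device in the inventory would display at the same instant."""
    return {device: totp(seed, unix_time)
            for device, seed in seeds_by_device.items()}


def all_codes_identical(seeds_by_device: dict, unix_time: int) -> bool:
    """True when the devices are indistinguishable to the verifier."""
    return len(set(codes_on_devices(seeds_by_device, unix_time).values())) == 1


# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890").
RFC6238_SEED = b"12345678901234567890"

# Constructed inventory: a site enrolled as a plain TOTP token, so the one
# seed it issued is copied verbatim to every synced device.
SHARED_SEED_DEVICES = {
    "phone": RFC6238_SEED,
    "desktop": RFC6238_SEED,
}

# Constructed inventory for the other case: each device holds its own seed
# (the seed values are made up for the demo).
PER_DEVICE_SEEDS = {
    "phone": b"phone-seed-demo-0001",
    "desktop": b"desktop-seed-demo-01",
}


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 test times
    print("shared seed: ", codes_on_devices(SHARED_SEED_DEVICES, t))
    print("per-device:  ", codes_on_devices(PER_DEVICE_SEEDS, t))
    print("shared identical:", all_codes_identical(SHARED_SEED_DEVICES, t))
```

With the shared seed both "devices" print the RFC's expected `081804` at that instant, which is exactly the situation cornelinux's comment describes: once the seed lives wherever the password-protected backup does, the code proves knowledge of the seed, not possession of a particular phone. Revoking a lost device helps only in the per-device-seed case, because with a shared seed there is nothing device-specific to revoke; the seed itself has to be rotated at the site.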

As cornelinux notes, this is not a true second factor.

However, it is close enough for most people's use cases and definitely much more secure than relying on password alone.

In order to set up Authy in the first place you need a "second factor" verified by phone call/SMS, which is not a true second factor either. However, again, close enough for most use cases.

Any attacker gaining access to your Authy password would need to intercept the phone/SMS authentication as well, therefore I would say it adds significant security over password alone.
