Took a while, but this commenter is finally correct:
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
I use Authy _because_ it provides cloud sync. At the time, Google Authenticator didn't have it, and when I had to change phones it was a real hassle. Imagine if the phone had been stolen, no way to access the account normally to get a new QR, you'd have to "recover" every account.
I have been transferring Google Authenticator from phone to phone for years though? Going back to at least 2016, and that was 8 years ago. In 2020 I copied it from Android to iOS even by doing an export I had no idea was there.
The entire use case for Authy is the cloud backup and syncing across devices. If you don’t want that, use any of the other free and more open 2FA apps.
Then make it an independent email+password thing, so in case of a leak, something as critical and personal as a phone number doesn't get involved in the stolen data.
(I know the irony of this in particular being Authy, but nevertheless phone numbers should NOT be risked to be exposed anyhow)
Twilio has an incentive to make "the spirit of 2FA" worse, because SMS-only is how they make money. Either OTP 2FA will be more complicated and adopted less, or they'll own the entire space, like in Sendgrid's case.
Not to go too off-topic, but that post from 2015 has a response from 2019, how is that even possible? I thought HN auto locked posts after x number of days / years.
I don't want to go through the trouble of creating a throwaway to test it, but having worked in webdev long enough makes me believe it's possible that restriction is only on the frontend and some well-placed curl may sidestep it.
I guess so, but who would force it for a dead thread, that the person you're responding to will never see? Maybe they're using a completely custom HN client tbh.
Facebook regularly shows me "posted 2 hrs ago" posts with comments from 22hrs ago. Lemmy changes the "posted X ago" timestamp when somebody edits their own post. Everyone seems to do something annoying with timestamps.
You can't pick and choose "Not a real scotsman" since 99% of users will be on bigcorp 2FA that does it in most ass-backwards way possible. 2FA as mobile apps locked to hardware is not going to go away without 2FA being replaced by something else.
> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.
> This is not in the spirit of 2FA.
https://news.ycombinator.com/item?id=9100560