Don't Use Authy

tl;dr: Authy is a fuck and keeps you from exporting your TOTP tokens to move to a different provider. It’s also closed source and has a checkered past when it comes to security. Do not use Authy - I recommend 2FAS instead.

Consider donating to support 2FAS’s continued development.

Backstory

I started using Authy in 2018 or 2019 when it was one of the few alternatives to the ubiquitous Google Authenticator. It also came with the ability to back up your TOTP tokens to the cloud - a feature Google Authenticator lacked at the time.

Authy is a closed-source MFA app that was acquired by Twilio in 2015. Since then, I think it’s safe to say Authy hasn’t really been a major part of Twilio’s “core offering.” Twilio bills itself as a “cloud communications company” that “provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.”

Another useful feature Authy had was a desktop app, if you preferred that. As it turns out, that desktop app would end up being pretty critical. More on that later.

My MFA authenticator app is not something I spend a great deal of time thinking about. It’s a necessary evil these days, and working in tech means you end up with a lot of TOTP codes on your phone. So the days went on, and over the next four years or so I quietly accumulated more and more tokens in Authy.

Security concerns

I did start thinking about my authenticator app again in June 2024, when Twilio reported a breach that exposed Authy user phone numbers to threat actors. Digging a little further, I found out there had also been a breach in 2022 that allowed attackers to add new devices to Authy accounts. These kinds of breaches point to a lack of basic security controls, and I was about ready to jump ship at this point.

I waited, though, because I’m lazy and the authenticator app I use doesn’t affect my daily life that much.

Fuck Authy

Over the 2024 holiday break - after Twilio rolled out and then proceeded to do-nothing-the-fuck-about an extremely shitty app redesign - I finally started looking into leaving Authy. Imagine my surprise when I learned that, in March 2024, Twilio shut down the last known method to export TOTP codes from Authy: the desktop app.

Some enterprising users had previously figured out a way to back up their TOTP tokens from Authy using that app. There is simply no other way to move your tokens from Authy to another app - and Twilio does not give a fuck about that. They suggest you just go reset all of your MFA codes like an asshole.

This led to much swearing as I began the tedious process of pruning unused accounts and listing out the 30+ accounts I would need to reset in order to get out of this dogshit app.

Alternatives

I spent a bit of time looking around for MFA app alternatives. Google Authenticator seemed like the obvious choice - it now backs up to your Google account and (shocker!) allows you to export your keys to another app. I didn’t like that it was closed-source, though, so that option was out.

Aegis is another highly recommended option, but it has some downsides - like the lack of an “open” backup/export format.

I also considered just using my password manager, since many of them support TOTP these days. But that always struck me as kind of wrong - if your passwords and your TOTP codes are stored on the same device, doesn’t that kind of defeat the purpose?

Finally, I settled on 2FAS. It hit all the right notes for me:

  • The UI is nice - it even shows you the next code when the timer is about to expire, which is excellent.
  • Supports dark mode (Authy got rid of this because fuck you, that’s why).
  • Open-source.
  • Easy export/import.
  • Encrypted local backup with optional Google Drive sync (no proprietary cloud nonsense).

Conclusion

Now it’s April 2025, and I’ve finally finished the process of getting out of Authy. I deleted that fucking app from my phone this morning - and good riddance.

The software and apps you decide to use for your personal privacy and security do, in fact, matter. Whenever you’re evaluating what app to use for critical security functions - like MFA - always consider whether or not it’s easy to get your data out if you need to. Today we’re spoiled for choice, with multiple providers and open-source options for day-to-day apps like authenticators - so make an informed decision!

But please - don’t use fucking Authy.