Advice Request: Authy/Google 2FA - A privacy nightmare?


Predrag Radjenovic (thread author)
Hey guys,

As I was reading around about password management apps, and was deciding which one to use, I started digging a bit deeper.
After being interested in Dashlane, LastPass, etc. I found out about Bitwarden here on MT. A great concept, open source, nice features... I bought premium, more to donate for keeping up with the open-source/free concept than for the features, but nvm.
Anyway, I wanted to secure it with 2FA, so I started looking around - everybody recommends Authy on the basis of being "better" than the others - when I say everybody, I mean people who reviewed the app(s), or used/are using it, etc. One of the arguments caught my eye - better than Google's "spy" 2FA.
Ok, we all know what Google is all about, no point arguing there. As for Authy, they are more open about what they want from you - straight from their privacy policy (the SHORT version):

When you use our app we collect:
  • Your phone number, device type, and email address.
  • If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
  • We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
  • We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
  • Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, and your primary device type, but not any other websites or programs for which you use Authy.
  • We also share your data with our third party service providers as necessary for them to provide their services to us. We may also have to share your data with third parties if required to do so by law.
  • Your data will be transferred to the U.S.

All this under pretense of providing a better service and in case I need to recover my account?

So, what do you guys think, how could one retain at least a semblance of privacy on the internet? And don't you dare mention TOR after this! There's more about it, just use the search...

Thanks,
Predrag
 
ForgottenSeer 58943


Authy and Google TFA are rubbish.

Use andOTP on F-Droid, I don't even believe it requires ANY app permissions, and you can make a local backup of your recovery keys just in case!

andOTP | F-Droid - Free and Open Source Android App Repository
 

Electr0n
I use Microsoft Authenticator; last time I checked, its privacy policy isn't that bad.
The key thing about privacy is that if you think that some data is very very confidential for you, don't upload it on the internet. Using a password manager for numerous website and forum passwords is good, but it shouldn't contain anything sensitive like bank passwords etc. Because where the internet is concerned, anything can go wrong. Privacy is hard to find nowadays.
 

Predrag Radjenovic (thread author)
Quoting ForgottenSeer 58943: "Use andOTP on F-Droid, I don't even believe it requires ANY app permissions, and you can make a local backup of your recovery keys just in case!"

Nice one, thanks for the suggestion!



Quoting Electr0n: "The key thing about privacy is that if you think that some data is very very confidential for you, don't upload it on the internet. [...] Privacy is hard to find nowadays."

I agree, it is hard to find. On the other hand, this is not just about the data that you have a choice about whether you upload or not. Take fingerprints for example - every device tied to every account has its corresponding fingerprint - we don't have to have implants and chips in our skin, we carry them voluntarily. And they are more convenient for us to use than passwords and PINs, they are more secure, but there's always a catch, no? It's all about trading a bit more of your privacy for a (false?) sense of security, as the late George Carlin would say.

edit: grammar
 

Electr0n
Quoting Predrag Radjenovic: "[...] they are more secure, but there's always a catch, no? It's all about trading a bit more of your privacy for a (false?) sense of security, as the late George Carlin would say."

I don't think it's a false sense of security; the question is who it is you're asking for protection from. Fingerprint scanners and other security measures on smartphones have definitely made the lives of thieves a bit harder, but of course when the govt is concerned, then having a smartphone is a bad idea in the first place. As you can see, the alphabet soup agencies don't always need a vendor's assistance to break into a device. A sophisticated system's sophistication is its major weakness. So using complex tech to evade govt surveillance isn't much of a great solution.

Then come the ad agencies like Google and FB. Now this is an unfortunate case of living with the vices of society. Whenever a company grows, it grows the power to change society. Now the general users don't bother with things like "privacy"; the only thing they want is "free". Now when the majority of society does something, that becomes the norm. If we look around our friends and family, you will see most use a Gmail and FB account and aren't bothered at all that the ad agencies are profiling them. To most of them the internet is termed "Google bing". They aren't bothered by targeted ads; rather, they prefer them. Now that such things have become a norm, you can't expect to find privacy in consumer products, specifically in "free" products.
 

Danielx64
I don't use anything on my phone, I just use WinAuth on my desktop blocked at the firewall. Yes I know it is a little annoying but at least I know that I can have 2FA while feeling safe.

Also there is one handy thing I like about this desktop app:

[screenshot attached]
 

Marko :)
Quoting ForgottenSeer 58943: "Use andOTP on F-Droid, I don't even believe it requires ANY app permissions, and you can make a local backup of your recovery keys just in case!"
Thank you! I didn't know that 3rd party apps can be used for verification of other accounts. Until now, I had two apps for authentication, Microsoft's for my Microsoft account and Google's for my Google account. From now on, I'm using Google's for both accounts. :D

I'm using Google Authenticator because it's simple and easy to use. It doesn't ask for a lot of permissions; camera access for scanning QR codes and some other non-important permissions.

[screenshot attached]
 

Atlas147
I use google authenticator, but I've always had this fear that if I lose my phone I'll lose all the 2FA codes as well, how am I to get back into my accounts then!
 

AlanOstaszewski
If you like using Google Authenticator, you can get the open-source version that Google offers on their GitHub profile. So I don't think of anything here. I'm using FreeOTP.

Quoting Atlas147: "I've always had this fear that if I lose my phone I'll lose all the 2FA codes as well, how am I to get back into my accounts then!"
It's the wrong approach. The generation of these codes should not depend on other accounts I think.
 

Ink (Administrator, Staff Member)
After reading this: Authy by default will not protect you if a hacker gains access to your phone number (r/Bitcoin). You can set up a block (prevent SIM number swaps) with your cell / mobile service provider.
If you do wish to use Authy, check their blogs for some security tips:
Understanding 2FA, the Authy App, and SMS - Authy
  • Install the Authy app on more than one device (i.e. phone and desktop)
  • Disable multi-device
  • Backup password

Microsoft Authenticator is a reasonable alternative to Google Authenticator, but it provides no cloud or backup features. It does, however, make logging into Outlook a breeze.
Microsoft Authenticator app help and support

From reddit comments:
Security Advisory: Mobile Phones

Recommendation:
  1. Conduct your own research
  2. Factor in the Pros and Cons.
  3. Compromise.
  4. Use what works best for you.
 
ForgottenSeer 58943

Quoting Atlas147: "I've always had this fear that if I lose my phone I'll lose all the 2FA codes as well, how am I to get back into my accounts then!"

With andOTP you can create an encrypted backup of your authenticators to an encrypted file, then copy it off your device or store it in an encrypted cloud drive. One of the benefits of andOTP is virtually no permissions, and the capability to back up the primary authentication code pairing so that if you lose the device you can re-install andOTP on a new device and you are back in business.
 

Atlas147
Quoting ForgottenSeer 58943: "With andOTP you can create an encrypted backup of your authenticators to an encrypted file [...] so that if you lose the device you can re-install andOTP on a new device and you are back in business."
Unfortunately only for android and I am an iOS user :cry:
 

Thales
I deleted my Authy app and I use KeePassXC's built-in TOTP feature.
If you are a Bitwarden premium user you can do the same.
Convenient, and no need for another 2FA app.
[two screenshots attached]
 

LoLs
WinAuth for Windows & andOTP for Android

It takes time but it's worth it. I use this to export TOTP tokens from Authy. Copied them all to txt files.

Then I use WinAuth (Portable open-source Authenticator for Windows) Download - WinAuth
Add them one by one, and also validate and check to make sure it generates the same code as Authy.
Then download and use andOTP for Android and just scan the QR code for each token from WinAuth.
Delete each token from Authy (it will be deleted after 48 hours).
All done



Thanks for all the above posts and @ForgottenSeer 58943 for mentioning andOTP.
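What makes Marko's discovery (any authenticator app works for any account), AlanOstaszewski's point (code generation should not depend on another account) and LoLs' migration check (the re-imported token must produce the same code as Authy) all true is that the apps in this thread implement one open standard, TOTP (RFC 6238): the code is an HMAC of the shared secret over the current 30-second time step, so any app holding the same secret computes the same code with no vendor account, phone number or network access involved. The example below is added for illustration and is not code from the thread or from any of the apps named; it parses the otpauth:// URI that a setup QR code encodes, generates codes, and verifies a code shown by a second app within a one-step clock-skew window. EXAMPLE_URI, its Bitwarden label and the helper names are constructed for this example; the secret in it is the RFC 4226/6238 reference key, not a real account secret.

```python
"""TOTP (RFC 6238) from first principles: parse an otpauth:// URI, generate
codes, and check a code from a second app against a +/-1 step window."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def b32decode_loose(secret: str) -> bytes:
    """Decode the base32 secret as apps display it: spaces, dashes,
    lowercase and missing '=' padding are all tolerated."""
    s = secret.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that a setup QR code encodes; this is
    the format Google Authenticator, andOTP, FreeOTP, WinAuth and KeePassXC
    all import, which is why one app can hold tokens for every account."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate to
    31 bits, reduce mod 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: int = None, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). Nothing here
    depends on a vendor account, a phone number or network access."""
    if at is None:
        at = int(time.time())
    return hotp(b32decode_loose(secret), at // period, digits, algorithm)


def totp_from_uri(uri: str, at: int = None) -> str:
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


def verify_totp(secret: str, code: str, at: int = None, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Accept the code for the current step or any step within +/-window
    (tolerates clock skew between two devices), comparing in constant time.
    This is the check to run when migrating a token: the code the old app
    shows must verify against the secret you re-imported into the new one."""
    if at is None:
        at = int(time.time())
    key = b32decode_loose(secret)
    step = at // period
    return any(
        hmac.compare_digest(hotp(key, step + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


# Constructed example of what a "set up authenticator app" QR code might
# encode. The secret is the RFC 4226/6238 reference key (ASCII
# "12345678901234567890" in base32), not a real account secret.
EXAMPLE_URI = ("otpauth://totp/Bitwarden:user%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Bitwarden&digits=8")


def rfc_self_test() -> bool:
    """RFC 6238 Appendix B vectors (SHA-1, 8 digits): if these pass, the
    generator agrees with every compliant app for any secret."""
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    vectors = {59: "94287082", 1111111109: "07081804", 1234567890: "89005924"}
    return all(totp(secret, at, digits=8) == code for at, code in vectors.items())


if __name__ == "__main__":
    print("RFC 6238 vectors:", "ok" if rfc_self_test() else "FAIL")
    p = parse_otpauth(EXAMPLE_URI)
    print(f"{p['issuer']} / {p['label']}: {totp_from_uri(EXAMPLE_URI)}")
```

Two things worth noticing when you run it: the code depends only on the secret and the clock, so a device with the clock a minute off produces a "wrong" code even though the secret is right (hence the skew window on the verifier side, and why a mismatch during a migration usually means bad time sync, not a bad import); and the secret inside the otpauth URI is the whole credential, which is why an exported token list or an authenticator backup deserves the same protection as the password vault itself.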
 
