g-simpleton So, I created a new user profile, and installed Play & Google Services via (Graphene) Apps. Installing Authy in this user via Play (Aurora is not installed in this profile), I now get the error "The device does not meet the minimum integrity requirements".

Can reproduce this. It occurs when you are entering your phone number at the setup wizard and press "Submit". My current install of Authy in the Owner profile does not complain about this. If you are already running Authy, do not uninstall it. Use it to sign in to your existing accounts, then set up TOTP with a new MFA service. Ente sometimes gets recommended here, also Aegis.

I will be writing to Authy about this. And also to the well-known ex-podcaster Michael Bazzell, who is recommending users in his books to use Authy along with GrapheneOS, so he can get the opportunity to warn his readers early.

I'm so glad I migrated out from Authy to Aegis. Authy still works, but I installed it a long time ago from Aurora; it shows last updated Jul 3, 2024. I will uninstall it soon. Currently in a cooling-off stage: 30 days before my Authy account gets permanently deleted.

If you're interested, here is how I exported Authy to Aegis, as Authy doesn't support secrets export.

  • So, I used my old rooted phone where I installed both apps. Aegis then can grab/import (using root access) the secrets from Authy.
  • Exported and moved them to my GrapheneOS.
  • Destroyed the temp Authy device account and cleaned the "transitional" phone.
  • Submitted account deletion from https://authy.com/account/delete/.
  • Done. No longer a hostage of such providers. Lesson learned.

    g-simpleton
    If you have configured accounts backup and haven't disabled "allow multi-device", you may get a chance to obtain a copy of your secrets on another "normie" phone.

    To be fair, people might have a genuine need to use this app, even if they don't want to be stuck inside Twilio's grasp.

    I wanted to move to a different provider ages ago, but laziness made me postpone it until I had to do it today to avoid account lockouts.

    After having done that, I experimented with downloading previous versions of Authy by using Aurora Store – the idea being that if they worked, they could be verified as legitimate packages using AppVerifier from Accrescent to compare them against the version installed from Play Store. Unfortunately none of the previous versions that could be downloaded was able to proceed any further. So my (uneducated) guess is that checks are being done server side, and not simply in the app.

    I imagine using a rooted phone would also trigger their integrity checks – although it's probably possible to bypass that somehow, I don't know. It doesn't seem like a practical (or secure) approach for most users to do.

    Unless Twilio listens to us and implements attestation for GrapheneOS, for people who are now locked out of their accounts I can't see another viable approach than to either borrow someone else's phone or flash back to stock OS, then re-register the MFA codes for all your accounts with a more reliable provider (Ente has publicly praised GrapheneOS) or one that just supports offline backups. Unless your employer mandates that you use this app. Then I guess you'll have to flash back to stock and keep using it while you wait for Twilio to reply, or get a second phone.

    Do their desktop apps still function? Or is that also a dead end here?

    This is just silly. Shaking my head as to why I didn't predict this would happen.

    Edit: had to get past their birdbrained AI chat bot (apologies to any Twilio employee who might take offense) and found out that I needed to authenticate with MFA using a different phone number than the primary one registered to my account, in order to chat with a human. I don't think they have email? I have written a text that I will send them when I can sign in again.


    You have to use an older phone with the genuine OS and Magisk with spoofing if you want to export your seeds from Authy.
    I tried it a while back and it worked. After that I could import those into Aegis Authenticator, then delete my Authy account.

    Rooting is dangerous so make sure you reset your old device to factory state afterwards.

    Just came to say that if you're in need of a MFA app that can handle multiple devices simultaneously, unlike Aegis, you can use a KeePassDX/KeePassXC + Nextcloud/Trusted Cloud Service setup.

    You have to manually copy and paste the TOTP seed when creating a new entry instead of scanning a QR code, but that's a minor inconvenience.

    Authy is terrible because they hide the seeds from the user, which makes leaving the service difficult. For me, I could switch to Aegis or whatever from KeePass in a few minutes if I wanted to. KeePassXC even has a feature to show the seed as a QR code that you can scan.
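    The portability point made in the posts above (KeePassXC, Aegis and Ente can exchange seeds, while Authy hides them) comes down to the fact that a TOTP code is a pure function of the seed and the current time (RFC 6238, HMAC-based). The following is an added example, not code from any poster or from Aegis/KeePassXC/Authy: it parses an otpauth://totp/ URI of the kind encoded in the QR codes those apps show, decodes the base32 seed the way a user would copy it out of KeePassXC (spaces, lowercase, no padding), and generates/verifies codes. The sample URI is constructed here; its secret is the RFC 6238 test key ("12345678901234567890" in base32), so the codes at the RFC's test timestamps are known values. The label/issuer ("Example", "alice@example.com") are made up for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: the secret is the RFC 6238 Appendix B test key
# ("12345678901234567890") in base32; the label and issuer are hypothetical.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com?secret="
    + RFC6238_SECRET_B32 + "&issuer=Example&digits=8&period=30"
)


def decode_base32_secret(secret: str) -> bytes:
    """Decode a seed as a user would paste it: spaces, lowercase and missing padding tolerated."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # base64.b32decode insists on padding to a multiple of 8
    return base64.b32decode(s)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth://totp/<label>?secret=...&issuer=... form used in authenticator QR codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    issuer = q.get("issuer")
    if issuer is None and ":" in label:  # older URIs carry the issuer only as a label prefix
        issuer = label.split(":", 1)[0]
    return {
        "label": label,
        "issuer": issuer,
        "secret": decode_base32_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def totp_from_uri(uri: str, unix_time: int) -> str:
    p = parse_otpauth_uri(uri)
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6, period: int = 30,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock skew.
    The comparison is constant-time so a verifier cannot leak digits through timing."""
    counter = unix_time // period
    for step in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + step, digits, algorithm), code):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth_uri(EXAMPLE_URI)
    print("issuer:", p["issuer"], "label:", p["label"])
    print("RFC 6238 vector at t=59:", totp_from_uri(EXAMPLE_URI, 59))
    print("code right now:", totp_from_uri(EXAMPLE_URI, int(time.time())))
```

    Any app that holds the same base32 seed produces identical codes, which is why moving from Aegis to KeePassXC (or back) is a copy of the seed rather than a re-enrolment, and why a provider that never lets you see the seed forces you to re-register every account when you leave.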

      Just received a reply from Twilio support:

      Thanks for your patience.

      I've received confirmation from our internal Technical Team that GrapheneOS doesn't meet the security requirements for the Authy app to work properly, and this is why it doesn't support it. We're sincerely sorry about that.

      We advise using a mobile device with Android or iOS compatible with our app.

      Once more, please accept our apologies for the created inconveniences.

      Best regards,

      [redacted name]

      Twilio Support

      And yes, among other things I explained, I did explain to them that GrapheneOS is an Android based OS...

      Sbpr Just came to say that if you're in need of a MFA app that can handle multiple devices simultaneously, unlike Aegis, you can use a KeePassDX/KeePassXC + Nextcloud/Trusted Cloud Service setup.

      I don't understand what KeePassDX is needed for here that Aegis can't also do. Aegis can also do multi device by syncing database files...

      Basically different folks have different preferences. You can even store TOTP codes on a security key if that is what you want. Just choose something that is less likely to lock you out from your MFA codes. Of course, that's an easy thing to say. Navigating the app landscape can be difficult for people, and convenience is usually a factor for most people. I posted this thread in the community chat rooms and fortunately it doesn't seem like many people in this community use, or used, Authy.

      I'm not going to go into a further argument with Authy support on this; I don't have the energy, and I'm honestly not hopeful that my opinion will have an effect at this point, other than going back and forth with Tier 1 support, who have already been given a clear conclusion from the development team for Authy. I don't want to end this on a grim note, however. By all means, if you are using Authy, send them a ticket and ask them to open up for GrapheneOS. If more people do that, there might be a chance they'll consider it! I don't think there are many users who have reached out to them, so it's quite expected that they are not willing to consider it at this point.

      I got this response from Twilio support

      Our latest version of the Authy application includes important security improvements designed to protect your data and strengthen the protection of your tokens. According to the details you've provided, your device may not comply with the minimum requirements to run Authy; please follow the suggestions below and try registering it again:

      1. Verify your Android version: Ensure you're using an official version of Android provided and maintained by your device manufacturer. Third party distributions are not supported.
      2. Confirm your device is not rooted: If your device has been unlocked or rooted, unfortunately, you will not be able to use Authy.
      3. Update the Google Play Store: Make sure you have the latest version of Google Play Store. Follow the instructions in How to Update the Play Store & Apps on Android to keep it up to date.
      4. Download Authy from the official Google Play Store: Only download the official Authy application from the Google Play Store. APKs from third-party sources may not function properly.
      5. Ensure you have the latest version of Google Play Services: Verify that Google Play Services is installed and updated on your device. Refer to Keep your device & apps working with Google Play Services for more information.

      If the error persists, we kindly ask you to wait 12 hours before attempting to register Authy once more, and share your device details, like manufacturer and software version with us.

      Keep in mind that we no longer support Authy Desktop, if you're trying to register Authy on a Desktop device, please use an Android or iOS device to do so.

      Additionally, after checking the specifications of the phone that can be found in the web portal [link to Unplugged's website removed by moderator], unfortunately the phone is not supported to use Authy. If you check the following article, you are going to see that the supported operating systems we have for Authy are Android and iOS.

      I said in my ticket that I was using a Pixel with GrapheneOS, an OS modified from Android. I gave all the information they asked for in the initial ticket. I also linked to the attestation guide. I don't even know where they got Unplugged from.

      I'm going to respond that I meet all their requirements besides alternative OS and following the attestation guide will allow them to support GrapheneOS.

        QuietEngineer That's likely a response by Tier 1 support who are going through their standard troubleshooting steps before forwarding the ticket to Tier 2/3. Even though these are not relevant here, Tier 1 likely doesn't understand that and are just doing what their supervisors require of them. It's beneficial to reply to each of their questions to avoid more back and forth with them.

        The Unplugged phone is of course completely irrelevant here. Their response "Third party distributions are not supported." is a line they didn't use when replying to me. Although GrapheneOS is not supported – as in they are not going to offer GrapheneOS users assistance with troubleshooting issues – that's not relevant to the fact that they are blocking alternate OSs completely, including a secure OS. According to the Play Store entry, they are allowing devices with Android 5 – which stopped receiving security updates 8 years ago – to use the Authy app. Security-wise, that of course doesn't make sense.

        I have no idea how to help you. Sorry. Maybe login on a desktop and then export your keys?

        I've switched to Ente Auth myself. It's like Authy except FOSS and actually works.

          wuseman Maybe login on a desktop and then export your keys?

          I think Authy Desktop doesn't support secrets export either. Also, Authy discontinued desktop support in the last couple of months.

            Oggyo
            There are ways to export it from the desktop. GitHub has several programs for this.

              wuseman
              Yeah, I assume some ways do exist. I used such already. I meant the Authy Desktop app, not 3rd party apps. I read your advice on "login on a desktop" as using the desktop version of the app.

              And again, I'm not sure if the Authy Desktop app can sync the data from your mobile app, as the desktop platform has already been discontinued.
              Anyway, I described my method of migrating above. But it may be irrelevant now, given the recent changes.

              A follow-up reply from Twilio support regarding the ticket I filed (now closed):

              Thank you for your kind reply, clarification and understanding. We understand GrapheneOS is an Android based OS; however, as you correctly mentioned, the Authy app will only work on a Google-certified OS. We're sincerely sorry about that.

              You don't have an Android device that you can install Authy on to restore your account? Then individually log into each one of those accounts and reset 2FA, this time importing into Aegis. I left 'these people' (Authy) probably 5 years ago. They are as competent as a box of rocks AFAIC.

              matchboxbananasynergy

              You should absolutely get in contact with them and complain.

              I just did this, and was forced to register a Twilio account before being allowed to contact Twilio/Authy Support.

              I've abandoned Authy for Aegis.