Authy support has forwarded my suggestion of implementing attestation for GrapheneOS to the Authy developers.
authy - device does not meet integrity requirement
[deleted]
You have to use an older phone with the genuine OS and Magisk with spoofing if you want to export your seeds from authy.
I tried it a while back and it worked. After that I could import those into Aegis Authenticator and then delete my Authy account.
Rooting is dangerous so make sure you reset your old device to factory state afterwards.
Just came to say that if you're in need of a MFA app that can handle multiple devices simultaneously, unlike Aegis, you can use a KeePassDX/KeePassXC + Nextcloud/Trusted Cloud Service setup.
You have to manually copy and paste the TOTP seed when creating a new entry instead of scanning a QR code, but that's a minor inconvenience.
Authy is terrible because they hide the seeds from the user, which makes leaving the service difficult. For me, I could switch to Aegis or whatever from KeePass in a few minutes if I wanted to. KeePassXC even has a "show the seed as a QR code" feature that you can scan.
Just received a reply from Twilio support:
Thanks for your patience.
I've received confirmation from our internal Technical Team that GrapheneOS doesn't meet the security requirements for the Authy app to work properly, and this is why it doesn't support it. We're sincerely sorry about that.
We advise using a mobile device with Android or iOS compatible with our app.
Once more, please accept our apologies for the created inconveniences.
Best regards,
[redacted name]
Twilio Support
And yes, among other things I explained, I did explain to them that GrapheneOS is an Android-based OS...
Sbpr Just came to say that if you're in need of a MFA app that can handle multiple devices simultaneously, unlike Aegis, you can use a KeePassDX/KeePassXC + Nextcloud/Trusted Cloud Service setup.
I don't understand what KeePassDX is needed for here that Aegis can't also do. Aegis can also do multi device by syncing database files...
Basically different folks have different preferences. You can even store TOTP codes on a security key if that is what you want. Just choose something that is less likely to lock you out from your MFA codes. Of course, that's an easy thing to say. Navigating the app landscape for people can be difficult, and convenience is usually a factor for most people. I posted this thread in the community chat rooms and fortunately it doesn't seem like many people in this community use, or used, Authy.
I'm not going to go into a further argument with Authy support on this, I don't have the energy, and I'm honestly not hopeful that my opinion will have an effect at this point, other than going back and forth with Tier 1 support who has already been given a clear conclusion from the development team for Authy. I don't want to end this on a grim note, however. By all means, if you are using Authy, send them a ticket and ask for them to open up for GrapheneOS. If more people do that, there might be a chance they'll consider it! I don't think there are many users who have reached out to them so it's quite expected that they are not willing to consider it at this point.
I got this response from Twilio support:
Our latest version of the Authy application includes important security improvements designed to protect your data and strengthen the protection of your tokens. According to the details you've provided, your device may not comply with the minimum requirements to run Authy; please follow the suggestions below and try registering it again:
- Verify your Android version: Ensure you're using an official version of Android provided and maintained by your device manufacturer. Third-party distributions are not supported.
- Confirm your device is not rooted: If your device has been unlocked or rooted, unfortunately, you will not be able to use Authy.
- Update the Google Play Store: Make sure you have the latest version of Google Play Store. Follow the instructions in How to Update the Play Store & Apps on Android to keep it up to date.
- Download Authy from the official Google Play Store: Only download the official Authy application from the Google Play Store. APKs from third-party sources may not function properly.
- Ensure you have the latest version of Google Play Services: Verify that Google Play Services is installed and updated on your device. Refer to Keep your device & apps working with Google Play Services for more information.
If the error persists, we kindly ask you to wait 12 hours before attempting to register Authy once more, and share your device details, like manufacturer and software version with us.
Keep in mind that we no longer support Authy Desktop, if you're trying to register Authy on a Desktop device, please use an Android or iOS device to do so.
Additionally, after checking the specifications of the phone that can be found in the web portal [link to Unplugged's website removed by moderator], unfortunately the phone is not supported to use Authy. If you check the following article, you are going to see that the supported operating systems we have for Authy are Android and iOS.
I said in my ticket that I was using a Pixel with GrapheneOS, an OS modified from Android. I gave all the information they asked for in the initial ticket. I also linked to the attestation guide. I don't even know where they got Unplugged from.
I'm going to respond that I meet all their requirements besides alternative OS and following the attestation guide will allow them to support GrapheneOS.
QuietEngineer That's likely a response by Tier 1 support who are going through their standard troubleshooting steps before forwarding the ticket to Tier 2/3. Even though these are not relevant here, Tier 1 likely doesn't understand that and is just doing what their supervisors require of them. It's beneficial to reply to each of their questions to avoid more back and forth with them.
The Unplugged phone is of course completely irrelevant here. Their response "Third party distributions are not supported." is a line they didn't use when replying to me. Although GrapheneOS is not supported – as in they are not going to offer GrapheneOS users assistance with troubleshooting issues – that's not relevant to the fact that they are blocking alternate OSs completely, including a secure OS. According to the Play Store entry, they are allowing devices with Android 5 – which stopped receiving security updates 8 years ago – to use the Authy app. Security-wise, that of course doesn't make sense.
I have no idea how to help you. Sorry. Maybe login on a desktop and then export your keys?
I've switched to Ente Auth myself. It's like Authy except FOSS and actually works.
wuseman Yeah, I assume some ways do exist. I have used such already. I meant the Authy Desktop app, not 3rd-party apps. I read your advice on "login on a desktop" as using the desktop version of the app.
And again, not sure if the Authy Desktop app can sync the data from your mobile app as the desktop platform has already been discontinued.
Anyway, I described my method of migrating above. But it may be irrelevant now, since the recent changes.
A follow-up reply from Twilio support regarding the ticket I filed (now closed):
Thank you for your kind reply, clarification and understanding. We understand GrapheneOS is an Android-based OS; however, as you correctly mentioned, the Authy app will only work on a Google-certified OS. We're sincerely sorry about that.
You don't have an Android device that you can install Authy on to restore your account? Then individually log into each one of those accounts and reset 2FA, this time importing into Aegis. I left 'these people' (Authy) probably 5 years ago. They are as competent as a box of rocks AFAIC.
Just use https://getaegis.app/; it is more secure (https://discuss.privacyguides.net/t/security-and-privacy-failures-in-popular-2fa-apps/18220) than any other authenticator out there.
Using Authy adds more attack vectors for GrapheneOS users: https://www.androidauthority.com/authy-2fa-api-hack-3457429/
You should absolutely get in contact with them and complain.
I just did this, and was forced to register a Twilio account before being allowed to contact Twilio/Authy Support.
I've abandoned Authy for Aegis.
horde It's missing the point of the article, though. It's not about Authy, though I imagine some people are forced to use it by their work environment etc.
The larger issue here is apps doing this in general, not any one app in particular. Play Integrity itself needs to change or be regulated out of existence.
[deleted]
matchboxbananasynergy Is the GrapheneOS team optimistic about the future regarding Play Integrity?
You may find this post on Mastodon helpful:
https://grapheneos.social/@GrapheneOS/112878070618462132
By the way, there is also a discussion that is about the topic you asked about:
https://discuss.grapheneos.org/d/14585-action-against-google