Basically different folks have different preferences. You can even store TOTP codes on a security key if that is what you want. Just choose something that is less likely to lock you out from your MFA codes. Of course, that's an easy thing to say. Navigating the app landscape for people can be difficult, and convenience is usually a factor for most people. I posted this thread in the community chat rooms and fortunately it doesn't seem like many people in this community use, or used, Authy.

I'm not going to go into a further argument with Authy support on this, I don't have the energy, and I'm honestly not hopeful that my opinion will have an effect at this point, other than going back and forth with Tier 1 support who has already been given a clear conclusion from the development team for Authy. I don't want to end this on a grim note, however. By all means, if you are using Authy, send them a ticket and ask for them to open up for GrapheneOS. If more people do that, there might be a chance they'll consider it! I don't think there are many users who have reached out to them so it's quite expected that they are not willing to consider it at this point.

I got this response from Twilio support:

Our latest version of the Authy application includes important security improvements designed to protect your data and strengthen the protection of your tokens. According to the details you've provided, your device may not comply with the minimum requirements to run Authy; please follow the suggestions below and try registering it again:

  1. Verify your Android version: Ensure you're using an official version of Android provided and maintained by your device manufacturer. Third party distributions are not supported.
  2. Confirm your device is not rooted: If your device has been unlocked or rooted, unfortunately, you will not be able to use Authy.
  3. Update the Google Play Store: Make sure you have the latest version of Google Play Store. Follow the instructions in How to Update the Play Store & Apps on Android to keep it up to date.
  4. Download Authy from the official Google Play Store: Only download the official Authy application from the Google Play Store. APKs from third-party sources may not function properly.
  5. Ensure you have the latest version of Google Play Services: Verify that Google Play Services is installed and updated on your device. Refer to Keep your device & apps working with Google Play Services for more information.

If the error persists, we kindly ask you to wait 12 hours before attempting to register Authy once more, and share your device details, like manufacturer and software version with us.

Keep in mind that we no longer support Authy Desktop, if you're trying to register Authy on a Desktop device, please use an Android or iOS device to do so.

Additionally, after checking the specifications of the phone that can be found in the web portal [link to Unplugged's website removed by moderator], unfortunately the phone is not supported to use Authy. If you check the following article, you are going to see that the supported operating systems we have for Authy are Android and iOS.

I said in my ticket that I was using a Pixel with GrapheneOS, an OS modified from Android. I gave all the information they asked for in the initial ticket. I also linked to the attestation guide. I don't even know where they got Unplugged from.

I'm going to respond that I meet all their requirements besides alternative OS and following the attestation guide will allow them to support GrapheneOS.

    QuietEngineer That's likely a response by Tier 1 support who are going through their standard troubleshooting steps before forwarding the ticket to Tier 2/3. Even though these are not relevant here, Tier 1 likely doesn't understand that and are just doing what their supervisors require of them. It's beneficial to reply to each of their questions to avoid more back and forth with them.

    The Unplugged phone is of course completely irrelevant here. Their response "Third party distributions are not supported." is a line they didn't use when replying to me. Although GrapheneOS is not supported – as in they are not going to offer GrapheneOS users assistance with troubleshooting issues – that's not relevant to the fact that they are blocking alternate OSs completely, including a secure OS. According to the Play Store entry, they are allowing devices with Android 5 – which stopped receiving security updates 8 years ago – to use the Authy app. Security-wise, that of course doesn't make sense.

    I have no idea how to help you. Sorry. Maybe login on a desktop and then export your keys?

    I've switched to Ente Auth myself. It's like Authy except FOSS and actually works.

      wuseman Maybe login on a desktop and then export your keys?

      I think Authy Desktop doesn't support secrets export either. Also, Authy discontinued the desktop OS support in the last couple of months.

        Oggyo
        There are ways to export it from the desktop. GitHub has several programs for this.

          wuseman
          Yeah, I assume some ways do exist. I used such already. I meant the Authy Desktop app, not 3rd party apps. I read your advice on "login on a desktop" as using the desktop version of the app.

          And again, not sure if the Authy Desktop app can sync the data from your mobile app as the desktop platform has already been discontinued.
          Anyway, I described my method of migrating above. But it may no longer be relevant since the recent changes.

          A follow-up reply from Twilio support regarding the ticket I filed (now closed):

          Thank you for your kind reply, clarification and understanding. We understand GrapheneOS is an Android-based OS; however, as you correctly mentioned, the Authy app will only work on a Google-certified OS. We're sincerely sorry about that.

          You don't have an Android device that you can install Authy on to restore your account? Then individually log into each one of those accounts, and reset 2FA, this time importing into Aegis. I left 'these people' (Authy) probably 5 years ago. They are as competent as a box of rocks AFAIC.

          matchboxbananasynergy

          You should absolutely get in contact with them and complain.

          I just did this, and was forced to register a Twilio account before being allowed to contact Twilio/Authy Support.

          I've abandoned Authy for Aegis.

          Oggyo

          I used my old rooted phone where I installed both apps.

          I don't have an old rooted phone. I just went account by account, remove old TOTP, add new TOTP in Aegis. Took some time but I'll never have to do it again as Aegis has proper import/export functionality.

          horde It's missing the point of the article, though. It's not about Authy, though I imagine some people are forced to use it by their work environment etc.

          The larger issue here is apps doing this in general, not any one app in particular. Play Integrity itself needs to change or be regulated out of existence.

            a month later

            I have another potential workaround that worked for me. I set up Authy in an Android emulator called Genymotion. It is naturally rooted (I had already installed Authy a while back, so I don't know if it can be installed now - but I will check on that when I am ready to delete Authy, and try to reinstall it). Within the emulator, I installed Aegis and imported the Authy codes. From there I exported to any app of choice like Ente, or keep with Aegis. However, once on Ente, it can sync to your other devices right from the emulator.

            The emulator is good to have on your PC as another way to access the synced codes without needing your phone (since many of these apps are only mobile apps and not web based or work on PCs).

              de0u

              "I suspect Authy (which recently experienced a breach)..."

              🤣🤣🤣🤣🤣🤣

              12 days later

              csrcsr But how did you get the Authy codes to import them to Aegis? I only had Authy on desktop version