
mazz0

macrumors 68040
Mar 23, 2011
3,140
3,584
Leeds, UK
The Windows App requires Windows Hello. Windows Hello requires that you are physically on the device and auto disables over RDP.
Ah, OK, I didn’t know that was a limitation of the Windows app.
And for Android and Linux? I also use Firefox on all of my computers and devices.
True, it’s not a solution for Linux or Android.

I’d say those are all pretty niche use-cases though. Not many people who use Macs will also be reliant on Windows over RDP, Linux or even Android. I wouldn’t be surprised if the Windows app means iCloud works on >99% of the computers Mac users use. But yeah, obviously you guys need a 3rd party cross platform solution.
 

Westside guy

macrumors 603
Oct 15, 2003
6,344
4,161
The soggy side of the Pacific NW
If you’re talking about the notes in macOS Keychain I’m not aware this was possible.

Or are you talking about the password protected notes in the Notes app? Or the encrypted notes section at the bottom of each iCloud Keychain password card?
I'm talking about the secure notes in the keychain. I thought they'd finally added that ability to iOS, but apparently I was mistaken. I just went and did a test... nope, it's still not possible. Man, talk about second-rate!

I relied on Keychain for many years - from its earliest days, long before it became "iCloud Keychain". Eventually the limitations got too frustrating, so in mid-2020 I bit the bullet and moved everything over to Bitwarden. Let me tell you, it was a pain in the neck to migrate! But, in the end, VERY MUCH WORTH IT.
 

CarAnalogy

macrumors 601
Jun 9, 2021
4,257
7,868
OTP on a desktop that contains your passwords is not MFA.

here comes the 'Ackchyually' crowd.

it's better than no 2FA at all.

Alright, elaborate. How is multi-factor authentication not multi-factor authentication just because your 2FA app is accessible from a device that can also access your passwords?

Technically it is two-step rather than two factor.

A factor is a unique category of authentication. Something you know, something you have, something you are, somewhere you are, etc.

Separating the password and the generated OTP code makes it two steps, but they are both “something you know” so it’s not two factors. Technically the fact that you need the app to generate the code makes it “something you have” in the form of an app seeded with the correct key. But if they are both in the same place, it can be a single point of failure.

BUT yes it is better because passwords leak for many reasons, most of which have nothing to do with someone actually having access to your password manager. Leaking the OTP key that’s only good for 30 seconds is a lot harder to do, even intentionally.

So yes, ideally you would have your second factor be something completely different. But having only a password is just asking for trouble.
 

boss.king

macrumors 603
Apr 8, 2009
6,143
6,907
Technically it is two-step rather than two factor.

A factor is a unique category of authentication. Something you know, something you have, something you are, somewhere you are, etc.

Separating the password and the generated OTP code makes it two steps, but they are both “something you know” so it’s not two factors. Technically the fact that you need the app to generate the code makes it “something you have” in the form of an app seeded with the correct key. But if they are both in the same place, it can be a single point of failure.

BUT yes it is better because passwords leak for many reasons, most of which have nothing to do with someone actually having access to your password manager. Leaking the OTP key that’s only good for 30 seconds is a lot harder to do, even intentionally.

So yes, ideally you would have your second factor be something completely different. But having only a password is just asking for trouble.
You said it yourself, “Technically the fact that you need the app to generate the code makes it “something you have” in the form of an app seeded with the correct key.”
 

CarAnalogy

macrumors 601
Jun 9, 2021
4,257
7,868
You said it yourself, “Technically the fact that you need the app to generate the code makes it “something you have” in the form of an app seeded with the correct key.”

Right but it’s not two factors because it’s the same device and both are accessed with “something you know.”

Edit: and to be clear, that key is still just text. You can save that text before feeding it to the OTP app. OTP is really just the website assigning you a second password, but you can’t just give it back that same password directly. The real security comes from the fact that that second password is never directly exposed again (ideally.)

A generous interpretation of Authy’s refusal to support export might be that they are trying to keep it as more of a second factor in that you must possess that app in that configuration.

But any really good systems offer a more secure option anyway, something that truly is two factor like a security key with a read only certificate, which is what Authy is trying to approximate.
 
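Added example, not part of any poster's message: a minimal RFC 6238 TOTP generator illustrating the point above that the OTP key is just text and every code is derived from that text plus the current time. The seed is the constructed RFC 6238 test key, and `copies_agree` is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key, not a real account secret.
SEED_TEXT = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on seed text and time."""
    seed = seed_b32.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)          # restore any stripped Base32 padding
    key = base64.b32decode(seed)
    counter = unix_time // step             # index of the current 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def copies_agree(seed_b32: str, unix_time: int) -> bool:
    """Two holders of the same seed text (e.g. the authenticator app and a
    password-manager entry) compute the same code with no shared state."""
    authenticator_app = totp(seed_b32, unix_time)
    saved_copy = totp(seed_b32.lower(), unix_time)  # same text, re-typed
    return authenticator_app == saved_copy


if __name__ == "__main__":
    for t in (30, 59, 60):
        print(t, totp(SEED_TEXT, t))
    print("copies agree:", copies_agree(SEED_TEXT, 59))
```

A captured code stops working once its 30-second window rolls over, while a captured seed yields every future code, so what matters is where the seed text is stored.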

TJFDenver

macrumors newbie
Jan 17, 2024
27
21
… IKeyChain w/passcode/passkey for the Apple ecosystem + Bitwarden ($10/year) for the non-Apple ecosystem (also serving as a backup should my Apple keychain become compromised) … Bitwarden integration is sweet and simple
 

Obioban

macrumors regular
Oct 19, 2011
240
308
Thanks, however unless I'm misunderstanding then this isn't going to do what I want. "Account Options" only appears once you go into a specific website. I'm hoping to replace Microsoft Authenticator, which I need to use when I open apps like Teams or Remote Desktop (i.e. not websites). Is the Apple one not going to do the trick here?
I don't use them, so don't know if Microsoft is doing something to only allow their apps to work with their authenticator or if they're playing by the standards. I'd try, and see how it goes.
 