Encrypt all the things!

  • No idea if that'll give you anything given I was using it already, but you never know.

  • Cheers. We shall see.

  • same, was looking to move from last pass for a while but needed a push, interface is crap, autofill didn't work half the time, seems like no dev for a few years and the logmein thing wasn't sitting comfortable with me. had been using keepass forever before lastpass a few years ago.

    moved to 1password, family plan and 5 days in no glitches. only thing I miss is attaching photos to entries, you can do it via linked docs, but they didn't transfer & it's slow. useful for passports, credit cards etc.

  • I'm a big fan of 1password as well... company moved from Lastpass too.
    That said, I still use KeePass for things involving banks etc.

  • Big fan of 1password too. So easy to use across devices. Have lastpass at work and haaaate it.

  • I got an email today from Coinbase saying they are dropping support for Authy, (apparently due to concerns about phone porting attacks).

    How would they even know I'm using Authy over, say, Google Authenticator?

  • Fucksake I only just logged in again.

    What do they say they're replacing it with? Presumably their own 2FA system then?

    Also, I don't have this email yet, could it be dodgy?

  • I didn't get anything similar from them, and there's no notice on their site.
    Are you sure it's not a scam? Did you follow any links in the mail?

    Edit - they do say that security keys are preferred over authenticator apps. But there's no notice, I didn't receive a mail, and there's no obvious reason they should know which authenticator you're using anyway.

  • Which is funny because I logged in using TOTP just the other day and had to submit a bunch of personal shit just to access my account. It's like a fucking bank now.

  • It's weird. I didn't click any links, and I googled for news instead. And I found a bunch of stories, but I just noticed all the stories are from 3-4 years ago.

    Hippy just linked to an article on their website which says they support GA and Duo, which is what the email said I should move to.

  • I don't understand how they can support GA but not Authy. Sounds more like a falling out than a technical reason but I'd need to read the articles.

  • I found one article which said they don't like Authy because it's more vulnerable to porting than GA.

    But thinking about it now, I'm pretty sure there's no way they can tell which application was used to generate a token.

    ...aaaand I can still log in with Authy. I'm just going to ignore it.

  • Yeah, I thought they were the same so it seems to be a bit of scare mongering. I still use Authy.

    There's security but there's also convenience and if I lose or break my phone, with Authy I have a backup and don't have to get a tonne of 2FA stuff reset.

  • Coming here for the last pass chat.
    Sounds like 1password might be the ticket. Will check that out.

  • Keepass also really solid. Not as pretty, but very secure.

  • 1Password is my killer app. I genuinely don't know how I'd live without it.

  • That email again...

    I'm really curious how they know I'm using Authy. As far as I'm aware, there's no way they could tell. Maybe during the signup process I indicated that I was using Authy.

    It seems totally bogus though. "We don't support Authy any more because we have concerns about account porting, so we're going to fall back to SMS".

    That makes absolutely no sense at all.

    Attachment: authy_2fa.png

  • Well, either way, I deactivated 2FA then re-enabled it again, and this time Coinbase seems blissfully unaware that I'm using Authy.

  • The seeds for Authy codes are registered on the server, and Authy charges companies for running their TOTP. TOTP is trivial, but Authy thrived on companies being intimidated by the idea of running this in a reliable way, and so companies pay them. The lock-in is huge as for companies to change their system they need to get every customer to update.

    For Coinbase, it's just a lookup on the database for the Authy seeds to know who is still using an Authy 2FA. Once you update it, the seed changes and it's all good.

    NB: Authy uses a 7-digit TOTP, but actually so could all of the others because the length is merely a truncation of the actual value and most people settled on 6-digits as it's complex enough and easy to remember when you have to copy and paste it mentally... Authy merely chose 7-digits as a differentiator. This has actually proven useful because it's enabled companies to run 2 systems through the same UI... 7-digits entered? Check Authy, else 6-digits entered, check the standard TOTP. Normally it's the seed that identifies the TOTP function to use, but Authy made it possible to use the input to identify the function... accidentally giving customers a migration path away from Authy.
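The mechanics described in the post above, as a worked Python example added here (it is not code from the thread, from Authy or from Coinbase): one seed and one HMAC produce a 31-bit value, the 6-, 7- or 8-digit code is just that value truncated, and a verifier can route a submitted code to the right seed table purely by its length. STANDARD_SEED is the ASCII test secret from RFC 4226 / RFC 6238 so the outputs can be checked against the published vectors; AUTHY_SEED is a constructed placeholder standing in for a seed registered with the Authy service; verify_by_length is a hypothetical routing function modelled on the post's description, not any vendor's API.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Constructed seeds for this example. STANDARD_SEED is the RFC 4226 / RFC 6238
# test secret (so outputs match the published vectors); AUTHY_SEED is an
# arbitrary placeholder for a seed the Authy service would hold.
STANDARD_SEED = b"12345678901234567890"
AUTHY_SEED = b"abcdefghijabcdefghij"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit value, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, digits: int = 6, step: int = 30,
                at: Optional[int] = None, window: int = 1) -> bool:
    """Check `submitted` against the current step and `window` steps either side.
    Every candidate is compared in constant time so timing does not reveal
    which step (if any) matched."""
    at = int(time.time()) if at is None else at
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


def verify_by_length(seeds: Dict[str, bytes], submitted: str,
                     at: Optional[int] = None) -> Optional[str]:
    """Hypothetical migration-time router (modelled on the post): 7 digits are
    checked against the Authy-registered seed, 6 digits against the standard
    TOTP seed. Returns the name of the system that accepted the code, or None.
    Anything that is not a plain ASCII digit string is rejected outright."""
    if not submitted or any(ch not in "0123456789" for ch in submitted):
        return None
    if len(submitted) == 7 and "authy" in seeds:
        return "authy" if verify_totp(seeds["authy"], submitted, digits=7, at=at) else None
    if len(submitted) == 6 and "standard" in seeds:
        return "standard" if verify_totp(seeds["standard"], submitted, digits=6, at=at) else None
    return None


def truncation_demo(secret: bytes, at: int) -> Dict[int, str]:
    """Same seed, same time step: the 6-, 7- and 8-digit codes are suffixes
    of one and the same 31-bit value."""
    return {d: totp(secret, digits=d, at=at) for d in (6, 7, 8)}


if __name__ == "__main__":
    # RFC 6238 vector: SHA1, T=59 -> 94287082 (8 digits)
    print(truncation_demo(STANDARD_SEED, at=59))  # {6: '287082', 7: '4287082', 8: '94287082'}
    seeds = {"authy": AUTHY_SEED, "standard": STANDARD_SEED}
    print(verify_by_length(seeds, totp(AUTHY_SEED, digits=7, at=59), at=59))      # authy
    print(verify_by_length(seeds, totp(STANDARD_SEED, digits=6, at=59), at=59))   # standard
```

Running the file shows the point of the "NB": the 6-, 7- and 8-digit codes at one time step are suffixes of the same number, so the digit count carries no security on its own, and a verifier that branches on length is really just choosing which seed table to consult. That branch is only a migration aid; once every user has re-enrolled against the standard seed, the 7-digit path should be removed so a single submission can never be tried against two seed tables.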

  • That's useful to know. Cheers.

  • That's interesting. That explains why the codes from my Authy app changed from 7 digits to 6.

Posted by Velocio (@Velocio)