
Reminder: Google Authenticator not supported

Posted: Tue Nov 07, 2017 11:24 am
by Steve Sokolowski
Hi,

Despite our instructions to use Authy for two-factor authentication, a number of customers have been using Google Authenticator to store their authentication private keys.

The reason we recommend Authy is because it prompts the user for a password at installation time, and the password is used to encrypt the keys and store them on Authy's servers. That way, it is simple to recover the keys after reinstalling Authy by entering the password. There has never been a case of a lost two-factor authentication code reported to us when Authy was used.

Google Authenticator doesn't appear to provide a backup feature, at least by default, so many customers have submitted support tickets after they change phones without manually backing up their keys. This is a reminder that we don't provide support for Google Authenticator, so you'll have to either manually back up your keys, or submit a support ticket to Google for assistance to determine your recovery options.

With two-factor authentication, if you lose your keys, then your account is permanently lost.

Thanks,

-Steve

Re: Reminder: Google Authenticator not supported

Posted: Tue Nov 07, 2017 2:14 pm
by Mrrt
Authy being tied to your phone number is insecure.

No one with any security sense would ever use Authy over Google Authenticator for this reason.

We really shouldn't be promoting poor key management in this industry.

Re: Reminder: Google Authenticator not supported

Posted: Tue Nov 07, 2017 6:20 pm
by Eyedol-X
I think the simple solution here is to include the plain text key with the QR code at the time of configuration and a note that the user is responsible for backing up their key. This way you're not pushing liability on another service such as Authy if there is ever an issue with the key.

Re: Reminder: Google Authenticator not supported

Posted: Tue Nov 07, 2017 6:29 pm
by AppleMiner
Yep, I ended up disabling all the 2FAs that didn't have a recovery key I could print the QR code for and back up in my firebox in the safe in case I lost the main device. Was a good excuse to move some coins around and close off some accounts and exchanges I hadn't used in a while also.

Re: Reminder: Google Authenticator not supported

Posted: Wed Nov 08, 2017 10:05 am
by Eyedol-X
Just an FYI for all:

You can use a QR code reader to translate the QR code graphic into a link and from there you can get your "secret" key to back that up.
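
Added example (not part of the original post, and not code from the site or from either authenticator app): the link a QR reader returns for a TOTP enrollment is an `otpauth://` URI, and this sketch pulls out the fields worth backing up and recomputes a code from them (RFC 6238) so the backup can be checked against the phone before it goes in the safe. The account label and issuer in `SAMPLE_URI` are constructed, and the secret is the RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URI: made-up label/issuer, RFC 6238 test key as the secret.
SAMPLE_URI = ("otpauth://totp/Example%20Pool:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Pool")

def parse_otpauth(uri):
    """Return the fields needed to back up and later restore a TOTP enrollment."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        # Base32 secret; apps often display it in lowercase or with spaces.
        "secret": q["secret"][0].replace(" ", "").upper(),
        "issuer": q.get("issuer", [""])[0],
        # Defaults below are the ones authenticator apps assume when omitted.
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(entry, at):
    """Compute the RFC 6238 code for Unix time `at` from a parsed entry."""
    s = entry["secret"]
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(at) // entry["period"])
    digestmod = getattr(hashlib, entry["algorithm"].lower())
    digest = hmac.new(key, counter, digestmod).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])

if __name__ == "__main__":
    import time
    e = parse_otpauth(SAMPLE_URI)
    # If this matches what the phone shows right now, the backup is usable.
    print(e["label"], e["issuer"], totp(e, time.time()))
```

The secret printed or stored this way is the whole second factor, so the copy needs the same protection as the phone itself.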

Re: Reminder: Google Authenticator not supported

Posted: Wed Nov 08, 2017 6:35 pm
by GregoryGHarding
You realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure.

Re: Reminder: Google Authenticator not supported

Posted: Thu Nov 09, 2017 4:49 pm
by Mrrt
GregoryGHarding wrote: You realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure.
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/

Re: Reminder: Google Authenticator not supported

Posted: Thu Nov 09, 2017 5:20 pm
by GregoryGHarding
Mrrt wrote:
GregoryGHarding wrote: You realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure.
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
Do you even know what you're talking about? Authy does not send any SMS-based 2FA keys.

Re: Reminder: Google Authenticator not supported

Posted: Sat Nov 11, 2017 10:53 am
by Mrrt
GregoryGHarding wrote:
Mrrt wrote:
GregoryGHarding wrote: You realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure.
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
Do you even know what you're talking about? Authy does not send any SMS-based 2FA keys.
I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?

Re: Reminder: Google Authenticator not supported

Posted: Sat Nov 11, 2017 12:36 pm
by GregoryGHarding
Mrrt wrote:
GregoryGHarding wrote:
Mrrt wrote:
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
Do you even know what you're talking about? Authy does not send any SMS-based 2FA keys.
I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?
As I said... you cannot do ANYTHING with SMS confirmation without another master password that's linked to your account.