Google to auto-enroll 150 million user accounts into 2FA

Authy just doesn't have anyone but their own best interests at heart, and the way they handled the breach that led to a ton of industry partners, Datto included, to abandon them revealed their colors. That's why I use Bitwarden instead. I used to use the crap out of Authy too, it's really convenient.
You keep mentioning this with authority, but it's incorrect. It seems (from what I can find) that there was a vulnerability found years ago, but I can't find anything about a breach. And, Datto still uses it. Can't find anything about them dropping it. And certainly not a "ton" of industry partners. The only thing I could find remotely along those lines was Coinbase recommending Google Auth over Authy. But they both work the exact same way, so I'm sure Google coerced them into saying that. And probably your favorite MSM rag, NY Times just last August gave it a rave review. For once, I agree with the NY Times, Authy is great.

I seriously wonder about some of you. No research. Will just listen to anything for your knowledge. And generally just don't have a clue as to what you're talking about. I feel bad for your clients.
 
@pctechforhire


Do you see Authy in that list? Because I sure don't... When just this time last year it was literally the ONLY SUPPORTED OPTION.

If you have a Datto rep, which I'm suspicious that you do at this point... I suggest you call and ask, because I got an ear full over it.

As for NYT... they don't make calls on tech I use. They don't have a clue WTF they're talking about to be honest. But Datto is just one of the vendors I work with that dropped Authy in the last year. So no, there's no news article backing this up, just me changing authenticators in a mad panic. Because yeah, I used Authy too, it's so easy.

Not that it bugged me too much, Bitwarden has served me better. But from what I've been told by those better than I at such things, Authy is a bad idea. Do whatever you want.
 
Authy just doesn't have anyone but their own best interests at heart, and the way they handled the breach that led to a ton of industry partners, Datto included, to abandon them revealed their colors.
Do you have a link for that incident because my Google-fu is failing me?
 
Do you have a link for that incident because my Google-fu is failing me?

As I said in the previous comment there is no news event, it was a huge deal for Datto and they were hurt enough to bend over backwards to get all their partners off their platform in a mad panic. Shortly after Datto divorced Authy, I got similar treatments from Continuum, Solarwinds, and Connectwise as I was subcontracting up a storm back then.

I went from Authy being the MFA tool for everything to nothing in 30 days. I don't recall all the details because it's been over a year now.

What I do remember is my Datto rep being really upset Authy wasn't handling things well.
 
Do you see Authy in that list? Because I sure don't... When just this time last year it was literally the ONLY SUPPORTED OPTION.
That just sounds like an exclusive contract being dropped. Because the QR code generated can be used with any of the listed authentication apps. The only advantage of Authy is the sync between devices. Which I believe LastPass also does. Microsoft and Google don't. I don't know about Duo or if bitwarden does it. Authy's breach would have to be major for me to move on as it would be a major hassle to recreate the codes.
 
Authy? Datto? Time for me to do my homework. My problem is that in my office, or downstairs in my shop I get no cell service. Whenever I access my banking I have to put my phone way upstairs in the window facing the nearest tower and pray. PIA....... Cell service is not so ubiquitous as many providers believe it to be.
 
Authy? Datto? Time for me to do my homework. My problem is that in my office, or downstairs in my shop I get no cell service. Whenever I access my banking I have to put my phone way upstairs in the window facing the nearest tower and pray. PIA....... Cell service is not so ubiquitous as many providers believe it to be.
Authy is an authentication app like Google Authenticator. Its big advantage is that it can sync between multiple devices including a desktop client.

Not really sure how Datto can "drop" Authy because there's nothing Datto does but generate a QR code which can be used by multiple authentication apps. It's possible that Authy sells the code or service that runs the server side for Datto or any other clients. Perhaps there was a problem that caused Datto to break contract.

As for the cell phone. You need a weBoost.
 
As for the cell phone. You need a weBoost.

I've thought about it but not having cell at times is nice and really didn't amount to much since my work number is a Google Voice number that does everything across WiFi on Charter/Spectrum. (I've always been a Wilson fan but it's been awhile since I've compared.)
 

14K out of God-knows how many hundreds of millions of users. Which brings us back to this statement in the article, which directly backs my earlier assertions:

Huntley says that these warnings are normal for individuals such as activists, journalists, government officials, or people that work in national security structures because that's who government-backed entities are targeting.

[Bold emphasis mine]. State-sponsored nefarious actors aren't targeting your average Joe/Jane. There's no desired payoff from doing so. Hence the terms target and targeting; it's not scattershot or "throw out the lines and see who bites" when state-sponsored activity is at play.
 
@Sky-Knight

This is dated TODAY and still mentions Authy. With respect I think you misunderstood something from your rep.

You saw the screenshot, did you see Authy in the list?

This is an old document, that apparently needs better proofreading. Though it is entirely possible that I got bad info from my rep too.

What's even more likely is in the event Authy did have an issue, they've since fixed it. It has been over a year.

Still, I won't use a "free product" to protect my clients. I don't want my passwords easily synced to arbitrary devices. That vault has God level access to all sorts of things, it needs to be a little hard to use.

So, I use Bitwarden, and the TOTP for Bitwarden is built into the Duo Mobile app, because it has a backup in my Google account that can only be accessed via my MFA'd Google Account AND a separate passkey.
 
You saw the screenshot, did you see Authy in the list?

This is an old document, that apparently needs better proofreading. Though it is entirely possible that I got bad info from my rep too.

What's even more likely is in the event Authy did have an issue, they've since fixed it. It has been over a year.

Still, I won't use a "free product" to protect my clients. I don't want my passwords easily synced to arbitrary devices. That vault has God level access to all sorts of things, it needs to be a little hard to use.
Perhaps. I did find this: https://help.datto.com/s/article/KB360037269892

The release notes in June of last year mention removing Authy and replacing it with Duo. Authy does offer a PUSH MFA service as does Duo. Click the pop-up on your phone, no f-ing codes, just like M$, Google, and Facebook do. Perhaps there was an issue with it. It's likely an API. If Authy servers went down that could be a problem. TOTP codes should have been the fallback but if that too is provisioned as an API from Authy/Twilio on Datto's servers it could cause login failures.
 
My problem is that in my office, or downstairs in my shop I get no cell service.
You don't need cell service to generate a TOTP response. TOTP is an IETF open standard (RFC 6238) and (afaik) all authenticator apps support it and the response code can be generated entirely autonomously, with no access to any service outside the device with the app.
 
You saw the screenshot, did you see Authy in the list?
Authy IS Google Authenticator. Just because a website doesn't explicitly list Authy doesn't mean it's not supported. Most websites don't explicitly list Authy as an option because Authy is just an interface for Google Authenticator.
 
Authy IS Google Authenticator. Just because a website doesn't explicitly list Authy doesn't mean it's not supported. Most websites don't explicitly list Authy as an option because Authy is just an interface for Google Authenticator.
I wouldn't say that Authy IS Google Auth. It uses the same protocol, but Authy is definitely not just an interface for Google Auth. But yes, if a site lists "Google Authenticator" as an option, Authy can be used as well as, or instead of, Google Auth.
 
My last comment on the Authy stupidity. All apps that use TOTP are interchangeable with each other. Just because a site lists one or the other, it doesn't mean the others aren't supported. If they list any of the apps, the site supports TOTP. End users may not understand that, but we techies should. It's a personal choice as to what you use. If TOTP has flaws, all the apps have that flaw. Don't use SMS 2FA, and you'll be fine and highly secure to use whatever flavor of TOTP you want, including, and especially, Authy.

Back to the thread topic, this link provides exactly what Google is planning on doing. It's technically not 2FA, but 2-step verification, or 2SV. Similar to 2FA, but not exactly. The link explains it.

And it does do what I suggested before. Once you have authenticated on a device, that device will not need 2SV again. End users won't be overly bothered with it, and they will end up being more secure. So, IMHO, it's a win-win.
