Authy Desktop-App Discontinued - Discussion about alternatives and paranoid Security concerns

You may have heard that Authy Desktop is being discontinued by Twilio (the mobile apps remain).

I’ve found a workflow on GitHub which helps export existing TOTP secrets for use in other applications (e.g. KeePassXC): Export TOTP tokens from Authy · GitHub

In this thread I would like to discuss a bit the security perspective of having everything (user credentials and TOTP) in one application.

Until now I had KeePassXC as my password wallet and used Authy as a second application. I set it up this way because if KeePassXC were hacked, you still wouldn’t have the Authy TOTP codes to log in. It was an additional layer of security for me.

As I use many, many services (as a web and app developer) in my daily work, I prefer to also have a TOTP desktop client to easily copy and paste TOTP codes into login forms.

What do you think about this? Is it recommended to keep such a setup, or is it also safe enough to have everything in KeePassXC?

Which alternatives are there to the Authy desktop app that work on all OSes (Linux, Mac, Windows, Android, iPhone)?

I just have everything in KeePassXC synced to my tablet with Syncthing, where I can access it with KeePassDX. I also have Authy on my tablet, so that’s not an issue.

Oh, and everything has 20+ character randomly-generated passwords.

It depends on your attack scenario.

2FA is called 2FA because it depends on a second factor. If you have the passwords stored next to the tokens, it is, by definition, not two-factor anymore.

So you really should not store the 2FA key next to the passwords on the same device. It is weird that there even was a desktop application.
Someone with access to your kdbx file typically also has access to the Authy database file, so all is lost anyway.

That being said, I also store the 2FA keys in the KeePassXC database: first for convenience, so that the browser plugin can fill in the token automatically, and second because my attack scenario is not someone copying and decrypting my database file but the massive number of insecure databases which store my account credentials.
If one loses access to the passwords, it’s not as bad because the login is secured by a second token.

2 Likes

Not really, because Authy had its own PIN you needed to enter.
Sure, it might be easier to brute-force this desktop app if it’s on the (same) PC, but it’s still split into two sections (KeePassXC, Authy) where each of them needs its own password.

And for sure, this PIN should never be in KeePass (else it would be like an iron door with the key below the doormat).

I don’t want to argue the merits of that approach, you decide for yourself.

But I agree with @mithrial that having the authenticator app on the same system is the opposite of 2FA. 2FA is supposed to make it harder to log in illegitimately even if it’s protected by a PIN, because you can still gain access with access to one physical machine, defeating the purpose of splitting the authentication. That is not 2FA, because there aren’t two different things necessary to authenticate.

But you do you and whatever makes you feel better. I’m not going to argue about it.