735
Authy got hacked, and 33 million user phone numbers were stolen
(appleinsider.com)
This is a most excellent place for technology news and articles.
Stop. Trusting. Cloud/SAAS. Security. Apps.
Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.
Don't give them your personal details, they don't care about protecting user anonymity.
Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.
"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.
"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.
There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create ~~honeypots~~ catnip for hackers, and making you pay them for the privilege of being an easy target.
Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.
I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.
A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.
This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)
Who said you shouldn't be able to access your backups remotely?
A lot of tools allow you to set up google drive, drop box, whatever. Yes, this brings you back to cloud, but it's better to have a hacker wonder if some random google drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).
The other (better) option is to have it back up to sftp (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combo any/all of; port knocking, long-password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can't open your storage alone, etc).
Right, I get that and that would 100% be part of the solution, but I'm not going to have my cloud storage protected only by a single factor.
Specifically I've kinda happily landed on Authy's SMS being the 2nd factor in that scenario (and that scenario alone as it's generally one of the worst 2nd factors) because I know I can get my ESIM reprovisioned with a phone call to my provider. Plus Authy won't just give me access with an SMS alone, there are verification steps before they will let me access it, which adds piece of mind given the reduced security of an SMS OTP.
I'm not interested in cobbling together my own "secure" solution, I would happily host something ready to go (seems like bitwarden might be a front runner here), but I'm not going to trust my glue is perfect if I've had to do much more than pull a container and set-up a reverse proxy. I cannot guarantee I have the time to patch vulnerabilities manually, etc.
Whoa there, I never have - and never would - suggest that anything should be protected by a single factor. Where are you getting that?
Authy sucks. It's not just that the TOTP they send you might not be secure (SMS is easily exploited), it's been shown that they're leaking other personal data.
You don't have to cobble anything together. As you say, self-hosted BitWarden is a good option. As for your "glue", you should trust it more than a third party, since you know what went into yours, and its not a massive ~~honeypot~~ treasure trove.
Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.
Syncthing across all of your devices. Use your desktop or other home PC to sync to a secure cloud service using rsync or freefilesync on a schedule. If you know all the words I just said it's like an hour of work, if not it's probably 4-6 (piecemeal, not a block).