I switched from Authy around this time. Awful app and company
Andrew V (talk | contribs)
 
(6 intermediate revisions by 3 users not shown)
Line 12: Line 12:
'''Authy''' is a free mobile app that generates  random six-digit tokens to enable two-factor authentication (2FA) for online services. Authy was acquired by Twilio in 2015.  
'''Authy''' is a free mobile app that generates  random six-digit tokens to enable two-factor authentication (2FA) for online services. Authy was acquired by Twilio in 2015.  


==Consumer-impact summary==
==Consumer impact summary==
{{Ph-C-CIS}}
{{Ph-C-CIS}}


=== User Privacy ===
===User Freedom===
The user account is linked to a mobile phone number
 
==== Inability to export tokens ====
Authy does not allow the user to export their 2FA tokens to another service in order to "maintain security for our users".<ref>{{Cite web |title=Export or Import Tokens in the Authy app Not Supported Objective |url=https://help.twilio.com/articles/19753420684059 |url-status=live |archive-url=https://web.archive.org/web/20260217105416/https://help.twilio.com/articles/19753420684059 |archive-date=2026-02-17 |access-date=2026-03-06 |work=Twilio Help Center}}</ref> This makes it harder for users to switch to another 2FA application, in return forces them to delete all their 2FA tokens and manually add set them up again in a new app.
 
===User Privacy===
The user account is linked to a mobile phone number.


==Incidents==
==Incidents==


===Data breach (July 2024)===
===Data breach (July 2024)===
On July 1, 2024, it was disclosed by Twilio that unauthorized actors accessed customer data "due to an unauthenticated endpoint", but stressed "Authy accounts are not compromised".<ref>{{Cite web|url=https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS|title=Security Alert: Update to the Authy Android (v25.1.0) and iOS App (v26.1.0) |author=Authy|date=2024-07-01|work=Twilio}}</ref> It would be later discovered the hacker group ShinyHunters breached Authy servers and had access to 33 million phone numbers from Authy.<ref>{{Cite web|url=https://www.securityweek.com/twilio-confirms-data-breach-after-hackers-leak-33m-authy-user-phone-numbers/|title=Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers|date=2024-07-04|first=Eduard|last=Kovacs|work=Security Week}}</ref>
On July 1, 2024, it was disclosed by Twilio that unauthorized actors accessed customer data "due to an unauthenticated endpoint", but stressed "Authy accounts are not compromised".<ref>{{Cite web |author=Authy |date=2024-07-01 |title=Security Alert: Update to the Authy Android (v25.1.0) and iOS App (v26.1.0) |url=https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS |url-status=live |archive-url=https://web.archive.org/web/20260303173633/https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS |archive-date=2026-03-03 |work=[[Twilio]]}}</ref> It would be later discovered the hacker group ShinyHunters breached Authy servers and had access to 33 million phone numbers from Authy.<ref>{{Cite web |last=Kovacs |first=Eduard |date=2024-07-04 |title=Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers |url=https://www.securityweek.com/twilio-confirms-data-breach-after-hackers-leak-33m-authy-user-phone-numbers/ |url-status=live |archive-url=https://web.archive.org/web/20260213103411/https://www.securityweek.com/twilio-confirms-data-breach-after-hackers-leak-33m-authy-user-phone-numbers/ |archive-date=2026-02-13 |work=[[SecurityWeek]]}}</ref>


===Removing Desktop App (August 2024)===
===Removing Desktop App (August 2024)===
[[File:Authy Desktop App EOL.jpg|150px|thumb|right|Popup message on March 19, 2024]]
[[File:Authy Desktop App EOL.jpg|150px|thumb|right|Popup message on March 19, 2024]]
On March 19, 2024, Authy would no longer support their desktop app.<ref>{{Cite web|url=https://help.twilio.com/articles/22771146070299-User-guide-End-of-Life-EOL-for-Twilio-Authy-Desktop-app|title=User guide: End of Life (EOL) for Twilio Authy Desktop app Overview|date=2024-01-01|work=Twilio Help}}</ref> Previously, the EOL date was August 19, 2024, however it was moved to March.<ref>{{Cite web|url=https://www.ghacks.net/2024/01/08/authy-authenticator-apps-for-desktop-are-being-discontinued-in-august-2024/|title=Authy authenticator apps for desktop are being discontinued in March 2024|first=Ashwin|last=Karthik|date=2024-01-08|work=ghacks.net}}</ref>
On March 19, 2024, Authy would no longer support their desktop app.<ref>{{Cite web |date=2024-01-01 |title=User guide: End of Life (EOL) for Twilio Authy Desktop app Overview |url=https://help.twilio.com/articles/22771146070299-User-guide-End-of-Life-EOL-for-Twilio-Authy-Desktop-app |url-status=live |archive-url=https://web.archive.org/web/20260208222002/https://help.twilio.com/articles/22771146070299-User-guide-End-of-Life-EOL-for-Twilio-Authy-Desktop-app |archive-date=2026-02-08 |work=Twilio Help Center}}</ref> Previously, the EOL date was August 19, 2024, however it was moved to March in order to "streamline our focus and provide more value on existing product solutions for which we see increasing demand".<ref>{{Cite web |last=Karthik |first=Ashwin |date=2024-01-08 |title=Authy authenticator apps for desktop are being discontinued in March 2024 |url=https://www.ghacks.net/2024/01/08/authy-authenticator-apps-for-desktop-are-being-discontinued-in-august-2024/ |url-status=live |archive-url=https://web.archive.org/web/20250724152419/https://www.ghacks.net/2024/01/08/authy-authenticator-apps-for-desktop-are-being-discontinued-in-august-2024/ |archive-date=2025-07-24 |work=[[ghacks.net]]}}</ref> It was noted by TheVerge that M1 and M2 Macs can download the iOS version of the app, though Windows and Linux computers are left unsupported.<ref>{{Cite web |last=Roth |first=Emma |date=2024-01-08 |title=Authy is shutting down its desktop app |url=https://www.theverge.com/2024/1/8/24030477/authy-desktop-app-shutting-down |url-status=live |archive-url=https://ghostarchive.org/archive/pwX53 |archive-date=2026-03-09 |work=[[TheVerge]]}}</ref>
 
===Inability to export tokens===
Authy does not allow the user to export their 2FA tokens to another service in order to "maintain security for our users".<ref>{{Cite web|url=https://help.twilio.com/articles/19753420684059|title=Export or Import Tokens in the Authy app Not Supported Objective|work=Twilio Help Center|access-date=2026-03-06|archive-url=https://web.archive.org/web/20260217105416/https://help.twilio.com/articles/19753420684059|archive-date=2026-02-17|url-status=live}}</ref> This makes it harder for users to switch to another 2FA application, in return forces them to delete all their 2FA tokens and manually add set them up again in a new app.


==See also==
==See also==
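Review bot: The heading "Removing Desktop App (August 2024)" does not match the paragraph under it, which gives March 19, 2024 as the end-of-support date and August 19, 2024 only as the earlier plan; rename the heading to the March date or drop the month from it. In the same paragraph, the added quote "streamline our focus and provide more value on existing product solutions..." sits directly before the ghacks.net reference without saying who said it; name the speaker in the sentence so the reader knows whether it is Twilio's wording or the article's. The "Inability to export tokens" paragraph was moved under "User Freedom" with its wording unchanged, so "in return forces them" and "manually add set them up again" are still there; suggest "which forces them to delete all their 2FA tokens and set them up again manually in a new app". The "User Privacy" line gained a full stop but still does not say why the phone-number link matters; a pointer to the July 2024 section, which reports 33 million Authy phone numbers exposed, would make the concern concrete.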