A useful tool, broken.
Surely having 2FA in 1Password along with your username/password is asking for trouble? If 1Password is compromised they will have login details and 2FA all sat waiting for them.
True, so I separate password/2fa for high risk accounts (passwords on 1Password and 2fa using Okta or Microsoft authenticator) but for most lower risk accounts I keep it all on 1Password
But 1password has 0 knowledge of passwords right? Especially Master Password so hackers couldn't even get anything.
@@SideshowBob44 same thing happened with LastPass when they were compromised so could just as easily happen to 1Password. Not all master passwords are secure and having site passwords and 2FA in the same vault concerns me.
@@SideshowBob44 when someone somehow can get into your password manager's account, they immediately have access to your 2fa account. It is better to split it so risk is minimized. I do store one 2fa in my Bitwarden but it is for a non risk site. And on topic I don't see why not having a desktop app is that big of a problem, my short term memory is good enough to type 6 numbers over from my phone app.
@@SideshowBob44 compromised could mean the JavaScript sent to the client has been changed, therefore your master password is stealable
Hi Leo, thank you for another interesting and great material! Just one question: How safe is it to keep passwords and 2FA codes in the same place?
Good point!
You are effectively reducing your login to single factor as the password manager is storing both your password and the key to generate the one time passcode.
Though, if you use true 2FA for your password manager, there's the argument that if your building is protected by 2FA then everything in your building is protected by 2FA. 🤔
If your chosen password manager is doing everything right, you're likely safe.
I use Keepass for which there is no vault as it is an offline program. That reduces the risk of data breach but increases your obligation to maintain the DB and keep it backed up in multiple places like USB drives, portable drives and other devices.
Personally, I would feel uncomfortable storing both security factors in one program.
I am also an Authy user on mobile and desktop. When I saw "Authy Desktop" was going away I deleted "Authy Desktop" and then I installed "Authy" (Version 25.2.7 (20240206.1)) on my desktop and entered my Twilio Authy credentials and have all my TOTP 2FA codes! So - What is this "Authy" (not "Authy Desktop") app that is running on my desktop? My desktop is a Mac with an M1 processor. This is the iOS version of the "Authy" app and it runs perfectly on my macOS desktop system. It looks exactly like the "Authy" that is running on my iPad. Thus, for me, in the Apple ecosystem, I will continue to have Authy on my desktop. By the way, I also use 1Password and have the same Authenticator codes running in 1Password (I'm a belt and suspenders type of computer user).
Authy will continue to work on all Mac desktops with the M1 and M2 processors so there will be no action needed.
Get What ? @Midnightquestions353
Having the same code in multiple places may be "cool" but it's a greater security risk, and I suspect why Twilio is doing it, given Windows is easily the most compromised platform.
Backup codes and recovery via email etc. exist for platforms if you lose your phone, utilise those and have your 2FA TOTP code in one place imo.
Admittedly I don't use Authy on the desktop but I think it's the right move to stop supporting it.
Disclaimer: I'm not affiliated with Authy or Twilio, just an IT security guy.
Thanks Leo, the other program I use for years that does the same thing is Keeper Security. Keep up the good work
Excellent. Thanks for letting me know.
I downloaded Twilio Authy on my iPhone. I am not able to move forward because of a multi-device disabled notice. I am trying and trying to find what to do. Help!
I wonder if you can just run the Android Authy on Windows and the iOS Authy on Mac.
So, Authy desktop is going now. Is the entire app going to be eventually scrapped or sold by Twilio or can we be pretty confident that the iOS and Android versions will remain and continue to be supported? I know Twilio is saying it is just the desktop app, but does anyone know the true story?
ok... while the mac DESKTOP application is now EoL, the iPAD version will run on macs running macos 13 or later.
Does ANYONE know exactly what this sunset entails? I opened my desktop Authy today and nothing seems to have changed. Are they simply discontinuing updates to this app, or are they gonna do an Adobe and do something to make the app unusable? Are they gonna cease all syncing, only allowing manual use? Block all sign-in attempts from desktop? Other than pulling all their installers, WHAT ARE THEY DOING?
They haven't said, but my assumption is that it'll keep working, just no longer be updated. If something breaks it some day (like an OS update), that'll be the end.
i am wondering too still working
I think using the same password manager for both your passwords and 2fa is a bad idea. I wonder if using a second password manager for only the 2fa codes is a possible solution.
Hi Leo, great video. I have more than one account on Authy. How does your procedure give me a 2FA for each account in my Authy if I use your 1Password procedure? What am I missing? thanks
I'm not sure I understand the question. You have each account in 1Password, and you just store that account's 2FA credentials with it.
@@askleonotenboom I use Authy to log into my Amazon, Bank, and Instagram accounts. How does 1Password distinguish between these accounts if I add Authy to my 1Password? I hope this helps.
I fail to understand how my Authy saved in 1Password can distinguish my Amazon, Instagram, and bank accounts with one code.
You're not saving Authy to 1Password. You're using 1Password IN PLACE of Authy. Thus each account in your one password vault has its own 2FA listed, just like in Authy.
@@askleonotenboom Thank you for the clarification
Excellent video. Are you also ok with Bitwarden ?
Yup. 👍
There are scripts to export all your Authy tokens so you can import them to other tools...
It will still work on Macs with the M1 or M2 chips after the deadline so these users will be ok and can carry on using Authy on their desktops.
I feel like they're saying that as a cop-out, but I would not continue to use it under the assumption that it will continue to work. My understanding is that they have intentionally interfered with the operation of their Android apps on emulators in the past. So unless they explicitly claim support for that use case, I could see them blocking it in the future.
@@davidboeger6766 it states on Authy "Note: The iOS app will also be available to download on M1/M2 powered Apple Mac devices."
So this suggests that it will be supported if it's the iOS app?
@@davidboeger6766 yeah it's blocked
Is this available on free or paid 1Password accounts? If paid, which tier?
With the Keepass password manager it's free. You can turn on TOTP in the tools option for an account entry, enter the secret key, accept the default values for number of digits and time interval or edit and voila, there's your authenticator as a string which can be copied.
Bitwarden paid does that too, but some websites stop accepting TOTP codes after initial flawless setup. @@coweatsman
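The KeePass setup described above (a secret key plus a number of digits and a time interval) is the standard TOTP calculation from RFC 6238. The sketch below is an added example, not part of the original comments and not code from KeePass, 1Password or Authy; it shows why any app holding a copy of the secret key produces the same valid codes. The secret is the published RFC 6238 test key, and the names `vault_copy` and `phone_copy` are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# the form a site shows as the "secret key" during 2FA setup.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as typed: spaces, lower case, missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: the counter is the number of whole periods since the epoch."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(now // period), digits)


def verify(secret_b32: str, candidate: str, at=None, window: int = 1,
           digits: int = 6, period: int = 30) -> bool:
    """Server-side check that tolerates +/- `window` periods of clock drift."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * period, digits, period),
                            candidate)
        for i in range(-window, window + 1)
    )


def same_code_everywhere(at: float) -> bool:
    """Two apps with the same secret are indistinguishable to the site."""
    vault_copy = RFC_TEST_SECRET                   # e.g. stored in a password manager
    phone_copy = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # same key, typed by hand
    return totp(vault_copy, at) == totp(phone_copy, at)


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET))
    print("identical on both copies:", same_code_everywhere(time.time()))
```

The code depends only on the secret and the clock, so every place the secret is stored is a place from which a valid second factor can be generated.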
used to be banking required you to show up at the counter to get your cash--now ANYBODY can get your "Cash" from ANYWHERE . We've come a long way (from common sense) but young people who don't have any money anyway and who think paying 20% interest on their credit card debt is Cool are the ones running the show
So funny, I just moved away from Authy last week exactly because of this reason. And very few 2FA platforms exist for Desktop and mobile simultaneously.
Yubico security keys of series 5 come with an authenticator downloaded from Yubico and with values inside the key. The Yubico authenticator can then be used on any platform you can use with a Yubi key and that has the Yubico authenticator app installed on it. For me that is a laptop, a desktop and a mobile phone, all of which have the Yubi authenticator installed. Yubico has supplied the feature because many sites only supply an authentication option but no security key option.
How bout running Authy through BlueStacks on Windows?
Not familiar with BlueStacks, but if that allows you to run Android (or iPhone) apps, then that should work.
Actually there is also an official Android Subsystem for Windows, just found out that it will be also discontinued soon 😟
@@iAnguel Microsoft just killed Windows Subsystem for Android. From the Microsoft Windows Subsystem for Android page
“Important
Microsoft is ending support for the Windows Subsystem for Android™ (WSA). As a result, the Amazon Appstore on Windows and all applications and games dependent on WSA will no longer be supported beginning March 5, 2025. Until then, technical support will remain available to customers.
Customers that have installed the Amazon Appstore or Android apps prior to March 5, 2024, will continue to have access to those apps through the deprecation date of March 5, 2025. Please reach out to our support team for further questions support Microsoft. We are grateful for the support of our developer community and remain committed to listening to feedback as we evolve experiences.”
It defeats the purpose if you save the password and 2fa code in same vault.
My thoughts on that: askleo.com/isnt-putting-two-factor-codes-in-my-password-vault-less-secure/
What do you do other than making videos on youtube for living?
askleo.com/
@@askleonotenboom Were you an engineer in Microsoft?
@@AlphaMale_24 1983-2001 leo.notenboom.org/how-it-began-and-ended/
I didn't know this was a thing. Sorry, I find out about it when it's going away. #SorryLeo
LD PLAYER ON DESKTOP HAS AUTHY
It was a good tool.