Authy Desktop


Echo Wardon

Jan 25, 2024, 6:34:08 PM
to ivebmecobb

The desktop app will suddenly just stop opening. You click on the exe or shortcut and nothing happens. I've never experienced this with any program ever. This is not an acceptable bug to hand-wave away for any regular application, much less a security application that we rely on for access to our important accounts.

authy desktop


Download: https://t.co/BIQDc3hDAL



In my understanding, an attacker would need to intercept my password (likely through a keylogger on my desktop machine where I log in most) and access to my phone, or to the key stored on my phone. But I can likely picture that someone able to set up a keylogger could steal enough information to reuse any 2FA system available on my desktop computer.

You made an assumption that affects your outcome, and you cannot forget that you are making this assumption: that one "likely" gets your password via the desktop computer (i.e. keylogger). If that is your threat analysis, that's perfectly fine, just don't forget that you have made this differentiation.

Since your threat analysis is desktop-based, then yes, your conclusion is correct that adding a security function to the already-assumed-to-be-compromised desktop does not add a layer of security. If one can get your password, then one can get your 2FA code.

But, a desktop 2FA option is not useless if we change our assumptions. If we assume that one is more likely to get our passwords from the services we use (instead of our desktops), or even that one can get passwords from our mobile devices, then the desktop security measure legitimately adds a useful security function.

As a secondary note, I use Authy as my authenticator app. There is a Chrome desktop version of Authy which runs fine, but the Chrome Authy extension does not recognize the Chrome app, and the new instance of the app will not authenticate under Brave.

Some confusing things: all this had transpired on my HP Envy laptop. This morning I installed Brave on my Dell XPS 8930 desktop. I authenticated the first time through the LastPass extension. It has stayed authenticated over numerous restarts.

Authy, a free app from Twilio, can generate one-time passwords (OTPs) on your laptop or desktop computer, which you can use when logging into the Savio high-performance computing cluster at UC Berkeley.

Looks like I forgot my backup password on Authy for PC; however, I can still access all my 2FA accounts on mobile Authy for Android. I want to know if it is possible to recover or reset my backup password to make it work on the computer again.

I have authy installed on Ubuntu 20.04.2. On my IAM user page I click on the Manage link and Virtual MFA device. I copy the secret key. In Authy I click + to add an account and copy the secret key from AWS. I click Add Account, choose a title and select AWS and leave the token length set to 6. When I submit AWS gives an error showing Invalid MFA device.

Had the same issue, with authy only starting once and then never running again, on at least two different Linux distros, Ubuntu 21.04 and Fedora 34. Also had symlinks in my home folder to a separate partition, because my root partition is small.

I had the same problem with authy 1.8.4 and found the solution before I was aware of this thread.
The problem is indeed the symlinks in your home directory.
Those directories (in my case) are mentioned in:

The replaces makes no sense in the AUR. Only makes sense if you put the built packages in a local repository. If someone has authy-snap installed, the only way to replace it is to install manually authy, but first you need to realize that the package was renamed, and if you have realized that it was renamed, at that point you should be smart enough to uninstall authy-snap.

If a new authy-snap were to be created (which is unlikely because the name is bad), the replaces could be removed. replaces is used to upgrade people from the old package name to the new and is valid in this case. We could ask a TU for an opinion on if the replaces should "expire".

With that knowledge in mind, I started up Charles, added *.authy.com to the SSL proxy list and started a fresh copy of the Authy desktop app. Luckily for us, there is no TLS cert pinning or verification going on in the desktop app, so we can slip our trusted proxy cert in with no complications.

Two of those fields are interesting, api_key is the same value we saw in the x-authy-api-key header on our first request, and indeed it is still present as a header in this request. Not sure why they are including it twice, but there it is.

This yields a list of all connected devices, in great detail. Much, much more detail than would be needed in this UI. I've trimmed the response JSON down to just the Authy desktop device we are currently using, but it is representative of the other entries, and in some cases this is a smaller listing.

The next API call we see is one of the first things the Authy desktop app does when starting up, every time. Just based on the URL, it seems this is a check in to ensure that the device is in good standing and has not been removed from the account by another device.

On subsequent calls to this endpoint, the desktop app provides a list of apps in the parameters as a comma separated list. These are the unique_id values from the previous listing. Again, I've truncated here, it's a lot.

From the first request we see an auth header, x-authy-api-key. This value remains fixed, it doesn't appear to update, even after we've received what appears to be a device specific API key when completing device registration. The value is often in this header, but is also sometimes in the POST fields, or even in the query parameters. Sometimes it is in multiple locations.

The x-authy-request-id header contains a UUID and, despite the name, does not change on every request. Instead, it appears to be more of a session id. I only observed it changing when moving from a registration to being in an authorized context, as well as on each app open.

The x-authy-private-ip header appears to contain local IPs which reference my device. Buried in a wave of link-local IPv6 addresses was my IPv4. Not sure why Authy needs these, perhaps they have a feature (or planned a feature) to do a same-network peer-to-peer type of syncing.

The x-user-agent header is a bit weird, since its value, AuthyDesktop 2.2.3, is embedded (slightly differently) in the standardized user-agent value, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) AuthyDesktop/2.2.3 Chrome/96.0.4664.110 Electron/16.0.8 Safari/537.36. Similarly, x-authy-device-app with a value of authy seems superfluous.

- Multi Device Synchronization:
Are you re-scanning all your QR codes just to add them to your tablet and smartphone? With Authy you can simply add devices to your account and all of your 2FA tokens will automatically synchronize.

Authy works on both mobile and desktop with the ability to sync your various devices together. This means that once synced, you can use either the mobile version or your desktop when logging into any site that requires 2FA.

You will be asked to confirm this sync by manually typing OK. Do this and then you will receive a confirmation page. The process is now complete and your desktop Authy is synced with your mobile version.

I am running Windows 11 Pro, with 1Password desktop and as an extension in MS Edge (everything is fully updated).
I am using an iPhone 13 Max with the latest iOS (and again, all the time and date settings are synced up).

Authy is a desktop application for two-factor authentication (2FA). It also works as a security partner and SMS delivery service for websites that need better 2FA. Supported companies can use two-factor authentication for their website logins by sending 2FA tokens to your desktop application.

Below is a brief guide to installing Authy on to a desktop computer. Please note that you will still need access to a phone during the initial setup; this is because Authy needs to know it is communicating with the correct person.

Please be aware that Twilio Authy and the College IT Office do not have any affiliation with the companies mentioned above, so be mindful of potential risks and exercise your own judgment when selecting a replacement desktop authentication app.

The Authy mobile app includes a selection for multi-device use. If selected, you can use Authy on multiple devices, including your desktop, where you can login using your mobile number, and a code sent to that number by SMS. If not selected, trying to get an additional device to login requires enabling multi device access on the original device, or a call to support, with a caveat it could take up to 2 days to authorise the request.

By using a password manager for TOTP, I get broad cross-platform support with a web client, browser extensions, desktop programs, mobile apps, and even a CLI client. I also get standard authentication mechanisms, including 2FA support.

If you have switched over from the Mobile Authy app onto the desktop app and face the following error message, "Login request was declined. Make sure you have the latest version of Authy installed with app protection enabled and restart the app on your phone.", then please complete the following steps:

If you're using two-factor authentication (you really should), most likely your mobile phone is the second factor and you copy the security code over to your computer when prompted. Authy eliminates this hassle by putting the security token right on your desktop.

It works as a Chrome app that can be installed on Windows, Mac, and Linux (you don't have to use Chrome as your browser). Any site you can turn two-factor authentication on for and use with Google Authenticator can be added to Authy by copying the code once from Google Authenticator to the app. Then, the next time you have to enter a verification code to one of those sites, you can just copy the code straight from your desktop with the Authy app.

Two-factor authentication is still valid regardless of whether the second authentication factor "you have" comes from your cellphone, your tablet, or right from a desktop app in your laptop. For example, RSA Security, the leader in Two-Factor Authentication also has a
