I was vaguely aware that some things were changing with Authy, but this is … unacceptable to me.
I understand that a phone is the right starting point for an OTP app, but this is absolutely ridiculous in terms of continuity planning. Lose your phone, lose access until you get it replaced?
They’ve helpfully listed some alternatives:
Authenticator.cc is just a browser extension.
StepTwo is good for those who are all Apple.
Secrets.app is also pure Apple.
KeePassXC isn’t even 2FA, but it IS cross platform and supports encryption of your password database. This doesn’t replace Authy, but it is interesting.
1Password’s site makes my head hurt, I think that’s a bad sign.
So that’s five options and five nopes.
Criteria:
I think what we want in an OTP app is this:
Works on multiple mobile devices simultaneously.
Offers desktop app for Linux/Mac/Windows.
Works with Google Voice numbers.
And based on some quick Googling and parsing of Reddit threads … nothing else does what Authy did.
LastPass might have decent features, but it’s payware at the level needed and not FOSS, so that’s a nope. andOTP was once pretty good, but it’s now orphanware.
One of the most hopeful things thus far is 2FAS - works on Android and iPhone, and there’s a browser extension. This is going to require some testing - I hope it’s not like the Threema leash, where your cell phone has to be on and network accessible. That would pretty much defeat the whole purpose of having a desktop backup.
Google Authenticator is similar to 2FAS - apps for both types of phones and a browser extension. I avoid Google as much as possible, but this might be one of those “hold your nose and use it” scenarios.
And as a late entry, FreeOTP is FOSS and seems to work everywhere.
Conclusion:
I started this thinking I’d be writing about an obvious solution to replace Authy. Instead I find I’m going to have to evaluate 2FAS, FreeOTP, and Google Authenticator. I like doing evals in general, but I had other things on my mind besides spending a day on this.
Like Gist, which perished within RIM, or Keybase, which is suffering a lingering death at the hands of Zoom, Authy is passing into the void. However, I think what I’m seeing here is that both 2FAS and FreeOTP are NOT married to a specific mobile device. And if this all works smoothly, that’s actually going to be an upgrade over Authy in terms of continuity planning, albeit with the added complexity of doing backups.
I wonder which one is considered best by those who already have GrapheneOS …