• Wispy2891@lemmy.world · 18 upvotes · 6 months ago

    They wanted to let companies pay for a non-standard 2FA code generation tied to the phone number, as it was easier than the mainstream option, which was the almost abandoned Google Authenticator that didn't allow backups.

    Cloudflare and Humble Bundle used that scheme and I hated them for that. It seems that plan has now failed, and Authy is essentially a money-losing operation for Twilio, which shows in the unsecured API access that allowed the hack.

    • Scrollone@feddit.it · 4 upvotes · 6 months ago

      Also, Google Authenticator now supports backup. Aegis is another free alternative.

      • aard@kyu.de · 3 upvotes · 6 months ago

        And as soon as I learned about that I stopped using it. Turns out it was the right choice: since then more than one company has had breaches where authenticator seeds extracted from a Google account were used to bypass 2FA.

        • Scrollone@feddit.it · 2 upvotes, 1 downvote · 6 months ago

          It's completely optional to connect a Google account. You can always back them up using the QR code (just take a picture with another device).

          • Todd Bonzalez@lemm.ee · 1 upvote · 6 months ago

            Protip: Don't do any of this, unless you hate your accounts being secure.

            An encrypted backup and a stash of recovery codes for important accounts are the most secure way.