Authy Desktop EOL
Authy is a two-factor authentication (2FA) application created by Twilio. A key feature is that it syncs authentication information across multiple devices, and I have used it because a desktop client was also provided. Unfortunately, the desktop client is reaching end of life (EOL) on March 19th.
Two-factor authentication improves security because an attacker needs access to two things to authenticate instead of just one. If a site only requires a password, then an attacker can authenticate if they find your password. Authy implements a time-based one-time password (TOTP) standard that is used by many sites. If a site requires both a password and TOTP for authentication, then an attacker must gain access to your TOTP as well as find your password.
By the same logic, two-factor authentication increases the number of ways that a user may no longer be able to access their own account. A user is “locked out” of their own account if they forget/lose their password or if they no longer have access to their TOTP. For example, if using a TOTP application on a phone, the user cannot authenticate when the phone is not available for whatever reason. A child may be watching a video on the phone, the phone may be forgotten at home, the phone battery may be dead, the phone may be misplaced, the phone may have been dropped in the toilet and died, the phone may be lost, the phone may have been stolen, etc.
With some TOTP applications, losing access can only be resolved by contacting customer support at all of the sites and resetting authentication credentials, which can be a time-consuming and frustrating process. Authy provides a backup service to prevent this. It manages an encrypted backup of the authentication information “on the cloud,” which can only be decrypted using a backup password. (If you store this backup password in the same place where you store your account passwords, it defeats the purpose of 2FA.) If your phone is broken, then you can restore from backup on a new phone, but note that you cannot authenticate until you get a new phone.
A desktop TOTP application provides a good way to use TOTP when you do not have access to your phone. You do not want to buy a new phone or reset authentication credentials just because your phone is missing somewhere in your home, for example, as you will find your phone after a bit more searching. You continue to have access if your phone is broken, lost, or stolen. If your phone is stolen, you may really want that quick access to change passwords!
Twilio provides a user guide with recommendations for desktop alternatives. I decided to migrate to KeePassXC, an open-source application that has TOTP support. I just use KeePassXC for managing my TOTP information, separate from my account passwords. Unfortunately, Authy does not provide a way to export TOTP tokens. I used the authy-migration open-source software to do so.
Using a different desktop application of course means that the TOTP information is no longer synchronized with the Authy phone application. There is no longer a reason to use Authy at all. I went ahead and switched to an open-source application (Aegis) on my phone as well.