Authy got hacked, and 33 million user phone numbers were stolen
  • 9point6@lemmy.world · 6 months ago

    Right, I get that and that would 100% be part of the solution, but I’m not going to have my cloud storage protected only by a single factor.

    Specifically I’ve kinda happily landed on Authy’s SMS being the 2nd factor in that scenario (and that scenario alone, as it’s generally one of the worst 2nd factors) because I know I can get my eSIM reprovisioned with a phone call to my provider. Plus Authy won’t just give me access with an SMS alone; there are verification steps before they will let me access it, which adds peace of mind given the reduced security of an SMS OTP.

    I’m not interested in cobbling together my own “secure” solution. I would happily host something ready to go (seems like Bitwarden might be a front runner here), but I’m not going to trust my glue is perfect if I’ve had to do much more than pull a container and set up a reverse proxy. I cannot guarantee I have the time to patch vulnerabilities manually, etc.

    • AlexanderESmith@social.alexanderesmith.com · 6 months ago (edited)

      Whoa there, I never have - and never would - suggest that anything should be protected by a single factor. Where are you getting that?

      Authy sucks. It’s not just that the TOTP they send you might not be secure (SMS is easily exploited), it’s been shown that they’re leaking other personal data.

      You don’t have to cobble anything together. As you say, self-hosted Bitwarden is a good option. As for your “glue”, you should trust it more than a third party, since you know what went into yours, and it’s not a massive honeypot treasure trove.

      Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.