Popular two-factor authentication (2FA) app Authy, has discontinued its desktop application services and will now be available exclusively only on mobile devices. In January 2024, Authy’s parent company Twilio had announced that the Authy desktop apps for Windows, macOS, and Linux would be shut down on March 19, 2024, and would ultimately be discontinued in August.
Two-factor authentication (2FA) has become an essential security measure for online accounts, adding an extra layer of protection against unauthorized access. While Twilio didn’t publicly disclose the specific reasons behind the decision to shutdown its Authy desktop app, its update suggested that its mobile app “offer similar or better features for securely storing your authenticator account tokens, and are fully supported and regularly updated.”
Cyberattacks Behind Discontinuation of Authy Desktop App Service?
Twilio’s decision to shutdown its Authy desktop app could have emerged following a series of cyberattacks on Authy. Last month, a threat actor leaked sensitive information of 33 million phone numbers registered with Authy’s desktop app. Twilio had then warned that cybercriminals could misuse the stolen phone numbers to carry out phishing attacks and other scams.
In 2022 too, Twilio became a target of a sophisticated social-engineering phishing attack compromising the accounts of several of its Authy users.
Impact on Users of Authy Desktop App
Despite its warning in March, users who continued to use Authy for desktop, had realized that their 2FA accounts became redundant, unless they had earlier synced it with a mobile device.
Several users in the last two weeks complained that their tokens did not synchronize properly, making their associate accounts inaccessible. Twilio too forcibly logged off users from their Authy desktop accounts and did not allow them to log back in with their phone numbers.
Since users are facing synchronization issues, there is a possibility that they did not have the backup feature enabled which ensures that a user’s tokens automatically sync between devices. Twilio has also released a set of instructions for Android, iOS and Windows users to specifically the “Decrypt a 2FA account takeover”.
“Your 2FA secured account tokens can be deleted from Authy at any time. Once marked for deletion, a token will be completely removed from Authy in 48 hours. Users can undelete or recover this token before the 48 hours have elapsed, but afterwards it will be gone for good,” Twilio warned its users.
Alternatives to Authy Desktop App
Users can look into several options when it comes to replacing the Authy desktop app:
- Mobile App: The most obvious alternative is Twilio’s own Authy mobile app, available on iOS and Android. This option offers portability and convenience, allowing users to access their 2FA codes anywhere they have their phone.
- Authenticator Apps: Several other popular authenticator apps offer similar functionality to Authy. Some well-regarded options include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator.
- Security Keys: For users seeking the highest level of security, hardware security keys offer a non-phone-based option. These physical devices require physical possession to generate 2FA codes, adding an extra layer of protection against unauthorized access, even if a phone is compromised.
Way Forward for 2FA Security Measures
The security landscape is constantly evolving, and developers may need to discontinue outdated or vulnerable applications. It’s essential to stay informed about updates and be prepared to adapt. While the Authy mobile app offers a convenient alternative, users can explore other options or consider using a combination of methods to achieve the desired level of protection to prevent cyberattacks.