Finally Getting Away from Authy for 2FA

Henri Cook
4 min read

As an experienced software engineer, I consider keeping my systems secure crucial. However, when the tools I rely on stop meeting my needs, it’s time for a change. Recently, I faced this dilemma with Authy. Authy, a popular two-factor authentication (2FA) app, recently discontinued its desktop application. For someone who spends most of their time glued to a desktop, this was more than just an inconvenience—it was a productivity killer.

Why should I have to pick up my phone every time I need a 2FA code? That's the whole reason I have a desktop in the first place! Additionally, Authy’s proprietary nature really started to bug me. It’s a closed-source application, and they make exporting your secrets harder than trying to nail jelly to a wall. Seriously, the lack of portability for my own 2FA data felt like a form of digital hostage-taking.

Before I found my current solution, I considered just controlling my Android phone from my desktop, similar to the iPhone mirroring announced recently at WWDC (source). I used scrcpy for this, which initially seemed amazing. After minimal setup (especially if you're familiar with adb), I could see my phone's screen and control it from my Linux desktop. However, it emerged that banking apps and other 'secure' apps have features to stop them from being streamed over wireless debugging sessions. To my chagrin, Authy was included in this list.

I also considered using Genymotion to run a full Android VM, but this option wasn't portable between my various desktops and required an enormous amount of resources, typically as much as the physical phone itself has. So, this wasn't a viable long-term solution either.

My journey to break free from Authy’s clutches was rocky, to say the least. Initially, I tried a number of outdated articles and hacks, including a frustrating attempt with mitmproxy. Spoiler alert: it doesn't work anymore. After several frustrating hours and a few choice words, I finally stumbled upon a lifeline: a Go library by alexzorin (check it out here).

This library was a game-changer. It impersonates a new Authy device being added to your account, allowing it to intercept and extract your 2FA secrets. Using the library was straightforward and, dare I say, almost enjoyable. I had my secrets out in no time, feeling like I’d just pulled off a great escape.

With my secrets in hand, the next step was finding a new authenticator app. Enter 2FAS. 2FAS is open source and promises no proprietary lock-ins—exactly what I was looking for. The mobile app is great, offering all the functionality I need without locking me in. It also has a browser extension, which I thought would satisfy my desktop needs. Unfortunately, there's a little quirk: the extension doesn’t show codes directly but requests them from your mobile. This means you still have to touch your phone every time you need a code. For me, this defeats the purpose of having a desktop extension.

To migrate my newly liberated secrets to 2FAS, I used Stefan Sundin's Offline QR Code Generator (you can find it here). This nifty tool generates QR codes for 2FA secrets, making the import process a breeze. I scanned the codes into 2FAS, and voilà, I was halfway to 2FA nirvana.
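As an added example (not code from this post, from the QR generator, or from 2FAS), here is what such a generator actually encodes: an `otpauth://` URI carrying the secret and its parameters. Alongside it is an RFC 6238 TOTP calculation you can use to confirm, before deleting anything from the old app, that a migrated secret produces the same code in the new app. The issuer and account names are constructed, and the secret is the RFC 6238 reference test key rather than a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode


def otpauth_uri(issuer, account, secret_b32, digits=6, period=30, algorithm="SHA1"):
    """Return the otpauth:// URI that a QR code for a TOTP secret encodes.

    Authenticator apps take every parameter from this URI, so a migration
    that loses a non-default digits/period/algorithm value yields codes that
    look valid but never match the server. Carry the values over explicitly
    rather than assuming 6 digits / 30 seconds.
    """
    label = quote(f"{issuer}:{account}")  # ':' and '@' become %3A and %40
    query = urlencode({
        "secret": secret_b32,
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{query}"


def totp(secret_b32, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """Compute an RFC 6238 TOTP code for a base32 secret at a Unix timestamp."""
    normalized = secret_b32.replace(" ", "").upper()
    # Exported secrets often come without base32 padding; restore it.
    key = base64.b32decode(normalized + "=" * (-len(normalized) % 8))
    now = time.time() if at_time is None else at_time
    counter = struct.pack(">Q", int(now // period))  # 8-byte big-endian time step
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def migration_check(secret_b32, observed_code, at_time=None, window=1, **params):
    """Check that the code shown by the new app matches the exported secret.

    Accepts +/- `window` time steps so a code read a moment early or late
    still passes. A mismatch outside that window means the secret or one of
    its parameters did not survive the migration intact.
    """
    now = time.time() if at_time is None else at_time
    period = params.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret_b32, now + step * period, **params), observed_code)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference key, not a real account secret.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri("ExampleCorp", "alice@example.com", SECRET))
    print(totp(SECRET, at_time=59))                 # 287082 (RFC 6238 vector, 6 digits)
    print(migration_check(SECRET, "287082", at_time=59))
```

Run the script with the real exported secret substituted in, compare `totp()` against the code the new app displays, and only then retire the old device. Because the check accepts a one-step window, it tolerates the few seconds between reading the app and running the script, but a wrong `period` or `digits` value fails immediately, which is exactly the kind of silent migration error worth catching.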

Despite the improvements, I still didn’t have a perfect solution for desktop access. But here's where things get better. I found OTPClient, an open-source 2FA app for Linux desktops. It’s basic and requires a manual import of the 2FAS database, which means updating the backup every time I add a new key. But hey, it's a small price to pay for freedom from proprietary software.

Now, I’m using an open-source mobile app for 2FA, and my secrets are easily exportable. The sense of control and transparency is liberating. Sure, the current desktop solution with OTPClient isn’t perfect, but it works. I can access my 2FA codes on my desktop without touching my phone, which is a significant improvement.

Looking ahead, I’m optimistic. The 2FAS team is active, and I hope they’ll develop a fully-featured desktop app soon. A seamless, cross-platform solution would be the cherry on top of this 2FA sundae. For now, I’m content with my setup. I’ve regained control over my 2FA secrets, and my productivity is back on track.

Breaking away from Authy wasn’t easy, but it was worth it. If you’re in a similar situation, I highly recommend considering 2FAS and OTPClient. The process might require a bit of elbow grease, but the end result—a secure, open-source 2FA solution that respects your data freedom—is more than worth it. Plus, you’ll have a great story to tell about your digital jailbreak.
