
Authy is joining Twilio - troydavis
https://www.authy.com/twilio
======
zacwest
> "There are few companies who share our dedication to excellence…"

Authy is one of the worst-designed iOS applications I have ever used. It has
been this way for a very long time. They are actively hostile to people who
try to criticize their poor design choices. I would not classify it as
"dedicated to excellence."

CloudFlare forces me to keep it installed, so I have to interact with it on
occasion. If you have more than about 3 services set up, you have to first
scroll to expand the scrolling list of icons, then scroll multiple times to
find and read the 10pt font name of a service, etc. It's awful. Compare it to
Google Authenticator, which has a nice, big scrolling list of numbers and
names. The one advantage Authy has is encrypted backup, which I like, and
service lock-in, which annoys me.

Perhaps there's hope in somebody else taking over. Please, Twilio: prioritize
_usability_.

~~~
kmfrk
Has anyone gotten the Bluetooth stuff to work on OS X? I tried hard, but never
managed to.

To be fair, Bluetooth pairing between iOS and OS X hasn't been the most
pleasant experience in general.

--

Authy is a fine app, but the main selling point to me has basically always
been the typical "anything but Google's half-abandoned BS".

~~~
sleepyhead
No it just doesn't work. It is still available on the Mac App Store and when I
contacted them on Twitter they said "oh, we will look into the problem you are
having" but at the same time their website says the OSX app is
discontinued due to bugs in OSX Bluetooth driver
[https://authy.zendesk.com/hc/en-us/articles/202760296-Having...](https://authy.zendesk.com/hc/en-us/articles/202760296-Having-trouble-with-Bluetooth-)

I would not trust such liars with credentials to my most important services.

------
tomasien
Lots of hostility toward Authy on here, I'm shocked. I'm an Authy user and
I've always liked the service in that I've barely noticed it existed. Super
glad to use 1 app for most services I have 2FA on.

~~~
madsushi
Yeah, my sentiment on this acquisition is "one company I like/use buying
another company I like/use, I hope it goes well".

I switched to Authy when Google Auth 'forgot' all my tokens in one of its
updates (which ended up being restored later), and Authy has worked flawlessly
since then.

------
oms1005
Interesting acquisition, glad to see Authy as a service living in Twilio
instead of just using it. Can't wait to see it in the portal. Make sure you
read Jeff's post as well.

~~~
reustle
Jeff's Post

[https://www.twilio.com/blog/2015/02/ahoy-authy-joins-twilio....](https://www.twilio.com/blog/2015/02/ahoy-authy-joins-twilio.html)

------
danielpal
Founder of @Authy here. Happy to answer any questions.

~~~
feld
Why does Authy require I provide my cell phone number and email address? Why
do I have to have a user account? This is completely ridiculous. I do not need
nor want cloud syncing or backup. You are making Authy a potential target for
attacks by associating a user to cloud stored 2FA information.

This is not in the spirit of 2FA.

~~~
danielpal
Hi, good question. The reason for the phone number is that we depend on your
phone number as part of your identity. Almost all 2-FA systems today use the
phone number as a way to send you the code via text/phone call. If you read my
blog post: blog.authy.com/twilio you'll see we decided to build our
infrastructure on top of the telecom infrastructure because it was ubiquitous.

I also understand why some people don't like cloud backups. The good news is
that backups are off by default and optional. If you don't need them, you can
keep them disabled.

~~~
feld
This tweet indicates you're using TOTP, slightly modified from Google's
implementation:

[https://twitter.com/authy/status/498244613766139904](https://twitter.com/authy/status/498244613766139904)

    
    
      @benmcginnes Yes we are RFC 6238 TOTP compatible. 
      Same algorithm as GAuth but 7 digits, 256 bit keys and 10 seconds window.
    

So why do you still need my phone number? There's no network connection or SMS
required to generate those TOTP codes. I'm not buying the story that you need
to text me or call me unless you're storing the seed/token centrally and
sending it to users upon request which I strongly disagree with. That should
only be stored on the user's device.

~~~
mcdoug
For those interested in how TOTP is implemented, here it is in Python [1] and
Ruby [2]. It is really simple and understandable. Oh, and did you know you can
secure your SSH connections using TOTP [3]?

This stuff is no more complicated than storing password hashes. Having a nice
client app is good, but Google Authenticator is good enough. So instead of
using Authy and relying on a third party, why not get something like [4] and
be done with it?

[1] [https://github.com/nathforge/pyotp](https://github.com/nathforge/pyotp)

[2] [https://github.com/mdp/rotp](https://github.com/mdp/rotp)

[3] [http://delyan.me/securing-ssh-with-totp/](http://delyan.me/securing-ssh-with-totp/)

[4] [https://github.com/mtigas/django-twofactor](https://github.com/mtigas/django-twofactor)
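
An added example, not part of the thread and not Authy's, Google's or pyotp's code: a standard-library RFC 6238 implementation showing that the parameters quoted in the tweet above (7 digits, 10-second step) are only different arguments to the same HMAC-SHA1 core, and that generating a code needs nothing but the shared key and a clock. The `verify` helper, its `drift` parameter and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Published test key from RFC 6238 Appendix B (SHA-1 case); not a real secret.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). No network involved."""
    return hotp(key, int(unix_time) // step, digits)


def verify(key, candidate, unix_time, step=30, digits=6, drift=1) -> bool:
    """Server side: accept +/- `drift` steps of clock skew, constant-time compare."""
    now = int(unix_time) // step
    ok = False
    for counter in range(max(0, now - drift), now + drift + 1):
        ok |= hmac.compare_digest(hotp(key, counter, digits), candidate)
    return ok


if __name__ == "__main__":
    import time
    # Google Authenticator defaults: 6 digits, 30-second step.
    print("6 digits / 30 s:", totp(RFC_KEY, 59))
    # Parameters quoted in the tweet: 7 digits, 10-second step, 256-bit key.
    key256 = secrets.token_bytes(32)  # constructed sample key
    print("7 digits / 10 s:", totp(key256, time.time(), step=10, digits=7))
```

A shorter step narrows the time a captured code stays valid, but makes the verifier's `drift` allowance matter more when the phone's clock is off.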

~~~
thu
Oh thanks for mentioning [4], I always thought 2FA using PAM disabled the key-
based authentication and used passwords.

------
philip1209
When I first tried Authy, I was amused by Bluetooth sync for OTPs. Then, when
I tried hardware TSV like Yubikeys, I realized that Authy was only a marginal
improvement in technology, while it would take a complete rethinking of the
system - e.g. Yubikey - to scale to dozens of accounts, multiple devices, and
corporate adoption.

------
lmg643
I stopped using Authy a few weeks ago after I upgraded phones and lost access
to all the tokens I had on my own phone.

Perhaps I should have read the instructions more carefully, perhaps I am an
idiot. But I thought the purpose of an app linked to my cell phone number is
that these codes would port automatically.

As a result, I will never use Authy again.

SMS validation seems to work fine, which is good business for Twilio. Not sure
I understand the acquisition, unless Authy has some good math in their code
generation process.

~~~
tjohns
In my experience, Authy does port your OTP tokens between devices.

The ones that use their backend infrastructure are tied to your phone number,
and are ported automatically.

Ones that you import from other TOTP-based systems via a QR code (like Google
Authenticator) are private to your device by default. But if you really want,
you can turn on the optional "backup" feature in settings, which will upload
them to your Authy account and automatically port them between phones.

Sure, it requires an extra step... but to be fair, normal behavior for TOTP
codes is to keep them 100% local to the device. I'd argue this is a reasonable
default, given that security is involved. TOTP services almost always require
a backup method (SMS or scratch codes) in case you switch phones, anyway.

------
austinlyons
Can anyone with experience give an estimate of the acquisition price?

~~~
bitsweet
Somewhere between $1.00 and 16 billion

------
peterkelly
You spelt "was acqui-hired by" wrong

------
feld
What is the reason for all of these 2FA apps? This is completely unnecessary.
If you're going to offer 2FA, _please_ offer at least the following:

    
    
      * TOTP
      * Yubikey
      * SMS
    

If you want to partner with someone and ram unnecessary apps down our throats,
optionally add the following:

    
    
      * Authy
      * RSA
      * etc
    

I have places where I want 2FA but I will _not_ install the Authy app, so I go
without. Sorry. Let me use TOTP or my Yubikey.

~~~
rtpg
You do realise that with Authy you're just registering TOTP stuff right? It's
not on the same level as what you're mentioning. It's like complaining about
having to use Firefox instead of google.com

~~~
feld
Then why do they need an account or my phone number to do TOTP?

~~~
mmebane
Yes, that's definitely unfortunate. I don't remember it being required with
older versions of the Authy app. I really hate forced cloud service
integration, especially in applications that deal with sensitive material.

