You should remove Authy as recommended 2-FA app [Example; not recommendation]

edited September 3 in Memberships

As I am new to this topic, I was unable to post the topic here (because it contained links).
Please read the security notice/flaw about the Authy program:

pastebin(dot)com/raw/K9jqXtbi

and remove it from your recommended apps.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben AWS Team

    Team Member

    Hi @selnomeria

    Thank you for the suggestion. I've asked our security team to look into this situation.

    Ben

  • Thanks, Ben, for your attention! I appreciate it!

  • Ben AWS Team

    Team Member

    And thank you for bringing this to our attention. I've been consulting with our security team and I think there are two important points to be made here:

    1. TOTP is a very small component of what protects a 1Password account. So small in fact that I do not use it to protect my personal 1Password account. With 1Password, TOTP is only used to protect the device authorization process, for which someone also needs both your Master Password and Secret Key. As I'm confident that nobody has either of those things, I don't need TOTP. I've written more about this in the past, e.g. here.
    2. I wouldn't necessarily call the list of authenticator apps in our guide a 'recommendation,' though I do see how some may view it that way. The intention is just to list a few examples of the sorts of apps that can serve this purpose. As far as recommendations go, we recommend storing all TOTP secrets in 1Password, and then only using a 3rd party authenticator for your 1Password account's TOTP secret (if enabled).

    Regardless of those points, we may look into revising that section of our guide. There is certainly an argument that there are other examples of TOTP-capable apps such as Yubico Authenticator, Google Authenticator, etc, and perhaps we could make it more clear that these are simply examples and not necessarily endorsements.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben
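    The role of the TOTP secret described above is easier to see with the algorithm in hand. The following is an added example for this thread, not code from 1Password, Authy or any authenticator app: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation plus a verification routine with a one-step clock-skew window. The secret is the RFC 4226 test key (a constructed sample, not a real credential). The point for the discussion is that any party holding the shared secret, whether the user's authenticator app, the service, or whoever gains access to the app's backup or recovery path, computes exactly the same codes; the factor is only as strong as the custody of that secret.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check: compare the submitted code against the current step and
    +/- `window` neighbouring steps, in constant time. Returns the matched step
    offset (0 = current step) or None. A real verifier must also record the
    matched counter and refuse any code at or below it, so a captured code
    cannot be replayed inside the window."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return delta
    return None


if __name__ == "__main__":
    # Two independent holders of the same secret produce identical codes.
    print("HOTP counter 0:", hotp(SECRET, 0))          # 755224 (RFC 4226 vector)
    print("TOTP at T=59, 8 digits:", totp(SECRET, 59, digits=8))  # 94287082 (RFC 6238 vector)
    print("verify:", verify_totp(SECRET, totp(SECRET, 1000), 1000 + 30))
```

Every result is checked against the published RFC test vectors, so the same code can be used to sanity-check any authenticator app's output for a known secret.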

  • Ben, unfortunately this board just doesn't allow me to post somewhat large text answers, so I again have to put the link where you can read my answer: pastebin(dot)com/raw/qatsTFdJ

  • Ben, many thanks for the reply.
    I think there are two confusions with regard to my original post.
    1) The first is that (probably I didn't explain it well and there has been a misunderstanding) I didn't mention TOTP/2FA auth with regard to the 1P account. Surely, I have nothing to say with regard to that matter of how hard it is to break into a 1P account. So, my post had nothing to do with 1P account authorizations. I wrote the inquiry regarding the use of authenticator applications out there for any websites on the internet, and that's why I said, people who will use one or another (from your 2 recommended auth apps), it means that people will use them as their TOTP program too.
    2) So, to continue the first part, even though these are not your "recommendations" as such, obviously and out of question, people listening to you and reading you mentioning/linking to the "example" authenticator apps, PEOPLE DO think (95%) that those apps are the ones "that could/should be used". Call it a recommendation or not, but that is like a GUIDE. I have reported the same problem to other providers (to Authy directly too) but they drastically ignored my report; even the low-level support didn't pass it to the upper dept.
    So, as I know 1Password is a team of professionals, please confirm the fact or not, that AUTHY has mandatory access to its account via SMS (so, if someone forgets his login/etc., loses access, SMS IS ENOUGH to reinstate access to the account) and SMS was (given my above link leading to numerous resources on its weakness and hackability) deprecated 5 years ago by NIST (google this phrase). So, AUTHY IS NOT FOR PROFESSIONALS. IT DOESN'T have an option to completely remove any link to SMS/phone number. So, please mention that on your recommendations page to educate people, to cause the PUSH to service providers to pay more attention to security, so they don't think that all people are the same fleet. No, they made a mistake, because we are out there who see the security holes in those apps and the producers of those apps just don't care. So, they deserve to get the reaction back.

    So, it would be a sign of your professional concern that you made that clear on that recommendation page, to list there only the ones that are completely independent (not dependent on SMS or obsolete, inherently hackable channels), like Microsoft Authenticator or alike (even Google Auth is safer).
    I know Authy is very handy and convenient, but it is not secure, which is the main principle that 1Password stands on. So, Authy is not a compatible concept with 1P due to its weakness. I see no reason why you would still maintain mentioning Authy there (and please, if you will still retain it there, add a note beside it).
    I will be disappointed if my attempt to make the web more secure fails with you (1P) too, and in such case, I will never have any further motivation to submit any reports to security vendors, because if 1Password ignores such things, then there is no point in trying with others.

  • Ben AWS Team

    Team Member

    @selnomeria

    I'm not sure what the difficulty would be with the length of your post... but I've included it here for reference so folks don't have to follow a link:

    Ben, many thanks for the reply.
    I think there are two confusions with regard to my original post.
    1) The first is that (probably I didn't explain it well and there has been a misunderstanding) I didn't mention TOTP/2FA auth with regard to the 1P account. Surely, I have nothing to say with regard to that matter of how hard it is to break into a 1P account. So, my post had nothing to do with 1P account authorizations. I wrote the inquiry regarding the use of authenticator applications out there for any websites on the internet, and that's why I said, people who will use one or another (from your 2 recommended auth apps), it means that people will use them as their TOTP program too.
    2) So, to continue the first part, even though these are not your "recommendations" as such, obviously and out of question, people listening to you and reading you mentioning/linking to the "example" authenticator apps, PEOPLE DO think (95%) that those apps are the ones "that could/should be used". Call it a recommendation or not, but that is like a GUIDE. I have reported the same problem to other providers (to Authy directly too) but they drastically ignored my report; even the low-level support didn't pass it to the upper dept.
    So, as I know 1Password is a team of professionals, please confirm the fact or not, that AUTHY has mandatory access to its account via SMS (so, if someone forgets his login/etc., loses access, SMS IS ENOUGH to reinstate access to the account) and SMS was (given my above link leading to numerous resources on its weakness and hackability) deprecated 5 years ago by NIST (google this phrase). So, AUTHY IS NOT FOR PROFESSIONALS. IT DOESN'T have an option to completely remove any link to SMS/phone number. So, please mention that on your recommendations page to educate people, to cause the PUSH to service providers to pay more attention to security, so they don't think that all people are the same fleet. No, they made a mistake, because we are out there who see the security holes in those apps and the producers of those apps just don't care. So, they deserve to get the reaction back.

    So, it would be a sign of your professional concern that you made that clear on that recommendation page, to list there only the ones that are completely independent (not dependent on SMS or obsolete, inherently hackable channels), like Microsoft Authenticator or alike (even Google Auth is safer).
    I know Authy is very handy and convenient, but it is not secure, which is the main principle that 1Password stands on. So, Authy is not a compatible concept with 1P due to its weakness. I see no reason why you would still maintain mentioning Authy there (and please, if you will still retain it there, add a note beside it).
    I will be disappointed if my attempt to make the web more secure fails with you (1P) too, and in such case, I will never have any further motivation to submit any report to any other.

    In response:

    The support page you're referring to is a page about setting up TOTP for 1Password accounts, so it seems relevant to explain what role TOTP actually plays when it comes to 1Password accounts. The only place we reference Authy is as an example of an authenticator app that could store your TOTP secret for your 1Password account. We recommend all other TOTP secrets be stored in 1Password.

    Additionally, as mentioned above:

    Regardless of those points, we may look into revising that section of our guide. There is certainly an argument that there are other examples of TOTP-capable apps such as Yubico Authenticator, Google Authenticator, etc, and perhaps we could make it more clear that these are simply examples and not necessarily endorsements.

    We haven't ruled out re-evaluating the wording on this page. 👍

    Ben
