Two-factor authentication (2FA) is perhaps the most basic and popular identity and access management security method. It requires two distinct forms of identification to access things ranging from data to social media accounts.

In May, Change Healthcare, which United Health owns, was struck by a cyberattack which was the biggest healthcare breach in the US. The company was rightly slammed for not having a 2FA which could have prevented the massive data breach.

However, as things turn out, even 2FA apps are not always entirely safe. Twilio has revealed that “threat actors” were able to identify the cellphone numbers of Authy, which is a popular two-factor app that it owns. Here’s everything we know about the Authy breach and whether 2FA is really as safe as it is sometimes thought to be.

Twilio Informs Users About Authy Data Breach

In a security alert, Twilio informed users that because of an unauthenticated endpoint, “threat actors” were able to breach data associated with Authy accounts, which includes the phone members associated with these accounts.

Twilio said that it took actions to secure the vulnerability and unauthenticated requests are no longer allowed. It added, “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.”

It urged all users to update their Authy apps to the most recent iOS and Android versions. According to Twilio, “While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”

2FA and Authenticator Apps Lower the Risk of Unauthorized Account Access

Authenticator apps and multifactor authentication are becoming a basic hygiene security factor and most websites and social media accounts insist on one while logging in. Many organizations also mandate that employees use them while logging in to ensure the safety of their systems. 2FAs help in identifying the credentials of the person who’s trying to log in and are pretty helpful especially as password breaches and bot attacks are becoming increasingly frequent.

By using 2FA or an authenticator app, the risk of unauthorized access to accounts can be greatly diminished – if not fully eradicated.

In messaging-based 2FA, the user gets the verification code either through a text SMS or an email (at times both). However, SMS messages can also be redirected or intercepted, plus there is the risk of sim swapping, so this method isn’t ideal.

This is where authenticator apps that generate time-based one-time passwords (TOTPs) come into the picture. These are generally regarded as more secure than the text-based OTPs as the passwords are often stored locally and are rotated at frequent intervals.

Authy is one such app that Twilio users were using for authentication. However, the app itself is at the center of a data breach and last week a list of 33 million phone numbers from Authy accounts was published on the dark web by the threat actor ShinyHunters.

While authenticator apps score better than text-based 2FA, they have their own sets of drawbacks. For instance, users risk getting locked out of their accounts if they accidentally delete the authenticator app or lose the device on which it is installed.

One workaround is the backup codes that some authenticator apps provide. One should save them securely, and on a different device on which the app is installed

How to Stay Safe While Using Authenticator Apps

The following tips could be useful in using authenticator apps safely

  • Use a strong password for the Authenticator app: The Authenticator app often requires signing in through a passcode. A strong password would help keep the authenticator app secure. The device on which the app is installed should also have a strong password.
  • Using the app on a trusted device: Use the authentication app only on a trusted device as using them on a shared/public device could lead to unauthorized access. On a similar note, refrain from sharing the codes generated by the authenticator apps as they could compromise the security.
  • Keep the authenticator app up-to-date: Like with any other app, keep the authenticator app updated to the latest version. The risk of a breach in apps that haven’t been updated to the most recent version is typically higher than in updated apps.
  • Don’t download apps from third parties: The authenticator app should be downloaded through official stores like Google Play Store and Apple App Store. Downloading these from other channels could be risky and could be a potential security threat.
  • Delete apps on old devices: If you download the authenticator app on a new device you should delete it from the older one and follow any guidelines that the app might have set for such cases. For instance, according to Microsoft, “You must both delete the app from your old device AND tell Microsoft or your organization to forget and unregister the old device.”

Use 2FA Apps from Reputed Companies

Finally, it’s important to use authenticator apps from reputable companies. Both Google and Microsoft provide free authenticator apps that are quite secure. That said, there still could be cases of individual authentication apps/devices getting compromised.

The first thing that a user should do in case of a suspected breach is to immediately change the passwords of the associated accounts and then revoke the 2FA authorization. Subsequently, the user can reinitiate the 2FA when the device is secured.

However, in case, you are not able to log in because the 2FA app has been compromised or you don’t have access to the app, you should reach out to the support team of the authenticator app which can then guide you further. While no remedy is 100% secure, following these steps would help you keep your credentials more secure.

As for those impacted by the Authy breach, keep following the updates that the company might provide. Also, Authy advises that if a user has lost access to their account, they should reach out to the company for help.