Argh, what a stupid thing I just did! Authy which is now owned by Twilio is discontinuing their desktop versions. That is a real pain for me as I do so much on the Mac. You are supposed to be able to run the iOS application on Apple Silicon but this didn’t work for me.
Don’t ever do this
The big mistake I made though was that Authy has the concept of a Backup Password which is not resettable. The problem is that when you create a new Authy instance, it says, please save this password and it has a copy box with “*********” and then the last two digits. It looks like you are supposed to copy this and save it, BUT DON’T DO IT.
It’s a complete ugh for the user interface on their discontinued desktop application, it should copy the actual digits, but it doesn’t, so if you just copy and save, you’ve lost your backup password forever. This is a sign from heaven to move off this to someone for whom there is a revenue model đ
It’s a pain but migration 2FA is a good thing
The solution is to note that you don’t have to have one 2FA system. It turns out that the so-called “seed” is critical. Authy unfortunately doesn’t ever display this key, but it is explicit in 1Password. So while I’ve always said I wanted my 2FA provider to be different from the password manager (hence why I use authy and 1Password together), it makes sense to migrate to 1Password because now just about everything has 2FA and it is unmanageable.
Also only having a single 2FA source is pretty scary, so passwords (which I keep in 1Password and iCloud Keychain) need the same sort of backup. So now comes the painful part, for every 2FA that I have regenerating the 2FA seed and then following the three steps:
- 1Password Two Factor Authentication. Add a 1Password key
- 1Password, save the Seed. This is the string you get original, this lets you recreate the key if needed. Put in a separate entry.
- iCloud Keychain. Go to Settings > Password and add these to the entries there
In this way, I have a pair of 2FA sources and a place to recover it all. Of course, doing this means I have to be even more careful about the master passwords for Apple and 1Password, but there is always a price to pay for security and always a way to break in.