by guildenstern 2868 days ago
Authy specifically stores your account in the cloud, and it can be recovered using SMS. They have a 24-hour warning period during which the email address on file receives multiple notifications that a recovery is being attempted, with the option to cancel, but if someone has control over your phone number for an extended period of time they can absolutely take over your Authy account. I found this out when my Authy account was corrupted somehow and support said, "hey, no worries, just go through the recovery process."

Google Authenticator is offline only and is not vulnerable.


Yes but your backup is encrypted by a password. So even if someone steals your number for long enough to go through recovery, they still need to be able to decrypt the backup.

>this password is not stored anywhere on Authy's servers! If you forget the password and none of your devices are synched, your tokens are lost and you will need to delete them and start over

https://support.authy.com/hc/en-us/articles/115001750008-Bac...

Storing your account in the cloud is optional with Authy, at least.

I mentioned this because I know multiple people who've had Authy / other authenticators compromised down the line from social engineering attacks. Even if you can be alerted, usually it's too late by the time you realize what's happened to your creds.

Did they not put a password on the Authy backup?