Guy who brought up several of the concerns in yesterday's thread here - and I'm in the same situation. Actually, I went so far as to download the app just to see if I could crack the backups I was criticizing (i.e., are they actually using a key-strengthening algorithm, or was the founder just straight-up lying after all of the concern was made public), but when I couldn't get past an SMS-based login wall to test, most of my initial fears were confirmed.

My concerns and irritations about Google Authenticator also still stand; they half-implemented the spec [1] and have potentially limited everyone's security as a result. However, they didn't misimplement it, so they just limited the gains rather than actually making things worse. I think the QR code to import the key is, uh, less safe than it could be, but assuming someone hasn't gone and posted screenshots of it to the internet or scanned it with multiple devices, it's not too bad.

I started building a replacement a couple of weekends ago to address some of these issues (though primarily because it hasn't been updated to support retina displays, never mind iPhone 5), so Authy's timing is rather unfortunate, as I've been in the thick of the spec and care deeply about security (I work for WePay; yes, we also have a public rollout of 2FA in the works, it's in internal beta right now). My plan is to give it away for free, if not open-source it completely.

[1] The flexible options for the number of digits, time window, and hashing algorithm are all hardcoded in GA, despite their TOTP implementation actually supporting the full spec. The UI simply ignores all fields besides the label and secret, presumably because they decided to make a screen-wide counter rather than entry-wide. Why it's still forced to SHA1 and 6 digits is beyond me.
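The footnote above is about the parameters the TOTP spec (RFC 6238, built on RFC 4226 HOTP) leaves to the issuer: digit count, time step and HMAC hash, all carried in the otpauth:// URI that the QR code encodes. The following is an added example, not code from the commenter's app or from Google Authenticator: an RFC 4226/6238 implementation that honours those URI fields instead of hard-coding SHA1/6 digits/30 s, plus a constant-time server-side verifier with a drift window. The `EXAMPLE_URI`, the `Example` issuer and the `alice@example.com` label are constructed for illustration; the secrets and expected codes come from the RFC 6238 Appendix B test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP honouring the full set of otpauth:// parameters.

Added example; not code from the original post or from Google Authenticator.
It shows that digits, period and algorithm are inputs to the algorithm, so an
authenticator that reads only the label and secret computes a different code
whenever an issuer departs from the SHA1/6/30 defaults.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions the spec allows, keyed by the name used in the otpauth URI.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if digits not in (6, 7, 8):  # RFC 4226 requires at least 6; 8 is the practical ceiling
        raise ValueError("digits must be 6, 7 or 8")
    digest = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1", t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / period)."""
    if for_time is None:
        for_time = time.time()
    if period <= 0:
        raise ValueError("period must be positive")
    return hotp(key, int((for_time - t0) // period), digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Read label, secret, digits, period and algorithm from an otpauth://totp/ URI.

    Absent fields take the RFC defaults (6 digits, 30 s, SHA1); present fields
    are honoured, which is what the comment says GA's UI does not do.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    # Base32 secrets are commonly written without '=' padding and in lower case.
    secret = params["secret"].strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret, casefold=True),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": algorithm,
    }


def totp_from_uri(uri: str, for_time=None) -> str:
    """Compute the code exactly as the issuer's URI specifies it."""
    p = parse_otpauth(uri)
    return totp(p["secret"], for_time, p["digits"], p["period"], p["algorithm"])


def verify_totp(key: bytes, code: str, for_time=None, digits: int = 6, period: int = 30,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check against the current step and +/- `window` adjacent steps.

    Clocks drift, so servers accept a small window. Every candidate is compared
    with hmac.compare_digest so timing does not reveal how many digits matched.
    """
    if for_time is None:
        for_time = time.time()
    ok = False
    for step in range(-window, window + 1):
        candidate = totp(key, for_time + step * period, digits, period, algorithm)
        ok |= hmac.compare_digest(candidate, str(code))
    return ok


# Constructed URI using the RFC 6238 Appendix B SHA256 test secret (32 ASCII bytes)
# with 8 digits. Issuer and account label are placeholders.
RFC6238_SHA256_SECRET = b"12345678901234567890123456789012"
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com?secret="
    + base64.b32encode(RFC6238_SHA256_SECRET).decode().rstrip("=")
    + "&issuer=Example&algorithm=SHA256&digits=8&period=30"
)

if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59, digits=8))   # RFC 6238: 94287082 (SHA1)
    print(totp_from_uri(EXAMPLE_URI, 59))                # RFC 6238: 46119246 (SHA256, 8 digits)
    # A client that drops the algorithm/digits fields computes something else for
    # the same secret, and the user is told their code is wrong.
    print(totp(RFC6238_SHA256_SECRET, 59))
```

The parser defaults rather than errors when `digits`, `period` or `algorithm` are absent, because that is what the URI format specifies; the failure mode the footnote describes is the opposite one, a client that silently discards fields that are present. The verifier's `window` is a server-side concern: widening it trades a little brute-force margin for tolerance of client clock skew, so keep it at one or two steps.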
I'd be very interested in this, Authy's timing notwithstanding. I think my email is in my profile - please let me know if/when you have something available (whether in beta or general release).