by dguido 4673 days ago
Nope, nope nope nope nope. Authy's latest "innovation" where bluetooth on the host can grab a new code from your mobile device provides a direct link between your two factors (reducing them to one). I don't think their team understands much about the problem they're trying to solve and they seem to be watering down the security of the product to attract new users instead. DUO and plain TOTP are really the only ways to go.
3 comments

[replying to my own post] Just a note, I talked with Authy on Twitter and they indicated they're making Bluetooth an opt-in feature in the future and that their management console has the ability to restrict all use of it by managed clients. I'm still not happy about it, but those are positive steps.
Agreed.

For those who missed it before, from a previous discussion on Authy:

> You're correct - there are serious security concerns with Authy's product, which were pointed out on an earlier HN thread: https://news.ycombinator.com/item?id=4916983

> Personally, I'd be concerned with trusting my credentials with any company unless all members of the leadership team (yes, including "nontech" people) are incredibly familiar with basic security terminology and practices.

> (Note that the founder is unclear when PBKDF2 and AES are being used in the product, which is concerning, because they have very different use cases and should be hard to confuse).

(http://news.ycombinator.com/item?id=6133648)

Great, so what should I use instead?