alexzorin / authy

Go library and program to access your Authy TOTP secrets.
MIT License

Getting completely different TOTPs than Android App #9

Closed JeGr closed 4 years ago

JeGr commented 4 years ago

Hi,

I ran your script successfully under Windows, logged the app into my Authy and got two lines, for Humble and Twitch. I tried to re-enter these into KeePass with the TOTP extension, AndOTP or other apps to check whether they generate the same codes, but compared with the Android app the codes are vastly different and don't work. Did I do anything wrong in using the app? I thought the output was run & go :)

Any help appreciated to finally leave Authy behind :/

kmpoppe commented 4 years ago

For me the output was run and go, and yes, the codes are different, but that shouldn't pose a problem. If they don't work, the secret isn't registered with the site for some reason.

kmpoppe commented 4 years ago

And unfortunately you can't replace Authy, because they are the sole provider the site accepts. What the script gives you is a TOTP code that you can save to KeePass, but your device registration with Authy needs to persist.

alexzorin commented 4 years ago

@kmpoppe is spot on. The codes being different is perfectly normal (Twitch generates a new TOTP secret for every Authy "device") but they should still work, as long as the device is still registered.

I tested this very recently.

At least from the perspective of Twitch, the only way to close your Authy account (while still having 2FA) is to use SMS TOTP. Gross, I know, but that's Twitch's choice.

JeGr commented 4 years ago

Tested it, and as you said, although all devices show vastly different keys (which seems kind of nonsensical), it works. So yes, I know I'll have to leave the device (my phone) on the account with Authy (sadly), but at least I don't have to deal with the app and account itself anymore. Makes me wonder: if one were to leave only the exporter app attached to Authy and delete the other devices, shouldn't that work, too?

alexzorin commented 4 years ago

Makes me wonder: if one were to leave only the exporter app attached to Authy and delete the other devices, shouldn't that work, too?

Yes, that would work. There is a minor practical problem: you currently cannot use the exporter to delete your other devices, and I don't think that a device can delete itself.

In my own case, I have two devices: my phone (app is deleted) and authy-exporter (though I deleted its credential so it's not just lying around). I am using the Twitch TOTP secret exported from authy-exporter in another app (OTP Auth, which I can recommend heartily).

Just to clarify for future readers of this issue:

The two types of TOTP secrets you will have stored in your Authy account are:

Once you have exported all of the "Tokens", you can safely delete them from your Authy vault. Their validity is completely independent of your Authy account & devices.

For your "Apps", the exported TOTP secret will only remain valid for as long as the Authy device you exported it from remains attached to your Authy account. You don't have to keep the app installed, you just need to not delete the device from your account.
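The behaviour described in this thread (the codes from the phone and from authy-exporter differ, yet both are accepted, and a secret stops working once its device is removed) can be made concrete with a small model of the relying party. The Go program below is an added example written for this page; it is not code from alexzorin/authy, and the `Site` type is a hypothetical stand-in for the site's 2FA check, not a description of how Twitch or Authy actually implement it. The two secrets are constructed test values (the first is the RFC 6238 test key), and the 6-digit / 30-second parameters are the generic RFC defaults rather than a claim about Authy's "App" tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// TOTP computes an RFC 6238 code (HMAC-SHA1) for a base32 secret at the given
// Unix time, with the given time step in seconds and code length in digits.
func TOTP(secretB32 string, unixTime int64, period int64, digits int) (string, error) {
	normalized := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(secretB32, " ", "")), "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(normalized)
	if err != nil {
		return "", fmt.Errorf("bad base32 secret: %w", err)
	}
	var msg [8]byte // HOTP counter = floor(time / period), big-endian
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/period))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 5.3)
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits))), nil
}

// device is one registered Authy device plus the secret the site issued to it.
// Per the thread, the site issues a separate secret per device, so codes
// legitimately differ between devices at the same instant.
type device struct{ name, secret string }

// Site is a hypothetical model of the relying party's 2FA check (assumption).
type Site struct {
	devices []device
	period  int64
	digits  int
}

func NewSite(period int64, digits int) *Site { return &Site{period: period, digits: digits} }

func (s *Site) RegisterDevice(name, secret string) {
	s.devices = append(s.devices, device{name: name, secret: secret})
}

// RemoveDevice is what deleting a device from the Authy account looks like
// from the site's side: the secret issued to that device stops validating.
func (s *Site) RemoveDevice(name string) {
	kept := s.devices[:0]
	for _, d := range s.devices {
		if d.name != name {
			kept = append(kept, d)
		}
	}
	s.devices = kept
}

// Verify accepts a code matching the current step (or one step either side,
// for clock skew) for ANY still-registered device, and reports which one.
func (s *Site) Verify(code string, now int64) (string, bool) {
	for _, d := range s.devices {
		for skew := int64(-1); skew <= 1; skew++ {
			want, err := TOTP(d.secret, now+skew*s.period, s.period, s.digits)
			if err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
				return d.name, true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed secrets for the example; not real Authy or Twitch data.
	const phoneSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	const exporterSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"
	now := int64(1700000000)

	site := NewSite(30, 6)
	site.RegisterDevice("phone", phoneSecret)
	site.RegisterDevice("authy-exporter", exporterSecret)

	phoneCode, _ := TOTP(phoneSecret, now, 30, 6)
	exporterCode, _ := TOTP(exporterSecret, now, 30, 6)
	fmt.Println("phone code:   ", phoneCode)
	fmt.Println("exporter code:", exporterCode) // different from the phone's, yet both verify
	for _, c := range []string{phoneCode, exporterCode} {
		dev, ok := site.Verify(c, now)
		fmt.Printf("code %s accepted=%v via %q\n", c, ok, dev)
	}

	// Delete the phone from the Authy account: only the exporter's secret survives.
	site.RemoveDevice("phone")
	_, ok := site.Verify(phoneCode, now)
	fmt.Println("phone code after removing the phone device:", ok)
	_, ok = site.Verify(exporterCode, now)
	fmt.Println("exporter code after removing the phone device:", ok)
}
```

This is why comparing codes between the Android app and the exported secret is not a valid check for "App" entries: the secrets are simply not the same key. A useful check instead is that a code computed from the exported secret is accepted by the site while the exporter device is still registered.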

JeGr commented 4 years ago

Just wanted to close this with "works as described", even though the app-based tokens calculate very differently on different devices etc., so that's to be expected. But still, my mind tells me that I don't like that approach and somehow see it as "less" secure (for given values of "less"), but I can't wrap my head around why; I only find it extremely non-transparent and unnecessarily hard to work with. But anyway, now there's a way to do it the normal/standardized way, too :)

Amunak commented 3 years ago

It'd be a great idea to note this in the readme. Checking that the tokens are the same is a good way to verify that the export works... Except that can't be used here.

alexzorin commented 3 years ago

Good idea, I've done that.