Closed poisonborz closed 1 year ago
Hi there @poisonborz
I'm afraid GitHub is not the correct channel for this.
We use GitHub issues as a place to track bugs and other development related issues. If your issue persists, please write us back using our contact form, so we can continue troubleshooting: https://bitwarden.com/contact/
You can include a link to this issue in the message content.
Alternatively, you can also search for an answer in our help documentation (https://bitwarden.com/help/) or get help from other Bitwarden users on our community forums (https://community.bitwarden.com/c/support/).
The issue here will be closed.
While I'm not sure about the @poisonborz recommended alternatives (Aegis for Android and Raivo for iOS), I think the question of why you specifically recommend Authy has merit. Since Authy requires the creation of an account (with a phone number) and was also breached in 2022, I would second the motion not to recommend it.
There are many good alternatives like Google Authenticator, Microsoft Authenticator, FreeOTP, FreeOTP+ (for Android), Tofu (for iOS), and OTP Auth (for iOS), so it's not clear to me why you would recommend Authy specifically. Personally, I would prefer recommending an open source application, but I think even recommending the Authenticator from Google or Microsoft would be preferable to Authy (as you can decide if you want to back up into the cloud and don't need to create a Google or Microsoft account in order to use the functionality).
Note: Aegis seems to be a good open source alternative for Android (under GPLv3 license). Since I am not an iOS user I did not check Raivo OTP (given their recent acquisition by Mobime and that their license is not really open source I'd probably not recommend it though).
I also wrote this to the support, however I am not sure that support is able to help. I think this could be a feature request to make it configurable which apps are recommended instead? Alternatively I'd also prefer no recommendation over Authy.
Steps To Reproduce
I'm a bit torn about whether this should be submitted as a bug report. On one hand, it directly affects the security of the app user, and it's about information in the app and an indirect vulnerability, so it fits neither a discussion thread nor a vulnerability report.
The web vault 2FA setup page recommends Authy for both iOS/Android.
Expected Result
Actual community-recommended TOTP apps should be presented, like Aegis on Android or Raivo on iOS. I sincerely hope the Authy recommendation is not the result of some sponsorship.
Actual Result
Authy is recommended. Since they were acquired by Twilio, the app's state is questionable. They had a security breach in 2022. It's closed source. It doesn't allow you to export/transfer your auths. Even deleting your account is really hard.
Screenshots or Videos
No response
Additional Context
No response
Operating System
Android, iOS
Operating System Version
No response
Web Browser
Chrome
Browser Version
No response
Build Version
2023.7.1
Issue Tracking Info