It’s time to stop using Authy


Multi-factor authentication is a valuable security measure. If someone guesses or steals your password, it’s another barrier to their getting into your account. Using an application that generates access codes is one of the better ways to do it. Several applications are available, most of which use the same protocol. The Open Authentication architecture sets the standard, and many applications implement it, each with its own advantages and disadvantages. I’ve used Authy from Twilio for some time, but it’s time to leave.

The biggest dangers of using a 2FA application are a breach in its security and the loss of its availability. Authy has been deficient on both counts. In June, Twilio suffered a data breach. The exposed information wasn’t critical, but it could aid malicious parties in getting 2FA codes by trickery. Worse, Authy’s availability on various devices and computers has been erratic.

I used to have the Authy application for the Mac. Twilio discontinued the Mac desktop application in March 2024. It was still possible to run the iOS application on a Mac, but a few days ago, when I did a software update, that stopped working too. I have alternatives, which I won’t specify here since I’ve probably already made too much information public, but they could go away too. A report on Reddit discusses the same issue. Apparently Twilio just dropped support for or disabled the iOS application on a Mac. There was no announcement.

Another Reddit report says that on a new phone, Authy refuses to run because it doesn’t meet unspecified “minimum integrity requirements.”

Given this pattern, it’s very possible that one day, Authy will unexpectedly stop working for you. Maybe it won’t work anywhere. You’ll be locked out of your accounts on multiple websites. It’s time to get away from Authy.

Exit carefully, though. You don’t want to lock yourself out by doing things in the wrong order, and you don’t want to weaken your security more than you have to. Don’t delete any Authy apps until you’re no longer dependent on them. Authy doesn’t support export or migration, so the process will be tedious. Do it anyway. If you’re about to move to a new phone or tablet or run a major software update, seriously consider getting off Authy first.

The first step is to go through every site where you have Authy 2FA and get away from it. Note: The following is a revised procedure. It should go more smoothly than the one I originally wrote in this post.

  • Choose and install a new application, such as Google Authenticator or 2FAS. There are lots of options. Read the reviews. Watch out for applications with copycat names like “Auhty”; they might be Trojan Horse malware, and sometimes they get into app stores. Some will show up at the top of your search in the app store, because they’re paid ads.
  • For each site where you have Authy 2FA, disable 2FA, then re-enable it using the new application. As you proceed, keep track of which ones now use the new app. Some sites let you change the 2FA application without disabling 2FA.
  • If the site offers recovery codes, save them after switching it to the new 2FA app. The extra protection is worthwhile, and your previous recovery codes may or may not still be valid. Use offline or protected files for your recovery codes.

Once you’ve done that, you’re finished with Authy. There’s no need to delete it right away; wait till you’re sure you haven’t missed anything. Finally, breathe a sigh of relief that you’re free of an authenticator whose continued support is in doubt.