
After setting up MFA, most clients have the account automatically added to their Authy app.

Others are trying to add the account by clicking Settings >> Add Account. It then asks them to scan a QR code or manually enter a key.

As the developer, I cannot for the life of me find out how to get this key or QR code. I have read through the docs entirely.

What am I missing? I am using the PHP SDK.

kmoney12
  • Hello, are you building 2FA using the Authy API? Or are you generating OTP codes yourself? – philnash Jun 12 '17 at 13:48
  • @philnash I believe I am using the Authy API. I'm using this library and code: https://github.com/authy/authy-php – kmoney12 Jun 19 '17 at 01:40

1 Answer


Authy developer evangelist here.

With Authy, the secret key is not exposed to you, the developer, for security reasons. It is only shared with the user directly via the application, without them having to do anything, as you described. Authy, in fact, manages the keys between the app and the user more than just on the first occasion, as keys can be rotated regularly without your or the user's intervention.

If a user is finding that they have signed up to your site but your application isn't appearing in their Authy app then a couple of things might have happened.

  • Their phone may not be on a network at the time they signed up, leading to them not being able to receive the secret key from Authy

This should resolve itself over time as the user will eventually get their phone back on a network. You might consider suggesting they install Authy Desktop to use their desktop computer to authorise.

Alternatively, you could ensure they get a token and finish registering with your site by giving them the option to receive the token over SMS and forcing the token to be sent over SMS, using the force parameter when requesting a token.

  • They may have signed up to your 2FA using a different phone number than the one they initially signed up to Authy with.

For this, again, you may want to give them the option to receive a token by SMS. Or get the user to check their Authy account settings in the application and perhaps re-enter their phone number.

Overall, you won't get access to the secret or a QR code as that is not how Authy manages the secrets. Instead, either give the option to receive an SMS or get them to install an application on a device that has a connection.

Let me know if that helps at all.

philnash
  • Not having export options is bad though. There should be a way to make a secure export. – vrnvorona Feb 24 '21 at 06:21
  • This is a fatal flaw in the authy application. As far as I can tell, there is no way to get the secret key so that you can share it between multiple people who are sharing the same login for a website, which means that, in a lot of corporate or group settings, you need to have one person constantly getting bombarded with requests for the login code from others who share the account. – kloddant Oct 27 '21 at 16:12
  • @kloddant I think there is a different flaw in the situation you are describing there. Having multiple people share the login details for a single account is a security issue. With multiple people using one account, if there is abuse of the account you cannot tell who was at fault. If someone leaves or you need to revoke access, you would have to roll the credentials for everyone. Instead, you should be getting individual accounts within the service you are signing into so that you can manage things better overall. – philnash Oct 27 '21 at 23:54
  • Also, one other thing if you absolutely have to use one set of credentials to login. Authy can be installed and used on multiple devices, so you could allow multi-device access in the Authy account, install Authy on each person's device and approve each device as a device within the account that is set up for your application. – philnash Oct 27 '21 at 23:56
  • @philnash Yes, using multiple accounts is the ideal solution to such problems, but that is reliant upon the website in question. If the website does not offer that functionality, then the user is out of luck. Also, this opens up the possibility for the website to exploit this side-effect of this implementation of 2FA to charge for additional accounts when it otherwise could not. – kloddant Oct 28 '21 at 13:09
  • @philnash Authy can be installed and used on multiple devices, true, but this is also dependent upon how 2FA is implemented on the website. If the website does not support it, then again, the user is out of luck. If Authy allowed the user to export the secret key, then it could be transferred to different computers without the need for website support. – kloddant Oct 28 '21 at 13:10
  • Really, what I'd like to see is for the secret key to be given to the user initially upon adding a website in Authy, so that they could distribute it to whoever else is necessary, and then for it not to be stored or accessible after that. – kloddant Oct 28 '21 at 13:16
  • Good news! The Twilio Verify API is the successor to the Authy API and is currently piloting [TOTP in Twilio Verify](https://www.twilio.com/docs/verify/totp/technical-overview) which does not keep the TOTP code from the developer. It is still dependent on the developer to make the secret available to end users though. – philnash Oct 28 '21 at 22:49
  • But I'd still recommend separate accounts for your users. Sure, that might cost more, but that must be compared against the cost of a potential breach caused by the sharing of a single account and credentials. – philnash Oct 28 '21 at 22:50
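The SMS fallback the answer describes, written as an added example against the authy-php library the question links to (this is not code from the question, the answer, or the Authy project). It assumes Composer autoloading, a placeholder API key, and an Authy user id already obtained from `registerUser()` when the user enrolled; `requestSms()` with `force => "true"` and `verifyToken()` are the library calls as documented in its README.

```php
<?php
// Added example: force an SMS token for a user whose Authy app never received
// the account, then verify the token through the API. Not from the original page.
require_once __DIR__ . '/vendor/autoload.php';

use Authy\AuthyApi;

// Placeholder values: replace with your own API key and the user's Authy id.
const AUTHY_API_KEY = 'YOUR_AUTHY_API_KEY';

/**
 * Send a one-time token by SMS even when the user has the Authy app installed.
 * Without 'force', Authy skips the SMS for app users and relies on the app,
 * which is exactly the case the question describes (app never got the account).
 */
function sendSmsToken(AuthyApi $api, string $authyId): bool
{
    $sms = $api->requestSms($authyId, ['force' => 'true']);
    if (!$sms->ok()) {
        // Keep API error details server-side; do not echo them to the end user.
        error_log('Authy SMS request failed: ' . json_encode($sms->errors()));
        return false;
    }
    return true;
}

/**
 * Check the token the user typed in. The secret never leaves Authy, so there is
 * nothing to compare locally: verification must go through the API.
 */
function verifyUserToken(AuthyApi $api, string $authyId, string $token): bool
{
    // Cheap sanity check before the network call: Authy tokens are short digit strings.
    if (!preg_match('/^\d{6,8}$/', $token)) {
        return false;
    }
    $verification = $api->verifyToken($authyId, $token);
    return $verification->ok();
}

// Usage sketch (assumed flow): request the SMS, then verify what the user submits.
$api = new AuthyApi(AUTHY_API_KEY);
$authyId = '12345'; // placeholder: the id returned by registerUser() at enrolment
if (sendSmsToken($api, $authyId)) {
    // Render a form asking for the SMS code; on submit:
    // $ok = verifyUserToken($api, $authyId, (string) ($_POST['token'] ?? ''));
}
```

Treat a failed `requestSms()` as a signal to prompt the user to check the phone number on their Authy account, which covers the second cause in the answer.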