Twilio Authy desktop replacement?

[PhilterPaper]

Select Topic Area

Question

Body

About a year ago I started using Twilio Authy desktop 2FA on my laptop (Windows 10) to secure access to GitHub. Today, Twilio announced that they are dropping the desktop capability in a month (way to give lead time, guys!) and supporting only mobile. I don't have cell service where I live out in the woods and can't switch to their mobile app. So, I need to switch 2FA ASAP.

1. What are good, reliable 2FA applications that can run on Win10 (possibly Win11 in a year or so)? Twilio lists 5 recommended apps, but two appear to be mobile-only. They include authenticator.cc, keepassxc.org, and 1password.com. Any warnings to avoid any of these?
2. How can I transfer over on the GitHub end without danger of losing access? Is it possible to sign on (using 2FA), drop the existing 2FA, and simply install a new one (all in one session, I presume)?

Don't tell me to "join the 21st century and get cell service" -- not physically possible! No, I'm not Amish or a Luddite. Don't tell me to ditch Windoze and use Linux instead -- Linux is great, and I love it, but a very small market compared to Win, and for other reasons I need to be on Win anyway. Thanks!

[d-hansen]

So far, I'm not seeing any super awesome options on linux desktop apart from "Bitwarden TOTP" (which I haven't tried); OR, modifying authenticator.cc to use remote storage for TOTP coefficients. At least authenticator.cc is open-source, so easily reviewed for security.
As for your second question: yes, you can add multiple 2FA devices. So, that would be the process: get a new 2FA application, add it to your account, then remove the Twilio device.
Note: I used to work in a scenario where you were REQUIRED to NOT have your cell phone (they were concerned about you taking pictures with your cell phone and then sharing them on social media). So, I agree that REQUIRING a cell phone to use 2FA is ridiculous.
Note2: you could still buy an android device that is not a cell-phone like a tablet. Only requirement is that it needs to run Android or iOS. Then install their stupid app, connected via WiFi and you'd be fine. Maybe this is their goal - like Bill Gates' old goal: "a PC in every household" - they want every computer system to be accompanied by a tablet for authentication...
Note3: there are some ways to run Android apps on a PC.... I personally have tried none of them, because I don't really care. https://www.pcmag.com/how-to/3-free-ways-to-run-android-apps-on-your-pc
I wonder if the boneheads at Twilio realized this move is just going to push more people to figuring that out... Not a great idea in terms of strengthening security IMO.
GOOD LUCK! And to hell with Twilio!

[PhilterPaper]

Ah yes, the nefarious conspiracy of Big Tablet to get us to buy even more devices! I'm going to try to pass on buying a second Android device. I presume that it needs to communicate back to some server (which means setting up Wi-Fi just for that), and isn't strictly a local device? Good to know that I can first add another 2FA method and then ditch Twitio.

[d-hansen]

FYI - I've found the most complete thread on this topic seems to be going on over on Reddit: https://www.reddit.com/r/privacy/comments/1aphpcq/twilio_shutting_down_authy_desktop_crossplatform/

Side note: Interestingly Reddit has not adopted supporting 2FA...

[DNin01]

Well, here's the thing, some authenticator (TOTP) apps work offline! So if your concern is that you won't have a good cell service connection, it's still viable to install authenticator apps on your mobile devices. My personal mobile choice is Google Authenticator.

If for any reason you would prefer a desktop solution, though, password managers are a good choice. KeePassXC (free), 1Password, and Bitwarden all have TOTP integration features. There are also other options in the form of desktop apps and even browser extensions.

Another option is to set up a passkey, which is a one-step login flow that fulfills two factors (therefore, it skips TOTP authentication), where your computer is quite literally a key to your account. Your computer may or may not support the technology, though, and you'll probably have to set a Windows Hello PIN to use it. However, you can also store passkeys on mobile devices.

[DNin01]

I've heard good things about this browser extension.

[PhilterPaper]

OK, I have been fighting for over three solid days now to get this damned thing to work. I ended up installing "2fast" b/c it works from the desktop, and it appears have installed OK. I can log into it and click on GitHub, and it generates a 6 digit code. It's a different code than Twilio Authy generates, if that means anything. However, if I use 2fast's code for the 2FA in GitHub sign-in, it tells me "2FA has failed".

How do I tell GitHub to stop using the Twilio-generated key and use 2fast's instead? It only says in Settings that I'm using TOTP application, and doesn't say which one or that more than one is available. I don't have enough hair left to keep tearing it out -- what do I do now? Twilio ends some time tomorrow!

[DNin01]

The fact that it's generating a different code than what Authy is is weird. That means it's probably not displaying the correct 6-digit codes either.

I'd recommend you look into this issue more, or you could try re-registering the authenticator app on your GitHub account (you can do this by clicking "Edit" next to "Authenticator app"). Sometimes this also happens because your computer's clock is not set correctly, so check that it's setting itself automatically.

If you can't figure it out, don't panic - you can save your recovery codes in case you need them, or set up a passkey, which, when used to log in, skips 2FA.

[d-hansen]

You should be going into the GitHub "settings", and then "Password and authentication". Then scroll down to Two-factor Authentication. Find the row labelled "Authenticator App" in the Two-factor Methods section. On the right-side, click on the 3 dots and select Edit. It will then open to a bigger section and present you with a QR code. You should configure your "2fast" app with this QR code. Then enter a token from the "2fast" app under the QR code and click Save.
Alternatively, you can disable the Authenticator app, then just re-add a new one.
Note: this will configure a new TOTP which will not match whatever you previously had and will generate different codes.
Hopefully you have previously configured some alternative backup methods so you can get in and make configuration changes.

[DNin01]

If you're having some trouble, I'd at least recommend setting up a passkey or having recovery mechanisms (like recovery codes) ready in case you lose access to your authenticator app, while you figure out a more permanent solution.

[PhilterPaper]

Alternatively, you can disable the Authenticator app, then just re-add a new one.

That's more or less what I ended up doing (switching to SecureKey). I think it's working properly (was able to sign on with it). I'm not sure if I missed a step or something on 2fast -- all the instructions are so oriented towards phone use, and desktop is always an afterthought (you too, GitHub!). Thanks everyone for the suggestions and help. I don't know why 2FA has to be so bloody complicated and difficult for someone who can't use a phone for it (no cell service out here in the boonies). Recently I had to process some financial estate documents, and the firm insisted that I had to sign digitally via a smartphone app. They looked at me with pity as some sort of Amish or Luddite when I told them I couldn't...

I must have tried at least a half-dozen 2FA desktop apps before finding SecureKey. Fingers crossed that it keeps working (and doesn't suddenly get withdrawn, as Twilio did with Authy). I just love several apps that promised, "Yes, we support Windows desktop," and the first thing they ask when you try to download is, "Do you want the Android or iOS version?" Sigh. Or even, "Sorry, desktop version not yet available," (despite claiming yes, it's available). This is more complicated than it needs to be. I wish that GitHub didn't require 2FA for open source (public) projects, but I guess it's easier to have everything under one roof to protect private repositories.

[kumchu]

Check out OneAuth from Zoho! Long time user of OneAuth! It’s available on Windows, macOS, Android, iOS and also supports watchOS and WearOS!

I have been using it on my iPhone, Apple Watch and MacBook Pro! Works like a charm and it’s feature rich!

E2E Encrypted with your own passphrase having Zero-Knowledge Architecture and syncs well with all my devices!

For more details: refer their website: https://zurl.to/9a2N

Their recent blog regarding Authy EOL: https://www.zoho.com/blog/accounts/authy-alternative-zoho-oneauth-app.html

And found this related page for Authy alternative as well: https://www.zoho.com/accounts/oneauth/authy-alternative.html