Authy corrupted my 2FA backup and all I got was this lousy blogpost
Had a fun scare over the weekend, and wanted to write up a post that hopefully someone will find via Google if they have the same issue.
Last week, my iPhone USB-C port had some issues and could no longer be used for charging. I went to the Apple Store on Saturday, and they were able to repair it in about an hour. The fix involved replacing my logic board, so I was left with essentially a new iPhone and I needed to restore my backup from iCloud.
After the restore, during my setup process I went to restore my Authy 2FA codes. For those who do not know me, I have worked in mobile app development for 15 years. This profession has led me to get new phones and test devices more often than the average person, and I have probably installed Authy on a new phone/tablet 50+ times over the past ~12 years I have used the service.
Prior to this weekend, the experience has always been the same. I have a backup password that has been the same since 2014. I enter the password, and my 2FA codes are restored from the backup.
Obviously, I'm writing this blogpost because all did not go according to plan this weekend. Saturday afternoon I entered my backup password, and was presented with a new prompt. I did not screenshot, so I don't have the exact phrasing, but I was presented with an alert that stated "Some of your 2FA codes are backed up with a different password. Please enter that password now." This was concerning because I have never had a second backup password. More troubling, some key accounts including my personal AWS account and my GitLab account were still locked away awaiting this second and non-existent backup password.
My initial thought was just that this was some sort of weird sync issue and it must be a one-time problem. I decided to download Authy on my iPad to attempt a restore there. I never use Authy on iPad, so I hadn't installed it before. Unfortunately, after downloading and attempting an account restore, the problem became much worse. On my iPhone, only 5 of the 41 2FA codes I had were locked behind this "second backup password." On the iPad, about 30 of the 41 2FA codes were still locked away after a restore. Although I knew that I only had one backup password, and I could see in the settings that my backup password had not changed since 2014, I tried any other password/code I could think of without any luck. The locked items from my backup remained locked and inaccessible.
Since it was the weekend, I decided to just hope for a server issue or oddity, and wait till Monday morning to file a ticket/service request with Authy. It was there that I learned that, like most software companies today, their support team is now OpenAI and a general LLM chatbot that repeats back whatever FAQs/knowledge base articles they have fed into the machine. All of these knowledge base articles lead to the unfortunate answer that if a backup password is lost, the 2FA codes cannot be restored and you are essentially locked out of your 2FA'ed service/account forever.
After finagling with the LLM gatekeeper, I was able to file a ticket into a system that presumably was read by a human. After submitting a ticket at 9am, I received a response that encouraged me to change the backup code on my old iPhone (I explained in the ticket that I no longer had my previous Authy install due to having my phone replaced), and then delete/redownload Authy on my new device. Given the experience of my iPad showing many more locked entries after I restored there, I was obviously reluctant to try this support suggestion.
For those unaware, Authy was sold to Twilio in 2015 and unfortunately, it has seemingly not received a whole lot of attention since the acquisition. The app continues to retain support, but there hasn't been much to show that the product is a priority to Twilio. But it's remained useful for my needs for the last decade, so it has continued to be my 2FA product of choice. For 2FA codes, it always made sense in my head to keep these codes separate from my normal password safe (1Password) as a means of separation.
That being said, these corrupted/potentially lost 2FA backups were a bridge too far for me, and I spent the rest of my morning moving all of my 2FA-backed sites from Authy to 1Password. Fortunately for me, I also had Passkeys tied to both my GitLab and my AWS account, so getting logged in and changing over 2FA services was easy. Unfortunately, my beloved Call of Duty Mobile account only had 2FA in Authy and was also in this locked backup purgatory. Goodbye soldier.
While discussing the problem a few hours later with a co-worker, I went to the iOS App Store to see just how often the mobile app was updated. I had mentioned that it doesn't seem like Twilio gives much care to Authy, so I wanted to see just how frequently they put time into updating the app.
Much to my surprise, when checking the App Store page, I saw that an update to the app had been approved by Apple only 14 minutes prior. I downloaded the update, tapped on one of the previously "locked" items, and entered my backup password. Boom, the previously locked 2FA codes were now unlocked and restored, ready for use.
By that point, I had already migrated all accounts to 1Password. About 5 hours later, I received another reply from Authy support, but it told me that I must have mistyped my password or forgotten it, and that I could again try to remember my password or use an old device to gain access to the 2FA codes. The reply mentioned nothing about the iPhone app update or trying again after updating the app.
Unfortunately, I think this is the end of the road for me and Authy. While I'm more than understanding that bugs happen, 2FA codes are too important to have the potential for irreversible data loss. It seems like some sort of change occurred that wasn't caught by unit tests or human testing, and while I don't necessarily believe my bug report was important enough to alert someone to the issue, the timing does seem very coincidental. Authy has always been a solid free tool, but given the importance of 2FA codes, it probably makes more sense to use something like 1Password where there's a paid relationship between myself and the product.
Hopefully no one else has the issue I had, and fortunately it looks like yesterday's app update resolves the issue.