Another useful app dead in the wake of frenzied layoffs to please short-term investors
Twilio reminds users that Authy Desktop apps die in March – not in August
End of life for the Authy Desktop authentication app is scheduled for March 19, rather than the August 2024 date previously announced. The clock is ticking for the Windows, macOS, and Linux versions, and Authy wants users to switch over to its mobile applications instead. The developer advised that the iOS app should also work …
COMMENTS
-
-
Thursday 15th February 2024 12:52 GMT Lon24
Found a silver lining
Always an upside. The alternatives suggested included Keepassxc which I have used for years as my password manager. Setting up to 2FA always featured Authy or Google Authenticator and I have both on various devices. I hadn't realised that Keepassxc had 2FA support (and it's difficult to find without a tutorial). Then simple to set up and, of course, works on all devices accessing the same database.
So moving from one password manager and 2FA apps to just one combined. Result! Thank you Twilio for the fish and a reason to avoid your products in future too.
-
Thursday 15th February 2024 13:17 GMT Autonomous Comrade
Re: Found a silver lining
Bitwarden also allows this feature on a paid plan ($10/yr) if you like your password manager hosted. There are a few scripts kicking around GitHub that allow you to export all your secrets from Authy desktop or the browser extension by pasting some code in the console. I used it to migrate all my Authy stuff to Bitwarden.
-
-
Wednesday 21st February 2024 22:42 GMT pirxhh
Re: Found a silver lining
When you self-host using Vaultwarden as your server software, you get a fully open source solution and have most of the premium features you're likely to want, such as sharing vaults.
That's what I do for the family; I have access to my mum's utilities, insurers etc. should it become necessary but not her various fora, knitting club and the like.
-
-
-
Thursday 15th February 2024 15:09 GMT RegW
Re: Found a silver lining
When I first saw the suggestions, I looked into this and concluded KeePassXC was just a password manager. But you are right - it's there in the "Getting Started Guide" under "Database Operations" -> "Adding TOTP to an Entry".
The downside is that it has the opposite problem - it's not available for phones! In theory if you can capture the original QR code then you could use it in combination with another authenticator app, but that seems painful.
-
-
-
Thursday 15th February 2024 12:34 GMT J4
Helpful corporate prompting
Well this was a useful reminder to sort out an alternative desktop solution:
"Ahoy! Just a friendly reminder about the EOL for Twilio Authy desktop app ending on March 19, 2024."
And this was a useful reminder to migrate away from all your services forever:
"Note: The Authy app lacks an export feature [and we have no intention of providing one even though we are leaving you with no other options, so suck it up buttercup]"
-
-
Thursday 15th February 2024 12:38 GMT vtcodger
"We made this difficult decision to sunset the Twilio Authy desktop apps in order to streamline our focus, and provide more value on existing product solutions."
I expect the English translation is either "We've run out of money, so we're bailing" or "Customers? Really, in this day and age who gives a damn about customers?"
-
Thursday 15th February 2024 17:04 GMT Pascal Monett
What it actually means is that the whole acquisition was a big mistake that Twilio never should have made.
The case study was not properly made and they found themselves with something they couldn't actually make any money from.
This is a big win for the guys who sold Authy and are now swimming in dosh, and a very poor showing for Twilio management who bought, and now killed, something people apparently needed because Twilio management did not properly take into account the requirements of making Authy work.
Not impressed at all.
-
Thursday 15th February 2024 12:46 GMT captain veg
stupid names
Any product with a cod-cute made up name ending in -Y invokes extreme suspicion in this cynic's mind. Rightly, in this case.
"Authy Desktop allows users to sign into services without having to squint at their phones."
My employer requires me to use Microsoft Authenticator. It works just fine on Android-x86 inside a VirtualBox VM. No squinting required.
-A.
-
Thursday 15th February 2024 12:51 GMT Jedit
Find alternate provision
I just had to migrate Authy from my old phone to the new one, and it was dystopian to say the least. To unlock the accounts for migration to the new device required changing my password - but you can't change your password without first unlocking all the accounts. I tried contacting Twilio only to find their "support service" is 98% navigating an FAQ with wrong answers in and 2% finally getting in touch with a human being. It got sorted after much hoop jumping, but ye gods, it couldn't be less friendly if they had an option to "Press 3 to hear rude remarks about your wife and/or mother".
-
-
Thursday 15th February 2024 16:46 GMT Hans Neeson-Bumpsadese
What if app isn't an option?
I know of at least one organisation using Authy for 2FA in locations where mobile devices are forbidden for security purposes - only desktops/laptops accessing the network via wired LAN. Could be interesting to see how they cope when the desktop app ceases to be.
-
Thursday 15th February 2024 20:44 GMT Danie
I really loved Authy's cross-platform sync, and quickly moved off Google 2FA to Authy. But this move is probably just what I needed to finally move all my 2FA across to Bitwarden (which does passkeys too). So 90% through the manual slog of recreating my 61 2FA logins... on target for Authy's cut-off date. Sorry, but I do 99% of my browsing on desktop so a mobile-only app is just not going to cut it for me.
-
Friday 16th February 2024 03:05 GMT hayzoos
Another Bitwarden advantage is the extent of cross-platform support.
@Danie - How did you find 61 sites that use 2FA? I will not even tell you how few I have amongst hundreds of logins, it's pitiful.
And, according to Bitwarden's report on 2FA use, I have not missed enabling a single one. Sadly, not a single financial account offers anything more secure than SMS / email delivery of a TOTP. As it stands SMS TOTP delivery seems to be the "industry standard". What bothers me about this is: to generate the code delivered by SMS they have implemented most of what it would take to support "authenticator app" TOTP, yet they still won't do it.
Even worse is the uptake of anything more secure such as hardware keys. I wonder if passkey uptake will be any better.
So I have to wonder, is the death of Authy Desktop really that big of a deal? Sadly, it may not be.
-
Monday 19th February 2024 08:42 GMT Bebu
Wondered about this.
《SMS / email delivery of a TOTP.》
I cannot see the real point of this as the number could be any random 6 digit number with a use by date ie the shared secret isn't actually shared. The 2F is really the possession of your phone or control of your email account.
TOTP is very roughly a hash of a random seed and the current time - where the random seed is the roughly preshared key.
For very odd reasons I needed a text client to produce these tokens which, given the Linux oath toolkit libraries, was a 20 line C program featuring the single library call:
oath_totp_generate (secret, secret_length, now, time_step_size, start_offset, digits, output_otp)
If you can get the secret out of authy generating the token is pretty simple - clients often export them as a URI possibly as a QR code eg
otpauth://totp/Okta%3A?secret=VBDASQOY366QSYRY&algorithm=SHA1&digits=6&period=30
Converting the base32-encoded secret to an unsigned byte array is the only clever bit. ;)
Properly securing these TOTP secrets on your device/workstation is the really hard part.
-
-
Friday 16th February 2024 14:38 GMT Androgynous Cupboard
I've just done the Authy-to-Bitwarden migration - 13 accounts, took about 30 minutes but actually fairly painless as most sites smart enough to use a third-party 2FA like Authy are fairly clued up when it comes to changing the process. The Bitwarden 2FA interface is fine too. Annoying, but you'll only have to do it once.
I'm not quite sure what happens if I don't renew my $10/year in twelve months' time - "Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium" apparently, so I guess I can continue to use my existing TOTP keys even if I don't renew, but can't create any new ones?
-
-
-
Saturday 17th February 2024 04:02 GMT Yes Me
Narrow escape
Amazing incompetence at user relations. Being just a user, forced some years ago to install Authy Desktop by corporate edict, I have heard not one word about this from the corporate side. I just happened to get a message claiming to be from Twilio that looked like spam, smelt like spam, and was one click away from the trash can, when I thought maybe ... just maybe... it's for real.
No problem installing the Android version or migrating my credentials (except having to create a new password that required me to stand on my head while typing Special Characters). But still no communication from Corporate. I'm looking forward to some very entertaining panic email in mid-March.