Migrating 2FA Codes From Authy to iCloud Keychain
Nice as it would be if Apple’s new system could simply import all your codes from Authy—or other apps like Google Authenticator—it doesn’t seem as though that’s an option for that at present, which isn’t entirely surprising given the security issues involved.
[…]
I found a tip that lets you easily display all of your time-based one-time password (TOTP) setup keys from Authy using the Authy Desktop app for Mac and Google Chrome.
The end result was that I spent about an hour laboriously copying each setup code into the appropriate password entry in the Safari Technology Preview’s Password section and—just to be on the safe side—logging in to each website to make sure it worked.
I’m interested in using this feature to enter 2FA codes more easily and to sync them using iCloud Keychain, but testing it out is giving me doubts:
Most of the sites that I want to add 2FA codes to do not appear in the Passwords section of Safari’s preferences, even though Safari does know how to auto-fill them. (Maybe this is because they are stored in a different keychain?) So there is no way to add the code, except maybe by consolidating keychains, which I don’t really want to do.
I don’t want to use iCloud Keychain for all my passwords, just the 2FA codes, but that doesn’t seem to be possible.
I would prefer my codes to be protected by a separate, stronger passphrase.
It doesn’t feel like safe long-term storage since it doesn’t work with import/export. Indeed, once I added a code to a site, that site would no longer appear in exports at all. I do see some new entries in the Keychain Access app, but they are separate from the site’s main entry (messy), and the credential is not actually visible in Keychain Access and can’t be exported. I don’t want this data to be stuck in an opaque app that might corrupt its database.
Update (2021-07-09): Dave Wood:
I’m surprised Apple even added this as a feature. Just like storing 2FA codes in 1Password, it’s no longer 2FA if both factors are stored together.
Update (2022-02-04): Glenn Fleishman:
Thus, to switch from whatever you’re using now to Apple’s system, you’ll have to disable and re-enable two-factor authentication for each site or, if the site supports it, regenerate the seeding secret.
What if you want to try Apple’s system but maintain whatever app you’re using now? In that case, after you disable and re-enable two-factor authentication, you can scan the QR code or enter the setup key manually in multiple systems, one after another. Just add the QR code to Apple’s system, and then, while it remains onscreen, scan it with Authy or 1Password or whatever.
Apple has now implemented importing and exporting via CSV, including the 2FA codes, so at least you can make a local backup.
I would like to try importing a 1P CSV into Passwords, but I’m paranoid, and docs are scant. Would it overwrite any existing passwords? Is there a conflict dialog if there are dupes? What can I expect from the experience?
- We won’t overwrite existing creds.
- There is a conflicts dialog at the end.
- Importing something that’s exactly already there isn’t a conflict. Just silent success.
1 Comment
Why would I ever want my 2FA codes in my password manager? If my master password ever got out, the attacker would have access to everything.