Friday, July 9, 2021

Migrating 2FA Codes From Authy to iCloud Keychain

Dan Moren:

Nice as it would be if Apple’s new system could simply import all your codes from Authy—or other apps like Google Authenticator—it doesn’t seem as though that’s an option for that at present, which isn’t entirely surprising given the security issues involved.

[…]

I found a tip that lets you easily display all of your time-based one-time password (TOTP) setup keys from Authy using the Authy Desktop app for Mac and Google Chrome.

The end result was that I spent about an hour laboriously copying each setup code into the appropriate password entry in the Safari Technology Preview’s Password section and—just to be on the safe side—logging in to each website to make sure it worked.

I’m interested in using this feature to enter 2FA codes more easily and to sync them using iCloud Keychain, but testing it out is giving me doubts:

Previously:

Update (2021-07-09): Dave Wood:

I’m surprised Apple even added this as a feature. Just like storing 2FA codes in 1Password, it’s no longer 2FA if both factors are stored together.

Update (2022-02-04): Glenn Fleishman:

Thus, to switch from whatever you’re using now to Apple’s system, you’ll have to disable and re-enable two-factor authentication for each site or, if the site supports it, regenerate the seeding secret.

What if you want to try Apple’s system but maintain whatever app you’re using now? In that case, after you disable and re-enable two-factor authentication, you can scan the QR code or enter the setup key manually in multiple systems, one after another. Just add the QR code to Apple’s system, and then, while it remains onscreen, scan it with Authy or 1Password or whatever.

Apple has now implemented importing and exporting via CSV, including the 2FA codes, so at least you can make a local backup.

Cabel Sasser:

I would like to try importing a 1P CSV into Passwords, but I’m paranoid, and docs are scant. Would it overwrite any existing passwords? Is there a conflict dialog if there are dupes? What can I expect from the experieince?

Rick Mondello:

  • We won’t overwrite existing creds.
  • There is a conflicts dialog at the end.
  • Importing something that’s exactly already there isn’t a conflict. Just silent success.

Previously:

1 Comment RSS · Twitter

Why would I ever want my 2FA codes in my password manager? If my master password ever got out, the attacker would have access to everything.

Leave a Comment