personal website of Dan Catchpole.

Authy on 2FA and Heartbleed

Reading up on some more information regarding the Heartbleed bug, it seems that two-factor authentication, while it limits the damage a stolen password can do, is itself exposed to Heartbleed. The secret seeds used to generate one-time passwords in the common TOTP/HOTP schemes live in the memory of the server that verifies the codes, and an attacker reading that memory through the bug could obtain a seed and generate valid codes for as long as it stays in use. Authy's post on the subject explains:

What does it mean for other services?

Given the severity of the issue, it is very important that you rotate all of your Two-Factor Authentication seeds.

However, to do this for sites which aren’t powered by Authy’s Two Factor Authentication, you’ll have to manually go through each of the websites for which you have an Authenticator token, revoke the current secret seed and then generate a new one. Unfortunately not all sites allow you to do this, so you might have to contact them to find out how to revoke your current secret seed.

If you are a site administrator, we encourage you to revoke the current seeds and request users re-enroll their Two-Factor Authentication on their next login.

The aftermath of the Heartbleed bug is going to stick around for quite a while, it seems. If you're using two-factor authentication on sites like Facebook or Tumblr, I'd highly recommend disabling and re-enabling it, since re-enrolling generates a new secret seed and the old one, whether or not it was actually leaked, stops working. Do this after the site has patched OpenSSL and replaced its certificate, though: a seed generated while the server is still vulnerable can be read out of memory just like the old one.

© 2010,