How to transfer TOTP profiles from Authy to a Token2 hardware token
Authy remains one of the most popular TOTP applications used for 2FA due to its user-friendly features, such as centralized backup. As this feature is based on phone numbers (Authy uses your mobile phone number to identify or reset your account), which may be vulnerable to SIM-swap attacks, some users may want to migrate from Authy to hardware tokens. Alternatively, users may need to clone or back up their existing TOTP profiles to hardware tokens.
In this guide, we will show how you can transfer the accounts from Authy to a hardware token. You can use this both for backing up your TOTP profiles and for transferring them completely to a hardware token.
A special tool is required to export the profiles from Authy into files in formats that can be uploaded or burnt to Token2 hardware tokens.
Requirements
You will need the following to perform the migration:
- An Authy account and an installed and activated Authy app
- One of the versions of Token2 Authy Migration Toolset (available as a Go script, or a compiled portable application)
- A Token2 hardware token, multi- or single-profile (with a single-profile hardware token you will need one token per TOTP profile exported from Google Authenticator)
- A device capable of running one of the hardware token provisioning tools (NFC Burner or USB-Config tool)
Step 1. Configure your Authy Account
The Go script gets enrolled to your Authy account as an additional device. Therefore, you should allow multi-device. To do so, open your Authy app, go to Devices and then enable "Allow Multi-device".
Our script reads your profiles from the backup stored on Authy's servers. Therefore, make sure you have enabled the backup functionality. This is done by going to "Accounts" and then enabling the "Authenticator Backups" option.
Step 2. Generate export files using Authy migration toolset
Launch one of the versions of Authy Migration Toolset. In this guide, we will use the portable app version in GUI mode, but the process is similar for the other versions as well.
Launch the script/app and specify the export filename. You should use either .txt or .html extension for your files:
- .html (HTML): This will generate the list of TOTP profiles containing the seeds in QR format as well as in base32 text. Use this format if you plan to transfer profiles to Token2 hardware tokens using the NFC Burner app, or to other TOTP apps.
- .txt (Molto-2 import file): Use this format if you plan to transfer all profiles to a Token2 Molto-2 hardware token.
For this guide, we will use html format as an example.
If this is the first time you use the app, it will ask you to register this app as a virtual device in your Authy account. This is done by providing your phone number and allowing the connection in your main Authy app (or any Authy app you are currently logged in to). To register, provide your phone number details first as shown below:
After you provide the correct phone number, the Authy app on your mobile device will ask you to authorize a new device called 'Unknown'. See what it looks like in the iPhone app below:
After the device registration is done, provide the backup password as shown below and press enter:
If you see no errors after 'TOTP profile migration file is being generated' message, the file has been created successfully. This file will be used to provision the tokens in the next step.
Step 3. Provisioning Token2 hardware token
The files generated in the previous step can be used to provision Token2 hardware tokens. With Molto-2 import files, it is as easy as specifying the file path and clicking the 'bulk import' button in the Molto-2 USB-Config tool. For all other use cases (burning Token2 hardware tokens via NFC or transferring to alternative TOTP apps) the html format has to be used. The process is reviewed below.
Open the html file generated by the migration toolset. It lists the exported TOTP profiles one by one and each profile is presented in the following format:
- profile title, including the account name and issuer
- QR code (this will be used to provision the hardware tokens in our example)
- Text version of the seed in base32 format
We will use Token2 NFC Burner app for Android to illustrate the process. The process is similar when using apps on the other platforms.
Install Token2 NFC Burner app on your Android device if you have not already done so. Make sure the correct app is installed - there is a separate app for each category of the devices. You can use this page to find which app is needed for your device (choose your model and the platform, you will get the app guides or links on the right column). The Android app we will be using for this example, for miniOTP-2 model, is this one.
Open the Token2 Burner app on your mobile device and click the button to scan a QR code, or manually enter the authentication key (base32 format is to be used). To scan the code, point your device's camera at the QR code of the corresponding TOTP profile in the html file.
Once the seed field has been filled, touch the "Burn seed" button, then turn the hardware token on and touch the top of the device. The process completion (or any errors) will be shown in the 'Results' area.
Repeat the process for other TOTP profiles listed in the html file, if needed.
Download the Authy migration toolset
The toolset is available in the following versions:
- Open Source Go script, both for Linux and Windows
  Authy Migration toolset project on Github
- A portable app for Windows (a compiled version of the same Go script)
  Download Authy Migration toolset portable app
FAQ
Q: How secure is the process?
The process itself contains 2 different parts - exporting from Authy and importing to our burner apps. The exporting is done directly from Authy's servers via secure channels. The traffic goes directly between your computer and Authy's servers, no other host is involved in the process.
From our side, we also ensured the security is at the highest level. You can also use the open-source version of the tool, which is less user-friendly, but the code can be easily verified for security.
Q: Why are there 2 versions of the toolset?
Both are based on the same Go script. The compiled desktop app was provided only to simplify the process for those that are not able to install Go and its additional components on their machines.
Q: Why can't all Authy accounts be migrated?
Authy-hosted accounts use a non-standard combination of 7-digit OTPs and a 10/20-second time offset. This combination is not supported by our hardware tokens.
Q: Can I use this toolset to migrate from Authy to another app?
Yes, absolutely. If you specify a .html file as the export format, the toolset will generate standard TOTP provisioning QR codes that you can use with any TOTP tool, so you can migrate from Authy to Google Authenticator or from Authy to Microsoft Authenticator, from Authy to Duo etc.
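A check you can run on an exported profile before burning it, added here as an example and not part of the Token2 toolset. It assumes the QR codes in the .html export decode to otpauth://totp/ URIs (the usual TOTP provisioning format); the function name Code and the sample URI are constructed. It returns the current code for the seed and flags the 7-digit, 10/20-second combination described in the previous answer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Code parses an otpauth://totp/ URI (assumed QR payload) and returns the RFC 6238 HMAC-SHA1
// code at the given Unix time, plus whether it is a 7-digit, 10/20-second (Authy-hosted) profile.
func Code(uri string, unix int64) (code string, authyHosted bool, err error) {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme != "otpauth" || u.Host != "totp" {
		return "", false, fmt.Errorf("not an otpauth://totp URI")
	}
	q := u.Query()
	seed := strings.ToUpper(strings.TrimRight(strings.ReplaceAll(q.Get("secret"), " ", ""), "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(seed)
	if err != nil || len(key) == 0 {
		return "", false, fmt.Errorf("seed is not valid base32")
	}
	digits, period := 6, 30 // defaults when the URI omits or garbles them
	if v, e := strconv.Atoi(q.Get("digits")); e == nil {
		digits = v
	}
	if v, e := strconv.Atoi(q.Get("period")); e == nil {
		period = v
	}
	if digits < 6 || digits > 8 || period <= 0 {
		return "", false, fmt.Errorf("unsupported digits/period")
	}
	msg := binary.BigEndian.AppendUint64(nil, uint64(unix/int64(period))) // time-step counter
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := []uint32{1e6, 1e7, 1e8}[digits-6]
	return fmt.Sprintf("%0*d", digits, bin%mod), digits == 7 && (period == 10 || period == 20), nil
}

func main() { // constructed sample: RFC 6238 test seed, not a real account
	fmt.Println(Code("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=7&period=10", 59))
}
```

Compare the result with the code the Authy app shows for the same account at that moment. The export file holds the seeds in readable form, so delete it once the tokens are provisioned.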