Issue #17

This Authenticator App Did What?

Ahoy there, fellow Netizens! This week, let’s talk about what happened with Raivo, a popular authenticator app for iOS.

Raivo’s nasty surprise

Raivo users had a nasty surprise at the end of May. After updating the authenticator app, they found their 2FA codes had been deleted, locking them out of their online accounts.

Mobime, the company who owns Raivo, announced they found a way for users to restore their codes if they had enabled iCloud backup. Unfortunately, some users reported that this did not work for them. And users who did not have iCloud backup enabled still appear to be out of luck.

To add insult to injury, the update that deleted users’ 2FA codes also appears to have added a paywall to features that were previously free. Not a good look.

I contacted Mobime yesterday to ask if they had any comments about the Raivo situation, but have not heard back.

Raivo's fall from grace

This might make you think Raivo was a shady authenticator, but it had a great reputation in the privacy conscious community and was developed by security researcher Tijme Gommers.

However, it was controversially acquired by Mobime last year. Some users expressed concern about the acquisition because there was little information available about Mobime and the company dodged questions about its plans for the app. This episode suggests users were right to be concerned.

What can you do?

The good news is that there are steps you can take to ensure you don’t get locked out of your online accounts, even if your authenticator app deletes your 2FA codes. However, you’ll need to make sure everything is set up ahead of time.

Here’s what you can do:

1. Save your backup codes somewhere safe. Most sites will generate a set of backup codes, which are one time use codes you can use in place of your regular 2FA option, when you first turn on 2FA. These codes will save your bacon in a situation like this, so don’t ignore them!
2. Enable multiple forms of 2FA. Often, sites will allow you to enable more than one form of 2FA. For example, X (formerly Twitter) allows free users to enable both an authenticator app and security keys. If you have both options enabled, then if something goes wrong with one, you can log in with the other instead. However, be wary about enabling weaker forms of 2FA, such as SMS-based 2FA.
3. If you’re using an authenticator app, save the QR codes you scanned when setting up 2FA. If anything goes wrong, you can use a different authenticator app to scan the QR code and it will generate the 2FA codes for the linked account immediately.

Until next time, stay safe out there!