0

Let's say I have a personal and work account on a website and use them strictly on separate devices and ISP. If I have connected 2FA for both accounts to a single 2FA app's account, say Authy for example, does the website have any chances of finding that both the accounts are connected to me, explicitly through the 2FA app?

P.S.: There is no particular website involved here, just wondering if that would be possible before I consider using a 2FA app.

pras92
  • 81
  • 1
  • 3
  • 9
  • To make the scenario even more clear, imagine using single Authy account installed in my android, and that is connected to two Twitter accounts. Can Twitter find out both the twitter accounts are linked to one person, just because both gets 2FA codes from same Authy account from my android? – pras92 May 17 '22 at 20:54
  • While you mentioned the website is unaware of Authy, that was never my question. Additionally, your opening statement assumed if I had two authenticators while I was pretty clear in my question that it involved a "single 2FA app's account". Which is why I went ahead with a clarifying comment. And I checked with this (https://meta.stackexchange.com/a/305291/1195901) to see if this question is on-topic, before asking. – pras92 May 17 '22 at 21:41

1 Answers1

1

Let's say I have a personal and work account on a website and use them strictly on separate devices and ISP. If I have connected 2FA for both accounts to a single 2FA app's account, say Authy for example, does the website have any chances of finding that both the accounts are connected to me, explicitly through the 2FA app?

The website is completely unaware of the fact you are generating the 2FA with Authy or anything about the device that generated the 2FA code.

To make the scenario even more clear, imagine using single Authy account installed in my android, and that is connected to two Twitter accounts. Can Twitter find out both the twitter accounts are linked to one person, just because both gets 2FA codes from same Authy account from my android?

If you have two authenticators, tied to the same Authy account, then they are completely separate from one another. The website is completely and totally unaware you are actually using Authy to handle the codes. You can even install Authy on as many devices as you want.

I believe you are mistaking the terms authenticators and accounts, when it comes to 2FA, which was the cause of confusion.

Nope; That absolutely is false. Any website that offers 2FA authentication is unable to detect how you generate the 2FA code use to authenticate your account. I wasn’t actually confused.

Additionally, your opening statement assumed if I had two authenticators while I was pretty clear in my question that it involved a "single 2FA app's account". Which is why I went ahead with a clarifying comment.

Except you actually have two separate authenticators, they are just linked, to the same Authy account. I have 20 different Google Authenticators, synchronized across (Google Authenticators, Microsoft Authenticators, Last Pass, and Authy) on multiple devices.

My assumption is that each [website name here] account, would have their own Google Authenticator, linked to the same Authy account. You can replace “Google Authenticator” with any 2FA authenticator that the website (and Authy) in question supports.

Ramhound
  • 41,734
  • 35
  • 103
  • 130
  • I believe you are mistaking the terms authenticators and accounts, when it comes to 2FA, which was the cause of confusion. Here, Authy would be the authenticator and accounts would refer the webstite's account. That aside, I'll take your answer as confirmation to my question. Thanks. – pras92 May 17 '22 at 21:56
  • //Except you actually have two separate authenticators// My point was that, they're termed as accounts, even by Authy itself. In the Authy app, if one wants to add a new website, they would have to choose "Add Account". – pras92 May 22 '22 at 02:15
  • Why do you keep repeating the same statement in all your comments and edits to your answer? I myself use Authy for multiple accounts on same website, which is why I asked this question! I never contended your claim that websites will get no info about an user's Authenticator app. Remember I had said this in my first comment and also accepted your answer. Yet you keep repeating the same redundant response for my points on your terminology. Kindly avoid responding to this if you don't have anything new to add. Thanks. – pras92 May 23 '22 at 20:08
  • @pras92 - You also indicated that you thought I misunderstood your question. I don't care if my answer is accepted, I only care if my answer is accurate, and written in such a way it answers your question. – Ramhound May 23 '22 at 21:22