I would really hate to send my KYC documents to Authy if requested, so they could sell them on the black market or to a third party.
Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.
If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track:
- Your phone number, device information, and email address.
- If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
- We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
- We do not sell your personal information.
- We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
- Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, your primary device type, and other device related information relevant to identifying unusual or suspicious activity, but they will not see any other websites or programs for which you use Authy.
- We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
- Your information will be transferred to the U.S.
I would also like to recall that just five years ago, a user reported on r/bitcoin[2] that if you had the multi-device setting ON, Authy wouldn't protect you in case a hacker gained access to your number (spoofing probably):
BY DEFAULT Authy allows any mobile device with access to the phone number associated to the Authy account to download and access the private keys for that account.
Even Coinbase published a blog entry advising users to disable this feature as soon as possible:
(...)Once you’ve installed Authy, we recommend disabling the Multi-device option. This means nobody can add a new Authy app to your account. (...)
Although this finding was quickly "fixed" - Authy applied a rule that, by default, would set that option to OFF to prevent abuses down the line.
By now you've probably noticed that I always prefer to use open sourced applications whenever possible and this is one of the reasons why - anyone can actually look into the code, inspect it to see if it does what it claims it does and it can be freely audited by whoever feels the need to do it. Authy is like a "black hole in a container" - as most closed source apps are - in the sense that we don't know what kind of information they are actually communicating and we will actually never know. And considering the goal of it - maintaining access to critical services of mine - I would much prefer to have that information in an application that I know is fully transparent with "me".
Closing note: If you would like to also have a 2FA application that would also provide you with password management services, look no further than Bitwarden - an open source application that can be self-hosted on your own device[4][5] allowing you to be the "holder" of any information that you so desire to keep in it.
[1] https://www.twilio.com/legal/privacy/authy
[2] https://libreddit.spike.codes/r/Bitcoin/comments/6eugqd/authy_by_default_will_not_protect_you_if_a_hacker/
[3] https://blog.coinbase.com/how-to-increase-your-coinbase-account-security-4b7164926631
[4] https://github.com/bitwarden/server
[5] https://bitwarden.com/help/install-on-premise-linux/