Fake Authy / Google Authenticator / Microsoft Authenticator / 1Password Authenticator / Okta Verify / Duo Mobile migration-sync lure: "Authy Desktop is shutting down, migrate your TOTP codes to our portal" / "enable Google Authenticator cloud sync" / "verify Microsoft Authenticator cross-device sync", plus a credential-harvesting link to a non-vendor host or a malicious "Authy Migrator" installer that exfiltrates TOTP seeds and backup codes. Catastrophic blast radius: TOTP seeds are the master key behind every 2FA-protected account; harvested seeds let the attacker generate valid 6-digit codes indefinitely until the victim manually rotates each. The Twilio Authy 33M-record breach (July 2024) pre-identified real Authy user emails just before the Aug 2024 desktop-app sunset. Distinct from backup-codes-solicitation-phishing (iter 1109, one-time recovery codes) and fake-password-manager-master-breach-lure (vault). Evidence: Twilio Authy sunset Aug 19 2024; Proofpoint + BleepingComputer + ITPro 2024-2026 migration-phish telemetry; Google Authenticator cloud-sync rollout 2023-2025.
fake-authy-authenticator-migration-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Authenticator-app migration credential phishing targeting the 2024-2026 2FA-sync wave. Attackers impersonate Twilio Authy (the most aggressive variant, riding the August 19 2024 desktop-app sunset), Google Authenticator (cloud-sync rollout from 2023 onward), Microsoft Authenticator (cross-device sync rollout), 1Password Authenticator, Okta Verify, Duo Mobile, and the generic "authenticator migration" shape.
The narrative weaponizes a real event: "Authy Desktop is shutting down, migrate your TOTP codes to the new portal within 48 hours" / "Enable Google Authenticator cloud sync to preserve your codes" / "Verify Microsoft Authenticator cross-device sync to keep your 2FA access" / "Your authenticator seeds must be re-enrolled on the new provider." The link drives to either (a) a credential-harvesting fake migration portal that captures TOTP seeds and backup codes, or (b) a malicious "Authy Migrator" / "Authenticator Importer" binary that exfiltrates the seed store from the victim's existing authenticator app.
Blast radius is catastrophic: TOTP seeds are the master key behind every 2FA-protected account (bank, email, broker, crypto exchange, work SSO, GitHub, domain registrar, everything the victim has 2FA on). Harvested seeds let the attacker generate valid 6-digit codes indefinitely for EVERY linked account until the victim manually rotates each. Because users going through a 2FA migration are EXPECTING exactly this kind of email ("your new provider wants to import your codes," "enable cloud sync for your codes"), skepticism is unusually low.
The victim pool was further primed by the Twilio Authy 33M-record breach disclosed in July 2024: Twilio notified 33 million Authy users that their phone numbers had been exposed via an unauthenticated API. Shortly after, Authy Desktop was sunset on August 19 2024, and migration-phishing waves spiked from Q3 2024 onward, targeting the exact breach list of pre-verified real Authy users.
Real precedents: the Twilio breach itself; Proofpoint + BleepingComputer + ITPro 2024-2026 coverage of post-sunset migration-phish campaigns; parallel Google Authenticator cloud-sync migration-phish waves through 2024-2025; the 1Password and Microsoft Authenticator cross-device-sync launches, which triggered similar impersonation.
Distinct from `backup-codes-solicitation-phishing` (iter 1109, which asks for one-time RECOVERY codes; this signal targets TOTP SEEDS, a categorically different credential with continuous code-generation capability), `fake-password-manager-master-breach-lure` (vault master password), and `fake-mobile-carrier-sim-swap-approval-lure` (SMS takeover via carrier).
Legitimate authenticator-migration emails from the real vendors come exclusively from: `authy.com`, `twilio.com`, `google.com`, `accounts.google.com`, `support.google.com`, `microsoft.com`, `microsoftonline.com`, `apple.com`, `okta.com`, `duosecurity.com`, `duo.com`, `1password.com`, `agilebits.com`. Any migration email whose sign-in / import link is hosted elsewhere is, by construction, a phish.
Defense: NEVER migrate TOTP seeds via an email link. The real migration process always happens inside the authenticator app itself (usually via a QR code shown in the app you're leaving and scanned by the app you're entering, never email-driven). If you receive a "migrate your codes" email, open the authenticator app directly and check its in-app migration flow. If your provider has truly sunset, they will publish official migration guidance on their own `.com` domain, which you can navigate to via bookmark.
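
The allowlist rule above, sketched as an added example (not Gorganizer's own code): a message is considered only when it names an authenticator brand and a migration/sync action, and the function then returns link hosts that are neither a listed vendor domain nor a dot-delimited subdomain of one. The keyword patterns, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Vendor domains copied from the allowlist on this page.
VENDOR_DOMAINS = {
    "authy.com", "twilio.com", "google.com", "accounts.google.com",
    "support.google.com", "microsoft.com", "microsoftonline.com", "apple.com",
    "okta.com", "duosecurity.com", "duo.com", "1password.com", "agilebits.com",
}
# Assumed keyword patterns; the page does not publish the real ones.
BRAND_RE = re.compile(r"authy|authenticator|1password|okta verify|duo mobile", re.I)
ACTION_RE = re.compile(
    r"migrat|cloud sync|cross-device sync|re-enroll|import your codes|"
    r"shutting down|sunset", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample message, not a real campaign artifact.
SAMPLE_SUBJECT = "Authy Desktop is shutting down"
SAMPLE_BODY = ("Migrate your TOTP codes within 48 hours: "
               "https://authy.com.portal.example/import or "
               "https://authy.com@migrate.example/start. "
               "Help: https://support.google.com/accounts")

def is_vendor_host(host):
    """True only for an exact vendor domain or a dot-delimited subdomain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def link_hosts(text):
    """Hostnames of all http(s) links; urlsplit drops any user@ prefix."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed bracketed (IPv6-style) host
            continue
        if host:
            hosts.append(host)
    return hosts

def migration_lure_hosts(subject, body):
    """Non-vendor link hosts, if the mail reads as an authenticator migration."""
    text = f"{subject}\n{body}"
    if not (BRAND_RE.search(text) and ACTION_RE.search(text)):
        return []
    return sorted({h for h in link_hosts(body) if not is_vendor_host(h)})

if __name__ == "__main__":
    print(migration_lure_hosts(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Comparing the parsed hostname on a dot boundary is what stops `authy.com.portal.example` and `authy.com@migrate.example` from passing as vendor links, which a plain substring check would allow.
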
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.