What are the 2FA options?

#1

I’m looking for some good 2FA apps for my Android. At the moment I’m using YubiKeys and I’m not a huge fan. Has anyone had experience with Duo, Authy, Aegis, or the one built into Bitwarden?

1 Like
(blacklight447) #2

These are some open source ones that you can use from F-Droid: Aegis Authenticator, FreeOTP+, and andOTP.

3 Likes
#3

I do like the look of Aegis, just slightly worried that it might not be secure; also it seems like a very new app.

#4

+1 for andOTP here. Works great, and has many options.

1 Like
#5

I’ve used andOTP, which is great, but am trying out Aegis as it is cleaner, and well, read this:

4 Likes
#6

Thanks for the link. Rather eye-opening.

1 Like
#7

+1 thanks for that link!

I found Authy when still running Windows and without a smartphone; it worked well from desktop. Will definitely test Aegis for phone, but for now I’m satisfied with Bitwarden and OnlyKey (both of which handle 2FA, TOTP, etc.).

1 Like
(blacklight447) #8

Btw, KeepassXC also supports TOTP 2FA on desktop.

1 Like
#9

What is it you find annoying with YubiKeys?

I just installed one of the TOTP plugins available for KeePass, and what a minefield that seems…

To begin with, the commands that were supposed to be added to the menus came in double. The wiki “help” is ambiguous; it makes clear you need to know obscure technical details about the implementation of 2FA by the site you’re trying to protect, and it comes with many warnings that using that plugin is dangerous and might lock you out of your accounts.

Thank you very much. Uninstalled.

1 Like
#10

Woah…

I sadly have to admit that the part about the crypto of andOTP being pretty bad is true. This is partially due to the fact that I had absolutely no clue about cryptography and very little coding experience when I forked it.

Says the andOTP developer… that app which is praised to high heavens on so many security and privacy forums…

That proves a point I’ve been making here and there: 2FA by app is not a mature technology.

Security is hard to get right. Having a developer of a cryptographic application candidly admitting he had no clue about cryptography (or coding!) when he first “developed” it…

It also proves something else: plenty of people will say a program is terrific, and the one to use for privacy, just because it’s open source. At that point, “open source” is just a synonym for “abides by our religion”, “belongs to our sect, therefore nice”, etc.

3 Likes
#11

Cheers for KeePass!!

(blacklight447) #12

Not KeePass, KeePassXC, a fork which supports it out of the box, no plugins needed. Also, 2FA by app is certainly mature, but just because we have a lot of people who don’t know what they are talking about parroting the same bullshit advice doesn’t mean it’s good advice. This, for example, is why people still think that a VPN makes you anonymous, and that you should buy Purism products.

2 Likes
#13

Actually KeePassXC is the one I have - so even better!

1 Like
#14

Yubikeys goes Steamworks bye bye, always on DRM. (Couldn’t resist.)

(Tari R. Alfaro) #15

Currently I recommend AndOTP because it’s stable, and it has worked for me. However I don’t use device credentials because it’s buggy for me, not sure why. It got corrupted. Unfortunately I cannot guarantee the security of any Android applications due to my lack of knowledge in Java, Kotlin, etc.

However, Aegis Authenticator looks like it has a lot of potential. But I had issues importing my AndOTP backup. It didn’t work. When Aegis Authenticator becomes stable I’m definitely switching to it as my daily driver.

I guess you’ll just have to trust the developers if you don’t know. Cryptography is hard to get right, even if you’re using libraries like Libsodium. Things are getting better though.

I wouldn’t say that Aegis Authenticator is less or more secure than AndOTP. But the developers behind the application seem to be addressing problems that were present with AndOTP, and from the Reddit link it appears that the AndOTP developer doesn’t have much time to work on the project.

Overall, I don’t think that these applications are bad choices. But do keep an eye out.

3 Likes
#16

So is the only problem people here have with YubiKeys that they’re closed source? Is there something else I’m not aware of?

I really enjoy my Yubikey.

1 Like
#17

OnlyKey is open source and supports U2F, Yubico OTP, Google’s TOTP and has “plausible deniability”. Fairly new product with a still very engaged and responsive dev team, although I think the forums were on Google or some such silly place :confused:

Anyways, I got one last month and like it much more than the YubiKey 5 NFC I got my old lady a couple of days later (and on her request, so that made me very happy to buy her one! lol)

1 Like
#18

It isn’t as compatible with services as I hoped, and the app, as far as I can tell, doesn’t have a backup option, so if I lose either the phone or the key then it’s pretty annoying. I will continue to use the key for services that support it well, but I’m looking to find a different 2FA app with a backup option.

#19

Backup of hardware keys is dead simple: you must have several. Just like a door key.

That’s one of the reasons I say 2FA by software is not mature, whereas 2FA by hardware is the future. Anyone can understand it: put the key into the lock (sorry, the USB port), or bring it close to your phone, and the lock (sorry, your account) opens.

Keep your key in your pocket. Have one, or several, spare ones, in a safe place.

In the meanwhile, since we’re mainly stuck with 2FA by app, Authy is recommended because it has an embedded backup mechanism (although it takes some thinking to master; it’s not dead simple, but no 2FA app is dead simple).

The principle of Authy backup is simple, though: you simply store your secrets on several devices. So, if one is broken or lost (typically, your phone), the other (typically, but not limited to, your desktop) will allow you to regain access.

Bear in mind I have no direct experience of 2FA. I’m still on the edge. I just learned by reading.
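An added example, not from any poster in this thread, of what a TOTP "backup" actually is: the shared secret plus the site-chosen parameters (hash, digits, period) that #9 calls obscure details. The code below parses a constructed otpauth:// enrollment URI and generates RFC 6238 codes from it; any device holding the same URI produces the same code for the same instant, which is all the multi-device backup described above amounts to.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Added example (not code from the thread or from any app named in it).
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Pull the secret and site-chosen parameters out of an otpauth://totp/ URI.
    Missing parameters fall back to the de facto defaults: SHA1, 6 digits, 30 s."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HOTP over the number of `period`-second steps since the epoch."""
    # Base32 secrets are usually shown without '=' padding; restore it to decode.
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // period)
    digest = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_for(uri, at=None):
    """Current code for an enrolled account. Two copies of the same URI (the
    "backup") yield identical codes for the same instant."""
    p = parse_otpauth(uri)
    at = time.time() if at is None else at
    return totp(p["secret"], at, p["algorithm"], p["digits"], p["period"])


# Constructed sample enrollment URI using the RFC 6238 test secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
```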

#20

Could you elaborate, please? I don’t understand.