thanks for the link. Rather eye opening.
+1 thanks for that link!
I found Authy when still running Windows and without a smart phone; it worked well from the desktop. Will definitely test Aegis for phone, but for now I’m satisfied with Bitwarden and OnlyKey (both of which handle 2FA, TOTP, etc.).
Btw, KeepassXC also supports TOTP 2FA on desktop.
What is it you find annoying with Yubikeys?
I just installed one of the TOTP plugins available for KeePass, and what a minefield that seems…
To begin with, the commands that were supposed to be added to the menus came in double. The Wiki “help” is ambiguous, it makes clear you need to know obscure technical details about the implementation of 2FA by the site you’re trying to protect, and it comes with many warnings that using that plugin is dangerous and might lock you out of your accounts.
Thank you very much. Uninstalled.
Woah…
I sadly have to admit that the part about the crypto of andOTP being pretty bad is true. This is partially due to the fact that I had absolutely no clue about cryptography and very little coding experience when I forked it.
Says the andOTP developer… that app which is praised to high heavens on so many security and privacy forums…
That proves a point I’ve been making here and there: 2FA by app is not a mature technology.
Security is hard to get right. Having a developer of a cryptographic application candidly admitting he had no clue about cryptography (or coding!) when he first “developed” it…
It also proves something else: plenty of people will say a program is terrific, and the one to use for privacy, just because it’s open source. At that point, “open source” is just a synonym for “abides by our religion”, “belongs to our sect, therefore nice”, etc.
Cheers for KeePass!!
Not KeePass, KeePassXC, a fork which supports it out of the box, no plugins needed. Also, 2FA by app is certainly mature, but just because we have a lot of people who don’t know what they are talking about parroting the same bullshit advice doesn’t mean it’s good advice. This, for example, is why people still think that a VPN makes you anonymous and that you should buy Purism products.
Actually KeePassXC is the one I have - so even better!
Yubikeys goes Steamworks bye bye, always on DRM. (Couldn’t resist.)
Currently I recommend AndOTP because it’s stable, and it has worked for me. However I don’t use device credentials because it’s buggy for me, not sure why. It got corrupted. Unfortunately I cannot guarantee the security of any Android applications due to my lack of knowledge in Java, Kotlin, etc.
However, Aegis Authenticator looks like it has a lot of potential. But I had issues importing my AndOTP backup. It didn’t work. When Aegis Authenticator becomes stable I’m definitely switching to it as my daily driver.
I guess you’ll just have to trust the developers if you don’t know. Cryptography is hard to get right, even if you’re using libraries like Libsodium. Things are getting better though.
I wouldn’t say that Aegis Authenticator is less or more secure than AndOTP. But the developers behind the application seem to be addressing problems that were present with AndOTP, and from the Reddit link it appears that the AndOTP developer doesn’t have much time to work on the project.
Overall, I don’t think that these applications are bad choices. But do keep an eye out.
So is the only problem people here have with Yubikeys that they’re closed source? Is there something else I’m not aware of?
I really enjoy my Yubikey.
OnlyKey is open source and supports U2F, Yubico OTP, Google’s TOTP and has “plausible deniability”. Fairly new product with a still very engaged and responsive dev team, although I think the forums were on Google or some such silly place.
Anyways, I got one last month and like it much more than the YubiKey 5 NFC I got my old lady a couple of days later (and on her request, so that made me very happy to buy her one! lol).
It isn’t as compatible with services as I hoped, and the app, as far as I can tell, doesn’t have a backup option, so if I lose either phone or key then it’s pretty annoying. I will continue to use the key for services that support it well, but I’m looking to find a different 2FA app with a backup option.
Backup of hardware keys is dead simple: you must have several. Just like a door key.
That’s one of the reasons I say 2FA by software is not mature, whereas 2FA by hardware is the future. Anyone can understand: put the key into the lock (sorry, the USB port), or bring it close to your phone, and the lock (sorry, your account) opens.
Keep your key in your pocket. Have one, or several, spare ones, in a safe place.
In the meanwhile, since we’re mainly stuck with 2FA by app, Authy is recommended because it has an embedded backup mechanism (although it takes some thinking to master; it’s not dead simple, but no 2FA app is dead simple).
The principle of Authy backup is simple, though: you simply store your secrets on several devices. So, if one is broken or lost (typically, your phone), the other (typically, but not limited to, your desktop) will allow you to regain access.
Bear in mind I have no direct experience of 2FA. I’m still on the edge. I just learned by reading.
Could you elaborate, please? I don’t understand.
I use andOTP on my phone and OTPClient on my PC (Linux), which has an option to import the database from andOTP. So even if I lost both phone and PC, I could still access the database from my external drive (encrypted).
I used to use AndOTP, it generally worked but the UX was subpar and it lacked certain quality of life features.
I recently switched to Aegis Authenticator and I highly recommend it. It looks better, it is easier to use, offers better account management features and allows biometric (fingerprint) fallback/authentication.
One issue with Aegis is that you have to sync the configuration manually with Syncthing, but since I already use Syncthing, this wasn’t a huge hassle.
If you store your OATH-TOTP secret key and password together in the same database, then you don’t get two factors but one.
There are a number of security benefits to using TOTP (regardless of where you store the secrets, in a password manager or otherwise) compared to not using it at all.
- TOTP secrets are unguessable. Unlike passwords, whose strength is determined by the user, TOTP secrets are determined by the server and, if implemented correctly, are long random strings that cannot be obtained through guesswork (brute forcing, etc.).
- TOTP secrets are never transmitted during authentication. Even if there is a sophisticated MITM on your network that is able to intercept HTTPS traffic, TOTP secrets are never transmitted across the network after you originally receive them.
- TOTP secrets are unique. You’ll get a new one for each site you visit no matter what, whereas with typical password use most users end up reusing the same passwords. If you’re using a password manager correctly this is less of a big deal, however.
So it depends on your threat model. In theory storing your TOTP passwords in your password manager decreases your security a bit, because now an attacker only needs to compromise your password manager. But if you make that difficult enough it isn’t really an issue.
Two-factor isn’t as important for security as it’s cracked up to be, I’d go as far as to say it’s the least important benefit that TOTP gives users. The benefits of TOTP are significant even if you don’t store them in a separate location.
KeePassXC TOTP best, I manage my own TOTP