What are the 2FA options?

Currently I recommend AndOTP because it’s stable, and it has worked for me. However, I don’t use device credentials because it’s buggy for me; not sure why. It got corrupted. Unfortunately I cannot guarantee the security of any Android applications due to my lack of knowledge in Java, Kotlin, etc.

However, Aegis Authenticator looks like it has a lot of potential. But I had issues importing my AndOTP backup. It didn’t work. When Aegis Authenticator becomes stable I’m definitely switching to it as my daily driver.

I guess you’ll just have to trust the developers if you don’t know. Cryptography is hard to get right, even if you’re using libraries like Libsodium. Things are getting better though.

I wouldn’t say that Aegis Authenticator is less or more secure than AndOTP. But the developers behind the application seem to be addressing problems that were present with AndOTP, and from the Reddit link it appears that the AndOTP developer doesn’t have much time to work on the project.

Overall, I don’t think that these applications are bad choices. But do keep an eye out.

3 Likes

So is the only problem people here have with Yubikeys because it’s closed source? Is there something else I’m not aware of.

I really enjoy my Yubikey.

1 Like

OnlyKey is open source and supports U2F, Yubico OTP, Google’s TOTP and has “plausible deniability”. Fairly new product with a still very engaged and responsive dev team, although I think the forums were on Google or some such silly place :confused:

Anyways, I got one last month and like it much more than the YubiKey 5 NFC I got my old lady a couple of days later (and on her request, so that made me very happy to buy her one! lol)

1 Like

It isn’t as compatible with services as I hoped, and the app, as far as I can tell, doesn’t have a backup option, so if I lose either the phone or the key then it’s pretty annoying. I will continue to use the key for services that support it well, but I’m looking to find a different 2FA app with a backup option.

Backup of hardware keys is dead simple: you must have several. Just like a door key.

That’s one of the reasons I say 2FA by software is not mature, whereas 2FA by hardware is the future. Anyone can understand: put the key into the lock (sorry, the USB port), or bring it close to your phone, and the lock (sorry, your account) opens.

Keep your key in your pocket. Have one, or several, spare ones, in a safe place.

In the meanwhile, since we’re mainly stuck with 2FA by app, Authy is recommended because it has an embedded backup mechanism (although it takes some thinking to master; it’s not dead simple, but no 2FA app is dead simple).

The principle of Authy backup is simple, though: you simply store your secrets on several devices. So, if one is broken or lost (typically, your phone), the other (typically, but not limited to, your desktop) will allow you to regain access.

Bear in mind I have no direct experience of 2FA. I’m still on the edge. I just learned by reading.

1 Like

Could you elaborate, please? I don’t understand.

I use andOTP on my phone and OTPClient on PC (Linux), which has an option to import the database from andOTP. So even if I lost my phone and PC, I could still access the database from my external drive (encrypted).

1 Like

I used to use AndOTP, it generally worked but the UX was subpar and it lacked certain quality of life features.

I recently switched to Aegis Authenticator and I highly recommend it. It looks better, it is easier to use, offers better account management features and allows biometric (fingerprint) fallback/authentication.

One issue with Aegis is that you have to sync the configuration manually with Syncthing, but since I already use Syncthing, this wasn’t a huge hassle.

2 Likes

If you store your OATH-TOTP secret key and password together in the same database, then you don’t get two factors but one.

3 Likes

There are a number of security benefits to using TOTP (regardless of where you store the secrets, in a password manager or otherwise) compared to not using it at all.

  1. TOTP secrets are unguessable. Unlike passwords, whose strength is determined by the user, TOTP secrets are determined by the server and if implemented correctly are long random strings that cannot be obtained through guesswork (brute forcing, etc).
  2. TOTP secrets are never transmitted during authentication. Even if there is a sophisticated MITM on your network that is able to intercept HTTPS traffic, TOTP secrets are never transmitted across the network after you originally receive them.
  3. TOTP secrets are unique. You’ll get a new one for each site you visit no matter what, whereas with typical password use most users end up reusing the same passwords. If you’re using a password manager correctly this is less of a big deal, however.

So it depends on your threat model. In theory storing your TOTP passwords in your password manager decreases your security a bit, because now an attacker only needs to compromise your password manager. But if you make that difficult enough it isn’t really an issue.

Two-factor isn’t as important for security as it’s cracked up to be, I’d go as far as to say it’s the least important benefit that TOTP gives users. The benefits of TOTP are significant even if you don’t store them in a separate location.

1 Like

KeePassXC TOTP best, I manage my own TOTP

I never mentioned you should store everything on one machine.
I, for example, have a small laptop from which I removed the network card, and put my TOTP database on it.

Should I use KeePassXC and KeePassDX for 2FA instead of Aegis? KeePassDX is already recommended. But Aegis is more convenient.

I use both. On the phone, it’s easier for me to use Aegis, but I have a .kdbx database for 2FA also (another one, not the same one as the passwords).
There is also a nice OTP client for Linux
https://github.com/paolostivanin/OTPClient
and for Windows
https://www.microsoft.com/en-us/p/otp-manager/9nblggh6hngn?activetab=pivot:overviewtab#

1 Like

What do you guys think about Authenticator? It’s an extension for Firefox, Chrome and Edge and it’s open source.

Looks nice, but I personally don’t like to keep important things in my browser (extensions). E.g. I do have the Bitwarden extension (with auto-lock), but that one I use for less important accounts (like for the PTIO forum :d ).

1 Like

I’m kinda SOL because I don’t have a mobile, so this seems to be my only option. Or maybe I can set up a different keepass database for only TOTP? Or use Aegis with an emulator?

See above

All OATH-TOTP tools basically do the same: They store a secret that is used to derive short-lived one-time passwords. So the actual tool shouldn’t matter. It is important that you store the secrets in a secure place, though.

Alternatively, you can use WebAuthn or U2F for some websites, which results in enhanced security as this doesn’t rely on a shared secret that the website and you know.
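The two posts above (the list of TOTP properties and the point that every OATH-TOTP tool just stores a secret and derives short-lived codes from it) describe one algorithm, RFC 4226 HOTP with a time-based counter (RFC 6238). The block below is an added example written for this thread; it is not code from AndOTP, Aegis, OTPClient, KeePassXC or any other app mentioned here. It implements the derivation, decodes the `otpauth://` provisioning URI that the apps import from a QR code, and shows the server-side check with a small skew window and replay rejection. The `otpauth://` URI and the `JBSWY3DPEHPK3PXP` secret are constructed sample input, and the 20-byte ASCII secret with its 8-digit codes comes from the published RFC 6238 test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: derivation, otpauth URI decoding, server-side verify.

Added example for the thread above; not the code of any authenticator app discussed.
Only the Python standard library is used.
"""
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP is HOTP whose counter is floor(unix_time / step); nothing else changes."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Provisioning secrets are unpadded Base32 (often with spaces or lowercase); normalise them."""
    cleaned = text.replace(" ", "")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8), casefold=True)


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/ URI as embedded in the QR codes the apps import."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": decode_base32_secret(query["secret"]),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algorithm: str = "sha1"):
    """Server-side check. Returns the matched counter (persist it as last_counter) or None.

    window=1 tolerates one step of clock skew either way. Any counter at or below
    last_counter is refused, so a code that was already accepted (or sniffed from a
    phishing page) cannot be replayed while it is still inside the window.
    """
    now = unix_time // step
    matched = None
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits, algorithm)
        # compare_digest keeps timing independent of how many leading digits agree
        if hmac.compare_digest(expected, code) and matched is None:
            matched = counter
    return matched


# Constructed sample provisioning URI (the kind of thing the apps scan from a QR code).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")

# 20-byte ASCII secret used by the RFC 6238 test vectors (SHA-1, 8 digits, 30 s step).
RFC6238_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk through enrolment, code generation and verification; returns what it computed."""
    account = parse_otpauth(SAMPLE_URI)
    t = 1_700_000_000                                  # fixed time so the run is reproducible
    code = totp(account["secret"], t, account["period"], account["digits"], account["algorithm"])
    first = verify_totp(account["secret"], code, t + 20)            # accepted, 20 s later
    replay = verify_totp(account["secret"], code, t + 25, last_counter=first)
    return {"code": code, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
    print("RFC 6238 vector, t=59:", totp(RFC6238_SECRET, 59, digits=8))
```

Note what is and is not on the wire: `verify_totp` needs the shared secret on the server, but only the six-digit `code` ever travels, which is the "never transmitted" property from the list above. It is also why the secret and the password in one database collapse to a single factor: whoever reads that file can run `totp()` themselves.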

I would love to know if anybody has done any tests on the reliability of the backup systems of these apps.
I don’t remember which one it was; however, I lost access to a couple of important sites when one of the aforementioned apps’ backup system did not work after I had factory reset my phone.

The easiest of all these to use would definitely be the one built into Bitwarden.
As for concerns about a single point of compromise, these are indeed factors to take into consideration, depending on your threat model.
What I would do in your situation is to set it up in Bitwarden and secure Bitwarden with a YubiKey.
And set up Bitwarden so that each time you unlock the database it needs the master password + the key from pressing the YubiKey in your PC and/or using its NFC to auth it on your phone.

Hereby you are also creating additional two-factor security.