One more step to unhitching from Google…

Right now the only option I see in F-Droid is Aegis.

I’m not sure what to actually look for aside from checking for unexpected permissions and reasonably frequent updates.

Hopefully something I can sync with a GNOME app…

  • @Jayjader@jlai.lu · 0 points · 6 months ago

    I use pass for my passwords, and it has an OTP extension that I’ve been using more and more. I used to use Aegis, but I have needed to switch phones one too many times without having access to the previous phone to be comfortable with phones for 2FA.

    Of course, this isn’t as secure as a truly separate OTP solution, but it’s still better than no OTP/2FA. And I can easily enough back up and restore my 2fa access over the internet, even on a new computer (albeit I need to also backup a PGP key that can decrypt the password store to truly be portable).

    • @erock@lemmy.ml · 0 points · 6 months ago

      This is what I do. If someone can figure out pass with my password-protected GPG, plus my passwords are partials (I salt them), and OTP, then they can have my access.

      • @Jayjader@jlai.lu · 0 points · 6 months ago

        plus my passwords are partials (I salt them)

        I’m curious how you make that work: do you just remember the salts, store them separately, or what? I have like 50-70 passwords in my store currently; there’s no way I’m remembering a (true random) salt for each one.

        • @erock@lemmy.ml · 0 points · 6 months ago

          My salt is just a memorized password I put in addition to the one stored in pass.

  • slazer2au · 0 points · 6 months ago

    Authenticator and Authenticator.

    Damn those innovative tech companies, what will they think of next.

    • Synestine · 0 points · 6 months ago

      Same here. If it’s TOTP-based 2FA, you can keep them in entries and use them from there.

      • Lucy :3 · 0 points · 6 months ago (edited)

        Tbh, if you’re using the same DB for PWs, you’ve successfully downgraded to 1FA now. Except maybe if you use a separate KeyStick/Yubikey as secret bearer or smth.

        • @hikaru755@lemmy.world · 0 points · 6 months ago

          More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn’t compromise full access to your password database, which is still a lot better than using just passwords without a second factor.

          • @example@reddthat.com · 0 points · 6 months ago

            That’s like calling strong randomly generated passwords 1.5FA.

            With proper MFA, even if you steal my password (database), you won’t be able to steal my account, as you’re missing the second factor. With classic OTP this is just a single-use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.

            Password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they’re not extracted live. Password managers with auto-fill and phishing-resistant MFA can prevent phishing, although the password manager variant is still easily bypassed when the user isn’t paying enough attention, as it’s not even that uncommon for login domains to change. Obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.

            • @hikaru755@lemmy.world · 0 points · 6 months ago

              even if you steal my password (database)

              That’s a big leap you’re doing there, equating stealing a password to stealing a password database. Those are very different. Stealing a password can be done through regular phishing, or a host of other methods that don’t require targeted effort. Stealing a password database, if properly set up, is a lot harder than that. It depends of course on what password manager you’re using, but it usually involves multiple factors itself. So equating that to just a password, no matter how strong and random, is just misleading.

              Mind you, I agree that it’s less secure than “proper” MFA, and I’m not saying that everybody should just use MFA through a PW manager. I am using physical security keys myself. But for a lot of regular people that otherwise just couldn’t be bothered, it’s absolutely a viable alternative that makes them a whole lot safer for comparatively little effort. Telling them they just shouldn’t bother at all is just going to create more victims. There is no such thing as perfect security, and everyone has a different risk profile.

        • nover6 · 0 points · 6 months ago

          I would say it still counts as 2FA, just shifting what is verifying you to your password manager and using the site password and 2FA as a way to verify the password manager with the site. If set up right, they would have to have the database and your password to decrypt it, not just one or the other, and for password managers that sync the database it should require your password and 2FA to sync to a new device, so it can’t just be freely grabbed. If that doesn’t count as 2FA, then I would like to see an argument about how Okta signing you into sites counts as 2FA, as it is basically the same thing.

  • Redex · 0 points · 6 months ago (edited)

    I personally use Ente Auth and quite like it; I don’t use syncing and save an encrypted copy to my PC. I really like that you can see what the next code will be.

  • Max · 0 points · 6 months ago

    I use Bitwarden and Stratum, since it has a Wear OS app as well and it’s nice to use that for 2FA codes.

  • @zingo@sh.itjust.works · 0 points · 6 months ago

    Aegis.

    I like the auto backup feature (encrypted). Then the backup is synced to the computer via Syncthing.

    Set and forget setup.

  • John Colagioia · 0 points · 6 months ago

    I primarily use GNOME Authenticator, but after an inopportune crash, I now also run 2FAuth on my home server as a backup, and now just hope that I remember to do the export/import dance going forward.

    • @ikidd@lemmy.world · 0 points · 6 months ago

      Yah, I can’t see a point to have another app/extension when Bitwarden has it built in, and it’s a great password manager.

      • Lka1988 · 0 points · 6 months ago

        The point of 2FA is “something you have” and “something you know” to enter a secured system.

        If you put both of those into one system that is accessible by one password, the whole concept is defeated.

        • @ikidd@lemmy.world · 0 points · 6 months ago

          My threat model isn’t having someone take my computer and log into stuff, so my concern when using 2FA is more about them having gotten hold of a password remotely. But a TOTP makes that password pretty hard to use, no matter where it’s stored. And my BW is also protected by a Yubi/password combo, so I guess I’m just vulnerable to having that beaten out of me.

          • Lka1988 · 0 points · 6 months ago

            The other issue with this: if you lose access to that one system, you’re SOL. It’s a single point of failure.

        • @ikidd@lemmy.world · 0 points · 6 months ago

          Right under Password in the edit screen of an item: Authenticator Key. You put in the auth key the target site provides you when you enable TOTP, and it will start generating timed tokens. Usually you’ll also get a one-time pad of backup keys; I usually toss those in the Notes of the edit screen there as well, in case something goes wrong.

  • @solrize@lemmy.ml · 0 points · 6 months ago (edited)

    I’m currently using FreeOTP from F-Droid. Aegis seemed to have way too much extra crap. You don’t want to sync multiple 2FA applications together, since the idea of the 2nd factor is it’s only in one place. Even being able to back it up is sort of contra, but if you have to, make sure the backup is well safeguarded.

    The basic TOTP algorithm is quite easy to implement, FWIW. A dozen or so lines of Python.
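As an added worked example (not code from any poster in this thread, nor from FreeOTP, Aegis or any other app named here), this is the RFC 6238 TOTP algorithm that solrize says is a dozen lines of Python, written with only the standard library: RFC 4226 HOTP with its dynamic truncation, TOTP as HOTP over the 30-second time step, base32 decoding of the seed an authenticator app stores, parsing of the otpauth:// URI that an enrolment QR code carries, and a constant-time server-side verifier with a small clock-skew window. The seed is the RFC's own published test secret; the account label in the URI is constructed for the example. Running it also makes concrete the point raised upthread about stolen seeds: whoever holds the seed bytes, whether from the app, its backup, or a password manager's Authenticator Key field, can generate valid codes for every future time step, which is why a backup of the seed deserves the same protection as the seed itself.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, timestamp // period, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Apps display/store the seed as unpadded base32 (often with spaces); restore padding and decode."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&... URI (the QR code payload) into its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI lacks a secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def verify_totp(secret: bytes, code: str, timestamp: int, period: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1) -> bool:
    """Verifier side: accept the current step and `window` steps either side, compared in constant time."""
    for step in range(-window, window + 1):
        candidate = totp(secret, timestamp + step * period, period, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed enrolment URI: the secret is the RFC 4226/6238 test seed b"12345678901234567890"
# in base32; the label and issuer are made up for this example.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def codes_from_seed(secret: bytes, start: int, steps: int, period: int = 30) -> list:
    """Every code the seed will produce for the next `steps` time steps: what a leaked seed hands over."""
    return [totp(secret, start + i * period, period) for i in range(steps)]


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(entry["label"], "current code:", totp(entry["secret"], now, entry["period"], entry["digits"]))
    print("next five codes from the same seed:", codes_from_seed(entry["secret"], now, 5))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1, 8 digits) give `94287082` at T=59 and `07081804` at T=1111111109, so anyone checking a reimplementation has fixed answers to compare against. The verifier accepts a code from one step earlier or later to tolerate clock drift; widening that window, or reusing the seed across several apps, only increases what an attacker with one copy of it can do.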