GitHub is slowly rolling in 2FA. Any good open source apps that will enable me to activate 2FA token on android?
If proprietary app is better and more robust I am willing to try it and assess it myself.
138
Comments72View original on szmer.info
If proprietary app is better and more robust I am willing to try it and assess it myself.
Aegis authenticator. Beats all proprietary apps I've tried so far
I'm leaving links here in case anyone needs them
It supports importing data from various 2FA apps and even allows you to generate Steamguard codes.
Steamguard? Since when? That's awesome!
I honestly don't know. I set it up with steamguard-cli few months ago and it's working like a charm.
Nothing to worry about when doing that? I'd love to have Valve support 3rd party 2FA apps officially, but oh well
Yep, it works perfectly
Bitwarden has it too, but eggs in one basket etc.
One of those apps that just does its job, does it well and I never have to worry about it
This is the best option. Love the app. But always remember to keep a backup of your tokens.
There is also ente.io authenticator app. It is available on fdroid. I think it supoorts cloud synchronisation as well.
Aegis
aegis
Aegis on mobile and keepassxc on desktop.
What's the difference between keepassxc and the regular keepass?
KeepassXC is multiplatform. (Also: KeepassDX is quite nice as an an Android app for Keepass databases.)
I wouldn't put my 2FA in password storage. Just in case
Authenticator Pro
I've used it for years for numerous phones. it's the best. Link for the lazy
https://apt.izzysoft.de/fdroid/index/apk/me.jmh.authenticatorpro
Or https://authenticatorpro.jmh.me/
Yes! I moved from aegis to it and it is much better imo.
Better way to select groups. Nicer looks, more customization.
Thank you for the information. I am using Aegis and will not move away from it – I have no reason to. I am completely content with the features it provides. However, I want to look at Authenticator Pro to see how it works, what features it brings and in general, how good the application is. If I like what I see, I will be able to provide an alternative to Aegis when I suggest a TOTP application for someone. I hope Authenticator Pro is great, so I can recommend it with confidence.
That's how I started too. I used Aegis for almost two years. Then I found out about Authenticator Pro and decided to give it a try. The nice thing is that it can import an Aegis export file, so it's easy to get started. Give it a try and see if you like it.
WearOS support!
I love that you can back it up with a file... thatway i can put it somewhere safe and can recover my logins after my phone breaks
This! I don't even have to pick up my phone... I just check the code on my smartwatch. Awesome!
I'd suggest the following
The really important step is to make sure to export and backup your 2FA codes in a safe place.
You don't want to be left in the mud because you lost or wiped your phone that contains the only method to get into your important accounts.
For me FreeOTP+ on fdroid is all I need. Its simple and just works.
BitWarden.
I don't think that it's safe to leave both authentication factors in a single app.
It depends on your risk profile, but yes, it's less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.
With the risk of getting locked out if all your devices get logged out of Bitwarden! 🙈
To clarify, you'd want to enable 2fa for Bitwarden and store the token for that in a different authenticator app - that way you can still log in to Bitwarden without already needing to be logged in
This. It's not two factor if both factors are stored together lol
Why not? If you enable 2fa, chance that you'll save the recovery/emergency code in your password manager anyway (I don't think people would really write them down on a piece of paper and put them in their safe). Why use a separate authenticator app if your password manager can handle it all?
You're absolutely right about this and I need to find a solution.
What if you get logged out from Bitwarden on all the devices? How can you get back in Bitwarden if you have 2FA enabled on that service? (And I hope that you do!)
Believe it or not, I save my bitwarden 2FA on bitwarden too! I also save it on google authenticator, so I have it on two places. The reason I save it on bitwarden is to prevent losing access to the token if I lost my phone, because bitwarden allow you to unlock the vault without OPT on a know device/computer (it only ask for OTP when you login from a new device). So as long as I have one device with bitwarden, I should still be able to unlock the vault and re-login on a new phone using 2FA token from bitwarden on the other device. If I lost all my devices, then I'll have to dig the recovery code I hid and encrypted somewhere on my google account and my primary desktop, which is quite a pain so I hope I don't need to do this.
Beware that for important bug/problem/I don't know, you could be logged out from all your devices for security reason and in that case you can login only with 2FA even on devices where you were already logged in. Keep in mind that Aegis can create encrypted backups, but you'll have to upload them somewhere and I understand that with Bitwarden is easier.
Well, as long as I don't lose the phone with Google authenticator, I should still be able to login to bitwarden without digging out the recovery code.
Aegis
FreeOTP+ from fdroid is what I'm using.
Me as well!
I personally use KeePassXC (KeePassDX on android), it can have TOTP code generation for 2FA for any service. And since it's a password manager, it's secured by a master password.
Aegis is my favorite.
aegis is great, but 2fas has Google Drive sync and a browser extension.
lack of sync is a dealbreaker for me.
Aegis, FreeOTP
I recommend one of the FOSS apps in fdroid for this, don't use a proprietary one from Google Play (like the Google Authenticator).
Mauth
I use Yubico Authenticator with my Yubikey (NFC and USB) and Vivokey Authenticator - which is a straight fork of the Yubico Authenticator - with my Vivokey Apex implant.
I actually try to use authenticator apps as little as possible. Having to unlock your phone and open the app each time is too much hassle.
Instead I have four Yubikeys, not security keys, that I store my OTP 2FA codes on. One for personal codes, one for work codes, and the other two as backups for the first two. The backups protect me from hardware failure, the keys being stolen, or lost. One downside of the backup plan is having to scan the QR code twice, once per Yubikey.
Each Yubikey can store 32 OTP codes on the smart card part of the Yubikey. The 32 code limitation is why I have personal and work codes on separate keys. I did run into this limit.
This isn't the cheapest solution. In addition you could argue it also isn't the most secure, but that depends on the attack vector and circumstance.
With this setup I can use the Yubico Authenticator desktop to copy and paste the codes into the browser. While mobile I can use the mobile form of the same app. Also all my Yubikeys have NFC, so I can use that method if I want instead of just USB.
As mentioned in a different comment I highly recommend not storing 2FA codes in password managers like Bitwarden. It creates an all eggs one basket problem, which is exactly what 2FA codes are trying to avoid.
And having to use two USB keys and double code scanning isn't? I'm glad your system works for you, but it sounds like a pain in the but to me lol.
I have to use the work one multiples time a day on weekdays. I use the personal one maybe once a week.
andOTP is the only app I know of that's on F-Droid and has a feature to make an encrypted backup to a file.
Unfortunately it hasn't been updated in awhilee, but I dont think there's an alternative.
I see aegis supports automatic backups. I don't see it explicitly saying 'encrypted' backups though I too use andOTP but didn't realize it's not regularly maintained. I may check out aegis as it does support import from andOTP
Followup. Aegis does support encrypted backup. I had to do an unencrypted backup in andOTP so Aegis could import. Easy stuff
Edit: automatic backup doesn't encrypt? Or I am having trouble setting up
The official GitHub app. Yes, it's not universal for other sites, but you get 2FA and a much more pleasant browsing experience.
For a universal solution, give Aegis a try.
https://github.com/ente-io/auth
KeepassDX already has TOTP
I really like 2FAS, open source, looks and feel polished, no complaints
Aegis seems to be the winner in this thread. Does anyone have experience with Tofu Authenticator for iOS?
Does anyone have any suggestion for iOS? Raivo seems to fallen from grace recently.
What’s wrong with Raivo?
It's recently been bought by a generic mobile app development company. This thread has more discussion on the topic.
I'm just migrating away from github because of this. Sr.ht is looking promising.
Why would you not want to use 2FA?
Most likely because of the "2" in "2FA"
I know it is an unpopular opinion, but it is a huge headache in general. I don't think the theoretical benefits (which make total sense) actually pay off in reality and are worth the extra headache. I'm not saying they should not have it at all, but it should be at least opt-out instead of forced.
In the case of github, I think it is part of their long drawn out plan of data collection and proprietary lock down. Next they are going to require your house address and government ID. I feel better using an free and open source platform anyway.
How exactly could a site collect more of your data through 2fa?
Well, if you use a password manager such as bitwarden you can store your 2FA one ctrl-v away. Even if this is a less secure setup, that still prevents someone eavesdropping on your password from reusing it.
Unless you clear cookies constantly, you need to login just once in a while, where is this huge headache? Password get stolen, 2FA protect you from that.
Where does this even come from, passwords are increasingly insecure and adding another factor, especially authenticator codes, doesn't even require you to give up a single new piece of personal information. The entire thing is just adding a local code that your program of choice remembers and uses to generate the one-time password. No data collection, no proprietary software. Other areas might be doing bad shit for all I know, but this change is entirely a forced security measure because people are too bad at passwords.
After seing the frequent attempted logins on my Microsoft account, I'm "just" a lucky guess away from losing it if I do not have another thing blocking access.
When it comes to proprietary apps Authy is nice, it offers synchronisation between devices, but yeah, it involves cloud (someone's computer) and you need to give them your phone number, so that's for privacy, in the end you might as well use Google authenticator, it syncs between devices to, it's about who you trust more
For people down voting, please share your reasons for it. If there's something wrong with the product, sharing that info would be helpful.
I've used Authy for years now without issue. Seems it's not a popular option anymore.
Is there something I should know about? Or are other options much better now?