Comments
bnjns: I've been using it for quite a few years now and it's a godsend. I always used to forget to get backup codes or turn off 2FA for at least one account before resetting or setting up a new phone, and it was such a pain setting them all up again (I have like 20 accounts with 2FA). Authy just makes the whole process so painless. Couldn't imagine going back.
C0D4: @bnjns it's the whole resync between devices that caught my eye, or hell, just having the peace of mind that I can recover them when a bad iOS update occurs needing a restore; there's nothing like going through the 15 odd accounts and setting things up again.
endor: I really don't like the fact that they demand your phone number to set everything up. It's supposed to be a TOTP generator, not a fucking messaging app.
Then I found Aegis Authenticator, and I fell in love (seriously, look it up on F-Droid!).
Features:
- you save all your 2FA codes in an easily exportable database
- you can encrypt your db with AES when storing it
- you can encrypt it when exporting it, too (and you can see how it's encrypted, because it's basically a plaintext file)
- it even supports standards not supported by GAuth, such as SHA-256 and SHA-512, as well as custom refresh times
- you can see the TOTP secret and manually change it
- you can customize each entry, filter them by groups, and much more
- holy shit I did not think such a perfect app existed
- seriously, why the fuck does Authy still exist even, this thing is gold
- (sometimes the camera acts a bit weird, but whatever, it works)
C0D4: @endor you had me until it's Android only, I think that's why Authy still exists 🙃
Yea, adding my phone number didn't make much sense though.
endor: @C0D4 ah, yes, iOS... oops, I completely forgot about that xD
Not sure in that case, I'm really not familiar with the Apple side of things. But I think there should at least exist one or two open source variants that don't require weird permissions/accounts/data to function?
C0D4: @Jilano I thought about that, but I'd rather not have my 2FA keys anywhere near a password manager.
The whole "all your eggs in the same basket" issue arises there.
I could probably build something to encrypt / decrypt and keep the keys local. I did get the TOTP algo working last year, so I could build on that as a backup process in a local tool potentially.
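The TOTP generator the posts above talk about (endor's point about SHA-256/SHA-512 and custom refresh times, and C0D4's "Totp algo" for a local backup tool) is small enough to show in full. This is an added example, not code from any commenter or from Aegis/Authy; it implements RFC 4226/6238 with selectable hash, digit count and period, plus a skew-tolerant, constant-time verifier. The secrets below are the RFC 6238 test-vector secrets, not anything from this thread.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secrets (constructed from the RFC's test vectors, not from this thread).
SECRETS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890" * 6 + b"1234",
}


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, period: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of whole periods since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period, digits, algo)


def verify(secret: bytes, code: str, at=None, period: int = 30, digits: int = 6,
           algo: str = "sha1", window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock skew).

    Every candidate is compared with compare_digest and no early return is taken,
    so timing does not reveal which step (if any) matched.
    """
    now = int(time.time()) if at is None else at
    step = now // period
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, step + delta, digits, algo), code)
    return ok


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret found in otpauth:// URIs (padding is usually omitted)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    for algo, secret in SECRETS.items():
        print(algo, totp(secret, at=59, digits=8, algo=algo))
```

Run stand-alone it prints the RFC 6238 codes for T=59 with each hash; a phone app that "supports SHA-512 and custom refresh times" is doing nothing more than changing `algo` and `period`.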
C0D4: @Jilano sadly these are only generators, they don't have an export / sync capability, which is my biggest issue.
But reasonable suggestions for anyone not wanting to use Google's Authenticator.
bnjns: @endor yeah, the whole needing your phone number is a bit odd, but I guess their rationale is it's an easy account identifier as you'll be installing it on your phone? Much like WhatsApp. But I would rather some other arbitrary way to ID my account.
Tbh, I've pretty much resigned myself to everyone knowing my phone number, which is why I give these my secondary, "non personal" one.
C0D4: @Jilano oh hold on.
This would work across device restore though, as it's saved to iCloud.
Actually... reading into how it actually works, that's not as good as it sounds when you get apps like Facebook / WhatsApp...
Quote:
https://developer.apple.com/documen...
In iOS, apps have access to a single keychain (which logically encompasses the iCloud keychain). This keychain is automatically unlocked when the user unlocks the device and then locked when the device is locked. An app can access only its own keychain items, or those shared with a group to which the app belongs. It can't manage the keychain container itself.
C0D4: @Jilano guess it makes sense as some apps run in the background and may need to retrieve data to work, but yea, somewhat glad iOS has the sandbox model in place at times 🙃
#theMoreIKnowTheScarierThingsGet
Ok, keychain may not be the best place for these keys 😕
Okay with its features, but for security related stuff I always follow the rule of open source: security related software should be publicly verifiable to be able to consider it secure.
And the phone number thing is a fucking no-go for a simple 2FA app.
@linuxxx Why not phone number? I have a data only SIM that has a number. You can get them anonymously everywhere. I think having a number adds a layer of security and peace of mind if you forget your authentication. I dunno, I love Authy, I love the Windows and Android apps... it fuckin just works.
endor: @Jilano @intromatt @bnjns It's not even "They know who you are", it's "Phone numbers are not a secure method of authentication".
How exactly is having my phone number going to make the app secure? Is it using SMS to send/receive authentication codes when setting up the device? If so, fuck that: SMS is NOT secure, and should never be used as a trusted and reliable source for configuration data. Anyone could fake it and gain access to your stuff.
For anything else: why not use a simple email-based login instead? Requiring a phone number as a mandatory form of authentication seems sketchy at best.
Original rant:
Question time:
What's the general opinion around here on Authy for 2FA?
I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes which is nothing but a royal pain in the ass to get access back to all the accounts setup.
Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂
Tags: question, hey look it's not a rant, thoughts and opinions, 2fa, authy, any good, o