Question time:
What's the general opinion around here on Authy for 2FA?

I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes which is nothing but a royal pain in the ass to get access back to all the accounts setup.

Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂

I've been using it for quite a few years now and it's a godsend. I always used to forget to get backup codes or turn off 2FA for at least one account before resetting or setting up a new phone and it was such a pain setting them all up again (I have like 20 accounts with 2FA). Authy just makes the whole process so painless. Couldn't imagine going back.

@bnjns it's the whole resync between devices that caught my eye, or hell, just having the piece of mind I can recover them when a bad iOS update occurs needing a restore, there's nothing like going through the 15 odd accounts and setting things up again.

I really don't like the fact that they demand your phone number to set everything up. It's supposed to be a TOTP generator, not a fucking messaging app.

Then I found Aegis Authenticator, and I fell in love (seriously, look it up on F-Droid!).

Features:

- you save all your 2FA codes in an easily exportable database

- you can encrypt your db with AES when storing it

- you can encrypt it when exporting it, too (and you can see how it's encrypted, because it's basically a plaintext file

- it even supports standards not supported by GAuth, such as SHA-256 and SHA-512, as well as custom refresh times

- you can see the TOTP secret and manually change it

- you can customize each entry, filter them by groups, and much more

- holy shit I did not thing such a perfect app existed

- seriously, why the fuck does Authy still exist even, this thing is gold

- (sometimes the camera acts a bit weird, but whatever, it works)

@endor you had me until it's Android only, I think that's why Authy still exists 🙃

Yea adding my phone number didn't make much sense though.

@C0D4 ah, yes, iOS... oops, I completely forgot about that xD

Not sure in that case, I'm really not familiar with the Apple side of things. But I think there should at least exist one or two open source variants that don't require weird permissions/accounts/data to function?

Authy syncs. Never an issue and I recommend it superbly.

@C0D4 I have an old SE and Authy works wonderfully.

@C0D4 I second @endor comment! I shall talk to your wife to get you an Android phone. Regarding iOS, I don't really know what exist, but I'll try to find something usable.

By the way, you could also save your TOTP entrie in a KeePass DB

@Jilano I thought about that, but I'd rather not have my 2FA keys anywhere near a password manager.

The whole, all your eggs in the same basket issue arises there.

I could probably build something to encrypt / decrypt and keep the keys local, I did get the Totp algo working last year, so could build on that as a backup process in a local tool potentially.

@C0D4 Fair enough

Well then, I found these three apps that might interest you:

- Tofu Authenticator (https://www.tofuauth.com/)

- Authenticator (https://mattrubin.me/authenticator/)

- FreeOTP (https://freeotp.github.io/)

PS: They are all open source

@Jilano sadly these are only generators, they don't have an export / sync capability which is my biggest issue.

But reasonable suggestions for anyone not wanting to use Googles Authenticator.

@endor yeah the whole needing your phone number is a bit odd, but I guess their rationale is it's an easy account identifier as you'll be installing it on your phone? Much like WhatsApp. But I would rather some other arbitrary way to ID my account.

Tbh, I've pretty much resigned myself to everyone knowing my phone number, which is why I give these my secondary, "non personal" one.

@C0D4 I read on some of them that they were storing the data in the Apple keychain thingy. So based on that, isn't there a way to import/export data from here? Is it a hassle?

@Jilano 🤭oh hold on.
This would work across device restore though as it's saved to iCloud.

Actually... reading into how it actually works, that's not as good as it sounds when you get apps like Facebook / WhatsApp...

Quote:
https://developer.apple.com/documen...

In iOS, apps have access to a single keychain (which logically encompasses the iCloud keychain). This keychain is automatically unlocked when the user unlocks the device and then locked when the device is locked. An app can access only its own keychain items, or those shared with a group to which the app belongs. It can't manage the keychain container itself.

@C0D4 Whoa! Whenever it's unlocked? Haha

@Jilano guess it makes sense as some apps run in the background and may need to retrieve data to work, but yea somewhat glad iOS has the sandbox model in place at times 🙃

#theMoreIKnowTheScarierThingsGet

Ok, keychain may not be the best place for these keys 😕

@C0D4 Most definitely! At least, now we know *shrugs*

Okay with it's features but for security related stuff I always follow the rule of open source; security related software should be publicly verifiable to be able to consider it secure.

And the phone number thing is a fucking no-go for a simple 2FA app.

@linuxxx Why not phone number. I have a data only SIM that has a number. You can get them anonymously everywhere. I think having a number adds a layer of security and piece of mind if you forget your authentication. I dunno, I love Authy, I love the Windows and Android apps....it fuckin just works.

@intromatt Because in many countries, a phone number has to be linked to your real name. Besides, it can also be traced back to where you brought it and who did (if you used a credit card).

@Jilano @intromatt @bnjns It's not even "They know who you are", it's "Phone numbers are not a secure method of authentication".

How exactly is having my phone number going to make the app secure? Is it using SMS to send/receive authentication codes when setting up the device? If so, fuck that: SMS is NOT secure, and should never be used as a trusted and reliable source for configuration data. Anyone could fake it and gain access to your stuff.

For anything else: why not use a simple email-based login instead? Requiring a phone number as a mandatory form of authentication seems sketchy at best.