
GordonS

I switched to Aegis recently, and I did it for only 2 reasons:

1) I prefer to use OSS when possible

2) Aegis supports import/export/backup - so if I get a new phone, I don't have to spend days setting up my dozens of accounts again! This also means I can set up the same OTPs in both Keepass and my phone, so I can always get into my accounts.

I'm really liking it. It does the same job as the Google and Microsoft Authenticator apps, but import/export/backup means it's more usable.

dexterdog

I just keep a copy of all QR codes in a safe place. When I need to move to a new device I just install andOTP and scan them all on the new device. I don't like my keys to be protected by only a password somewhere. I prefer to add physical protection to them. If they are accessible from my computer then it's not really 2FA.

Rygian

I can import/export with Google authenticator (via QR codes).

GordonS

IIRC, it didn't used to give you any control over import/export, and only supported using an opaque Google storage option. Has that changed?

Aegis gives me the actual seed, full control of the data so I can do with it as I please.

rootext

You can import/export to Google Authenticator only, and you must have two phones. You cannot back up QR codes because screenshots are forbidden for security reasons. You cannot migrate to another application.

Rygian

I just took a pic of the QR codes with my webcam and stored that in KeePass.

cbsmith

Tends not to work too well in the scenario where you drop your phone into the ocean.

openplatypus

Keep away from oceans.

Rygian

Normally one does their backups before they are necessary.

virtualritz

The killer feature for me is a way to quickly access tokens in my (cloud-side, encrypted) vault from a desktop (or web) app in case of emergency.

It's not clear to me if Aegis allows this somehow?

The other day I broke my phone. I was traveling and needed to do some 2FA level changes to a GH repo asap.

I didn't even know there was an Authy desktop app until then. It saved my ass, literally.

commoner

Aegis has two automatic encrypted backup options.

The first lets you back up your data to any folder on your device or to any storage provider (e.g. Nextcloud and other cloud storage providers) linked to your device. Turn this on at Settings > Backups > Automatically back up the vault. The storage provider's app needs to be installed. Changes are saved to the backup location automatically.

The second uses the OS's built-in backup feature. For Android devices with Google Play Services, the backup is saved on Google Drive. Some other Android distributions such as LineageOS use Seedvault, which can save the backup to any WebDAV provider or an external USB drive. This option is at Settings > Backups > Participate in Android's backup system.

Either or both options can be used in Aegis.

pluc

Yubikeys store everything on the key. I can lose my phone and use your phone to see my 2FA codes. It's honestly one of the only ways MFA makes sense - otherwise you lock yourself out of your entire digital life when you lose your phone and need to rely on storing your backup codes (which opens up a storage security wormhole).

It's also a lot easier to wear around your neck.

SoftTalker

So you've moved the worry from losing/breaking your phone to losing/breaking your YubiKey?

hospadar

I keep a second key as backup for this reason, which honestly is overkill and I only do because I got a second one for free at a conference. Easier solution (which I also use in case I someday need the second one only to discover that the blue smoke leaked out) is to just print out the TOTP secrets and keep them somewhere. I'm usually printing out recovery codes when I get a new TOTP secret so this has never felt like a big deal.

Also easy enough to maintain a keepass[xc] vault for totp secrets, you could keep a separate one from your passwords if you were feeling paranoid. Great support on mobile and desktop for using a keepass db as a TOTP source - and easy to sync with dropbox/email/ssh/your web server/whatever

pluc

Sure. I have a backup key but yes, you can't get MFA without adding a device that you may lose; whether that's your phone or a key. Like I said I prefer a key because I can't put my phone on a chain around my neck or on my keychain.

dathinab

Who says you only have one, or no other backup?

Anyway, I wouldn't buy a Yubikey for TOTP. OTP sucks. Sure, it's better than no 2FA, and TOTP is better than SMS OTP, but still it's not great.

WebAuthn-like auth can provide all the benefits of TOTP while being way more secure and in some cases even not convenient.

The main drawback is how to backup your 2FA which makes it less of a choice for a "casual" user.

openplatypus

The only downside is limited space on Yubikey.

I am currently carrying 2 tokens :(

pgalvin

Up to 32, for those reading who (like me) didn’t know about this limitation.

https://support.yubico.com/hc/en-us/articles/4404456942738-F...

eitland

My Yubikey always loses its credentials. (If anyone else knows about it and has a fix, I'm all ears.)

I guess I need a new one, but what I want to say is don't rely on a single Yubikey or even two. Do have backups.

zmxz

Which model do you own and how does the loss manifest?

The single-tap and long-tap don't produce expected output? Can you share more info on it?

I own many Yubikeys (due to research I was doing in 2017) and I had many Yubikeys to play with, for TOTP/HOTP/U2F purposes, even using them to unlock Windows, and I haven't had a case of a Yubikey basically deprogramming itself. I washed them in the washing machine, ran them over with my car, threw them in mud piles and they always worked without a fault, so your case is a surprising one.

Judging by what you wrote, unless there's some weird NFC communication going on between your phone and Yubikey (are they in proximity?), I'd say it's faulty and you need a new one.

rsync

"I didn't even know there was an Authy desktop app until then. It saved my ass, literally."

That's a really unexpected outcome - can you provide any details?

virtualritz

> [...] can you provide any details ?

I installed Authy desktop, logged in and it retrieved my tokens from the cloud. Not anything else to it.

BenjiWiebe

Pretty sure they're referring to the word 'literally'. Especially since it's by itself after a comma, looks like there's emphasis on it.

That word changes the meaning of the phrase in front of it quite a bit.

alexbakker

Aegis is fully offline and doesn't have an official desktop application. You could of course create an export of your Aegis vault and import it in a third-party desktop application, like GNOME's Authenticator or OTPClient.

tlaundal

This is what I do. Two "live" authenticators with my phone and laptop and a secure offsite backup.

I don't add new keys particularly often, so it isn't that big of a hassle to manually sync the authenticators.

remram

What app do you use on the laptop?

hnews_account_1

I can’t believe this is a tech forum. The answer is simple. 2FA has a url. All you have to do is store the url in your password manager. Then you can import it into any new app at a moment’s notice (as long as you have access to the vault) and generate a 2fa code.

In fact, KeePassium on iOS works on this concept. I use it as my primary otp url storage app and then put limited stuff into aegis on my android tablet for anything I may need there. If a keepass based app with an otp generator (like KeePassium) existed for android, I wouldn’t even need that.

Helmut10001

AEGIS has this killer feature, with the encrypted database, which I could sync to my local Nextcloud instance. Otherwise, losing the phone would always mean losing all your OTPs. Aegis is a direct (better) replacement for Google Authenticator.

traceroute66

Don't know if it exists for Android, but for iPhone users there is OTP Auth, which can make encrypted backups to a destination of your choice.

aceazzameen

Bitwarden can store and then copy/paste TOTPs. I'm not sure if it's the best security practice to have your password and TOTP key saved together like that. But I tend to use it for sites that I don't consider critical. I then use Google Authenticator for everything else. I might try Aegis next time I get a new phone though.

acdha

I’ve been migrating away from TOTP since it’s so easily phished but my current approach is to use Yubikeys with their app:

https://www.yubico.com/products/yubico-authenticator/

That avoids keeping the seeds somewhere a general attack could get (and requiring a tap complicates attacks) and works across all of my devices. The main drawback is that there isn’t an easy way to install a seed on multiple keys when first enrolling.

psanford

If you are using the yubico-authenticator app then you are using TOTP, just with the seeds stored on your yubikey. This is still vulnerable to phishing.

I hope what you meant to say is that you are switching to using WebAuthn with your yubikey on all sites that support it, and then using your yubikey for TOTP on sites that don't support WebAuthn yet. WebAuthn is the thing that gives you actual protection against phishing.

acdha

Yes, that's exactly what I meant: I use the same Yubikeys for authentication, but fail back to TOTP when sites don't support something secure.


Semaphor

I use webauthn where ever available, but considering how rare that is, I might start using this.

How well does it work on mobile? Totp via app, tap the nfc key to the phone?

And what does "no easy way" mean, how involved is that process? I’d prefer to have the keys on all 3 (or 4, not sure if the security key allows TOTP) sticks.

RockRobotRock

Yes, on mobile you either plug the YubiKey into your device's USB-C (or Lightning) port, or tap the YubiKey to your phone. The TOTP secrets live on the YubiKey and can't be extracted. You can only read out the current code. I believe you can also secure your YubiKey with a password so it must be entered to see the codes.

If you wish to have the same TOTPs on multiple YubiKeys, you are recommended to take a screenshot of the QR code you're given at the beginning (which contains the secret key), and manually add it to all the backup keys you prefer, and then securely erase the screenshot.

further reading: https://support.yubico.com/hc/en-us/articles/360013789259-Us...

smeej

It's worth noting that if you install Yubico Authenticator on another device and use the same key, you do have access to the codes, because as you said, they're stored on the key.

I initially thought the codes were stored on my phone and the key was only required for access, but that's not the case.

That's either a benefit or a drawback, depending on your threat model, but it's definitely something people should understand.

croes

What happens if the Yubikey gets damaged?

acdha

Yes - on my desktops and laptops, I use USB. For my phones, I use the same keys with NFC. Basically you start the app, tap the key next to the phone, and then copy/paste the code. It means that my daily two factor needs are handled by the Yubikey I keep on my badge lanyard for both modern and legacy sites.

"No easy way" basically means that you either have to save the seed and repeat the setup process for your backup key or enroll two separate devices if allowed. It feels like the authenticator app could have a useful addition where it'd automate that for you if you have two keys present.

stoplying1

"Password Store" ('pass' compatible) for Android also supports TOTP tokens and GPG encryption.

With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about, fully in my control password and TOTP storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.

yewenjie

I was happily using andOTP, but it seems like it has been unmaintained since June - https://github.com/andOTP/andOTP.

I wish F-Droid or Play Store had a feature like GitHub's 'Archived' to inform users.

kevinfiol

I'm still using andOTP and I prefer it over Aegis. Are there any reasons to stop using it if it still works? What kind of security vulnerability can affect it? Honest questions.

yellowapple

I'm wondering the same thing. It also looks like while Aegis is actively developed on GitHub, that hasn't materialized into a new release on the Play Store or F-Droid in 7 months.

alexbakker

You're right, it's been a while, but we actually issued a beta release for 2.1 today!

22c

Also a happy andOTP user. Initially I thought you were being impatient because no updates for a few months isn't necessarily bad, but I see that the project itself has been updated to reflect that it is not being maintained by its creator. Thanks for the heads up.

Looking at Aegis, it appears to support importing from andOTP.

Lucent

Just keep TOTP in your password manager at this point. Whatever security is lost by it not being a "true second factor" is made up for by not having to recover or restore backups due to a lost or stolen phone.

arepublicadoceu

I would argue that the most important account to have TOTP enabled IS your password manager. So, if you already have a TOTP app to generate codes for your Password Manager why not consolidate it?

Besides, if you don't have a physical and digital backup of your TOTP seeds, you really like to live dangerously.

unethical_ban

The one place I intentionally don't have TOTP is my password manager.

There is a base case somewhere in a backup strategy where TOTP is not feasible. The base case for me is "Keepass file backed up to multiple locations and my master key written down in an envelope in my house in case I hit my head".

Why would I lock my passwords away behind a TOTP that can get lost? My TOTP in Authy is protected by a long random key. Where do I store the key? In my password manager.

You can't use a password manager and TOTP to back each other up.

arepublicadoceu

I realise now that I was not clear in my post. Using TOTP or a second factor is useful for those heathens that insist on using cloud-based services for a password manager (I'm one). Not for local keepass/pass synced by syncthing/rsync/ssh etc.

I treat my kdbx as a single password encrypted backup of my bitwarden vault on my computer and external hard-drive.

I care much less about second factor if it's something offline on my computer than something accessible by a web interface to anyone in the world.

atriix

Well, my password manager doesn't have an account to begin with, and neither does my TOTP manager. And depending on the risk assessment for a given site/account, letting the password manager do some double duty as TOTP manager as a convenience is fine, especially if the alternative outcome would be to not enable TOTP due to the annoyance.

howinteresting

2fa for your password manager is good, but that doesn't have to be TOTP. That can just as well be something like the 1password secret key (something you have).

plumeria

I think that's the idea behind using a key file and a password in KeepassXC.

andrewaylett

I use Bitwarden for TOTP, because I have become convinced that it still provides a true second factor even if both the password and the TOTP seed are in the same entry in my password manager.

This is because every access to Bitwarden requires two factors: a device I've already logged in with, and either the passphrase or a biometric unlock. Bootstrapping a new device requires the passphrase and a token.

unethical_ban

If you have a TOTP app that allows exports, I agree.

If the individual site allows backup codes, I agree.

But you first need an app that hosts your TOTP that has exportable secrets.

theandrewbailey

A password database file is sort-of a second factor (something you have).

Semaphor

Restoring backups is extremely easy, though.

wingmanjd

I didn't know Aegis supported the Nextcloud backup target! I was hacking my way around on earlier versions of Android using Solid Explorer's connection to my Nextcloud, but that stopped working somewhere along the way.

Reconnected via the Storage Access Framework and backups are syncing!

Thank you, alexbakker

725686

Who makes this? How do I know it is trustworthy? I know it's supposed to be open source, but when you install from the app store you don't really know what you are installing. I trust Twilio's Authy a tad more than a random app with a nice home page.

commoner

Authy has a questionable privacy policy:

> When you use our app we collect: Your phone number, device information, and email address.

> When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if your account is compromised or may be compromised.

> We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.

> Your information will be transferred to the U.S.

> Your personal information may be transferred to the United States, and possibly other countries where we or our service providers operate.

> In addition, we may share your information with third parties as follows: Compliance with Laws. We may disclose your personal information to a third party if (i) we reasonably believe that disclosure is compelled by applicable law, regulation, legal process or a government request (including to meet national security or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose personal information to assist in preventing a death or serious bodily injury.

> Business transfers. If we go through a corporate sale, merger, reorganization, dissolution or similar event, personal information we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. Any acquirer or successor may continue to use the personal information as described in this notice.

https://www.twilio.com/legal/privacy/authy

I would trust Aegis over Authy any day. As you can see from the source code, Aegis does not expose users to these privacy risks. Even though Aegis has automatic encrypted backup features, Aegis itself does not request the internet access permission.

remram

Unfortunately I didn't manage to set up Aegis with SendGrid, so I have to have Authy just for SendGrid (both belong to Twilio).

commoner

SendGrid does not support the TOTP standard (or any authenticator apps other than Authy), because as you mention, SendGrid and Authy are both owned by Twilio:

https://docs.sendgrid.com/ui/account-and-settings/two-factor...

For anyone shopping for an email provider, this would be one reason to choose a provider other than SendGrid.

jayknight

It is also available on f-droid, and they compile the apps themselves instead of distributing compiled apps. So if you trust f-droid, you know it is the same as the open source code.

neilv

You need parties you trust auditing all the code and each change, before you run it.

commoner

F-Droid does check code for privacy violations before accepting it. Any potential privacy violations are labeled as "anti-features" and apps that don't meet F-Droid's inclusion criteria are rejected:

https://f-droid.org/docs/Inclusion_Policy/

Aegis Authenticator passed F-Droid's checks. It has no anti-features:

https://f-droid.org/en/packages/com.beemdevelopment.aegis/

Aegis doesn't even request the internet permission. Compare that with Authy, which logs users' IP addresses, login activity, phone numbers, and email addresses, and states that users' data and personal information will be shared with third parties for any reason Authy wants to:

https://www.twilio.com/legal/privacy/authy

Twilio has had 2 data breaches this year, and the second one involved Authy. Since Authy does not use end-to-end encryption, hackers were able to obtain 2FA credentials from any Authy account, and they compromised the accounts of 93 Authy users:

https://techcrunch.com/2022/08/26/twilio-breach-authy/

On top of that, Authy is closed source and its code has never been audited, not even by F-Droid. There is no way to use Authy without sending your personal information to a service that states it will not promise to keep it private.

There is no good reason to trust Authy over Aegis.

rpigab

It has the name of a very powerful shield from Greek mythology, so it will protect you.

vzaliva

Before considering switching to it, I would love to see a more detailed feature comparison to `andOTP`, which I am presently using. From what I can see it is encryption at rest, which andOTP may or may not do, and scheduled backup. andOTP does manual backup. Anything else?

ajvs

andOTP isn't really being maintained anymore, which is why I switched recently.

voidee

FYI: For iOS users looking for alternatives to Google Authenticator or Authy, I highly recommend the open source Raivo. https://raivo-otp.com/

Recently moved all of my TOTPs to it. Encrypted iCloud sync and local backup if desired.

bede

Thanks for this. I'm currently using both Duo and Microsoft Authenticator, and the lack of firm reassurance about the backup mechanisms in each of these makes me uneasy. I'd frankly prefer a vault with a model similar to BitWarden's, where I can export my private keys.

ajyey

Love raivo. Wish there was an automated backup solution though

branon

Recently had a hard time exporting 20+ OTP secrets from Google Authenticator.

I believe I discovered a bug in the app: if you long press a secret > edit > leave an empty string as the comment, and then export a QR code containing this secret, your other device will fail to import ("QR code cannot be interpreted.").

I've only seen this happen with secrets where the comment is put in parentheses and appended to the regular, immutable name of the secret. There's another type of secret where the entire name can be edited, this I did not test. But if you try the import/export flow on a secret whose name contains `()` I bet you'll hit the bug.

I briefly tried Aegis, but you must have Aegis + Authenticator installed and be root, or you can exfiltrate Authenticator's database file from private storage, which, as best as I can tell, also requires root. Shouldn't have gone with Authenticator at all, I've learned.

It seems optimal to simply retain the original secret (QR code or whichever medium) you are given when 2FA is initially enabled.

Later found this equivalent: https://mattscodecave.com/posts/how-to-move-from-google-auth...

alexbakker

There's a third option to switch from Google Authenticator to Aegis. You can simply scan those export QR codes of Google Authenticator with Aegis.

chinathrow

Wouldn't that need a second device since one can't screenshot Google Authenticator?

password4321

Or take a picture of the phone screen, say with a webcam.

alexbakker

Correct.

branon

Nice. You know I hadn't once bothered to click the "big plus button" UI element. I headed straight for the "three dots" UI element > Settings > Import/Export submenu, every time. Joke's on me for not exploring Aegis's interface more fully ;)

nanomonkey

You can securely store and generate TOTP tokens in emacs: https://www.masteringemacs.org/article/securely-generating-t...

Since I have emacs on everything, including my phone, it's not a bad solution for my purposes.

pkulak

Of course you can.


Aegis Authenticator – Secure 2FA App for Android - Hacker News