Ask HN: Recommended two-factor authenticator app for personal use?
I haven't really looked into authenticator apps before, but with the increases in SIM-jacking I think it's time. I don't use Google, so Google Authenticator is out. I use Duo at work; can you use that for arbitrary personal services? Are there others apps that come recommended?
Also, just general questions: are these apps usually free (if not, free isn't a hard requirement)? Is there some standard, or does each service only support a subset of apps? What happens if you lose your phone?
Any info is appreciated
Edit: One more question: I see rumblings from some people about using password managers as an alternative to 2FA apps. Is that a valid strategy? Does one make the other redundant?
Edit 2: I found this excellent deep-dive on the overall mechanism and the major players: https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/ Based on this I'll probably go with Authy
41 comments
[ 1.5 ms ] story [ 81.9 ms ] threadIf you password for $service is exposed in a dump then you're ok but if your password manager is exposed then both factors of credentials are exposed. Using a separate app is definitely more secure.
You can use Google Authenticator without being a Google user, but Authy is another pretty reputable app which might be worth a look.
I personally pay, but if you only use it for that feature, I can see how it is too expensive. If you also use the app, it is a pretty good offer.
https://xkcd.com/538/
But I would probably give you everything I have and I know if you have convincing arguments.
Best of all: it even supports 7 digit TOTP that previously required Authy (I think Cloudflare and HumbleBundle use this variant).
https://github.com/beemdevelopment/Aegis
2FA is a killer application for a smartwatch.
Equally awesome are barcodes, replacing membership cards.
https://github.com/espruino/BangleApps/tree/master/apps/auth...
https://apps.apple.com/us/app/otp-auth/id659877384
Password managers, as 1Password, do offer 2FA. For those password managers that have free versions this is sometimes a paid add-on. Using password manager also for 2FA can be a little bit risky, but you can also use password manager only for storing 2FA or even use two password managers (one for 2FA, other one for passwords).
Seems to me a Yubikey can also break or be lost or stolen.
That's why I rejected a Yubikey option and use Aegis instead. I think the risks associated with someone getting hold of my 2FA keys are lower than the risks associated with getting permanently locked out of my accounts due to losing the 2FA keystore.
With any of these apps, you need to backup the first time setup code (or the QR code) for each site or platform where you're configuring 2FA. That's how you get the ability to set those up in another app if you lose your device.
If you're on iOS, the latest iOS version (iOS 15) has in-built support to generate and populate two factor codes. If you'd like a separate app, I'd recommend OTPAuth if you're on iOS/watchOS/macOS (the Mac app is a paid one, the rest are free and allow iCloud syncing).
One way to have a backup is just adding all your secrets to your password manager like KeePass, KeeWeb etc which can generate TOTP codes (but kind of defeats the purpose of _two_ factor).
Don't use Google Authenticator, if you forget to manually backup the keys, they're gone once you reset the phone. Learned it the hard way.
There is no real "magic" here. They apply a secret key (unique to your account) and the current time to a standard hashing algorithm and the results are pretty binary --- they either work or they don't. Those that don't --- well, you've probably never heard of them for obvious reasons.
So dive right in knowing you can move to a new app or a different device at any time by simply copying the key and applying the same standardized algorithm. UI, account setup and other things are mostly just window dressing.
EDIT - I haven't seem it personally but based on comments here, apparently there are some apps that try to hold your keys hostage. I would avoid any such app like the plaque.
Raivo OTP on iOS - https://apps.apple.com/app/raivo-otp/id1459042137 It has a Mac App too which just reflects the OTP and not doesn't store data on it.
Both are FOSS. Both allow to copy seed. What else one needs?
Here's a good video about TOTP by Techlore which explains why going with Authy is a bad idea - https://www.youtube.com/watch?v=iXSyxm9jmmo