Ask HN: Recommended two-factor authenticator app for personal use?

18 points by brundolf ↗ HN
I haven't really looked into authenticator apps before, but with the increases in SIM-jacking I think it's time. I don't use Google, so Google Authenticator is out. I use Duo at work; can you use that for arbitrary personal services? Are there others apps that come recommended?

Also, just general questions: are these apps usually free (if not, free isn't a hard requirement)? Is there some standard, or does each service only support a subset of apps? What happens if you lose your phone?

Any info is appreciated

Edit: One more question: I see rumblings from some people about using password managers as an alternative to 2FA apps. Is that a valid strategy? Does one make the other redundant?

Edit 2: I found this excellent deep-dive on the overall mechanism and the major players: https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/ Based on this I'll probably go with Authy

41 comments

[ 1.5 ms ] story [ 81.9 ms ] thread
I use Microsoft’s Authenticator and so far have had no problems. I also use 1Password’s built in 2FA functionality which is a little redundant but it makes filling in 2FA code on websites and apps very easy.
Using tools like 1Password and Bitwarden to manage your OTP codes, while arguably better than not using OTP at all, is a bad idea.

If you password for $service is exposed in a dump then you're ok but if your password manager is exposed then both factors of credentials are exposed. Using a separate app is definitely more secure.

You can use Google Authenticator without being a Google user, but Authy is another pretty reputable app which might be worth a look.

Just so you know- the article I've now linked in the original post found some nontrivial issues with Microsoft's Authenticator
I started using Microsoft Authenticator for work, since I have several O365 accounts that require it. Ended up really liking it and use it for all of my TOTP now, with Bitwarden as my password manager. Also have a yubikey, for other purposes.
Bitwarden
I thought that feature was behind a subscription, though?
It is, unless you host your own Vaultwarden instance.
Yes, but a) it is 10 dollars a year and b) comes with a bunch of other great features.

I personally pay, but if you only use it for that feature, I can see how it is too expensive. If you also use the app, it is a pretty good offer.

But if you also use bitwarden for your passwords, aren't you making your two-factor authentication a single factor again?
Depends. For someone who's determined enough and has a wrench, most things become single factor.

https://xkcd.com/538/

Yes not always. Two factors is something you know and something you have. If I lost my phone or my token generator, you can drug, torture, and kill my family and me as much as you want, you will not go far.

But I would probably give you everything I have and I know if you have convincing arguments.

Even if you don’t use Google, you can use their Google Authenticator app.
I've used Google Authenticatior a few years ago. Back then it didn't support device migration.
Yeah, it was somewhat lackluster for a while.
There is an export option in the menu, but it does require you to still have your previous device.
Aegis, it's FOSS and supports encrypted backups. Migrating to a new device is trivial.

Best of all: it even supports 7 digit TOTP that previously required Authy (I think Cloudflare and HumbleBundle use this variant).

https://github.com/beemdevelopment/Aegis

I keep 2FA in a keepass db. I use keepassxc on computers and strongbox on phones.
TOTP is an RFC, so when sites talk about Google Authenticator you can use any implementation. I use a couple of lines of own Python and the pyotp package. I audited it that much that it doesn't do any networking.
I'm using OTP Authenticator which is on f-droid. It is nice. Before that I used a simple python script, but I finally broke down and started using a "smart" phone.
I have a script I can run on any of my machines to generate the OTP code (so I don't need a phone/app).
A vote in favour of Authy. Works well and easy to transfer to a new phone ( I even did it when my phone died while overseas ). It even has a desktop version (which I use on Linux ).
Authy is a good choice if you want to multiple devices, e.g. mobile and desktop. It is rather easy to add a new device or to make a backup.

Password managers, as 1Password, do offer 2FA. For those password managers that have free versions this is sometimes a paid add-on. Using password manager also for 2FA can be a little bit risky, but you can also use password manager only for storing 2FA or even use two password managers (one for 2FA, other one for passwords).

I have been using the Yubico Authenticator for about a year. The really handy part for me is that the otp codes are generated by the hardware YubiKey, so switching phones is a non issue.
i didn't know about Yubico Authenticator, it seems like a great solution. How do you handle QR codes?
It uses the phone camera to scan QR codes during the initial setup but stores credentials on the yubikey itself.
i see, I was checking the desktop version and there's no option to import a qr code image
A significant problem with 2FA codes on a phone (if not backed up) is when the phone breaks or is lost or stolen.

Seems to me a Yubikey can also break or be lost or stolen.

That's why I rejected a Yubikey option and use Aegis instead. I think the risks associated with someone getting hold of my 2FA keys are lower than the risks associated with getting permanently locked out of my accounts due to losing the 2FA keystore.

RE the alternative question: 2FA is _not_ an alternative to password managers -- it's like seat-belts and brakes on a car, you're going to want both. You need a password manager to keep track of the random password you've set for each of the hundred sites you log into; and you should use 2FA for high-value sites in case the password you used for that site gets stolen (like via malware infestation on your computer, or you're tricked into entering your credentials on a phishing page, etc).
You mention SIM jacking, but I see other comments here recommending Authy here, which requires a cell phone number and SMS OTP to set it up. Your second edit also says you're going with Authy. That doesn't make sense to me.

With any of these apps, you need to backup the first time setup code (or the QR code) for each site or platform where you're configuring 2FA. That's how you get the ability to set those up in another app if you lose your device.

If you're on iOS, the latest iOS version (iOS 15) has in-built support to generate and populate two factor codes. If you'd like a separate app, I'd recommend OTPAuth if you're on iOS/watchOS/macOS (the Mac app is a paid one, the rest are free and allow iCloud syncing).

I used Google Authenticator some years ago on a phone that broke. At the time I was unable to restore it to my new phone. The proposed solution used to be to authenticate multiple devices (phones with Authenticator, Yubikeys) but to this day many Services only allow You to link a single second factor to your Account, meaning that upon loosing that factor you’re required to contact support to restore access to your Account. Is there any open source solution that generates a second factor in software and can be easily cloned/restored to multiple devices ? Nobody buys a single set of keys for their front door or car. I know why yubikeys don’t offer „spares“ but usecases can differ are there any yubikey protocol compatible competitors that offer spare keys ?
Nothing is stopping you from adding the secret token to multiple apps or devices to generate TOTP codes, as there is no connection between the service providing the secret and the TOTP generator.

One way to have a backup is just adding all your secrets to your password manager like KeePass, KeeWeb etc which can generate TOTP codes (but kind of defeats the purpose of _two_ factor).

I will forever promote Authy as 2FA app, you can restore it on another phone even if your main one is dead.

Don't use Google Authenticator, if you forget to manually backup the keys, they're gone once you reset the phone. Learned it the hard way.

Maybe my needs are overly simplistic but most any of them will work just fine.

There is no real "magic" here. They apply a secret key (unique to your account) and the current time to a standard hashing algorithm and the results are pretty binary --- they either work or they don't. Those that don't --- well, you've probably never heard of them for obvious reasons.

So dive right in knowing you can move to a new app or a different device at any time by simply copying the key and applying the same standardized algorithm. UI, account setup and other things are mostly just window dressing.

EDIT - I haven't seem it personally but based on comments here, apparently there are some apps that try to hold your keys hostage. I would avoid any such app like the plaque.

Tofu is the best and only choice for an authenticator app on iOS.