142 comments

[ 2.9 ms ] story [ 251 ms ] thread
I just put a 2FA implant in my arm
Update your threat scenario to encompass dismemberment and create a recovery protocol accordingly. Not sure you would be able to do drills, at least not a second time.
That's why I put mine in my neck. If they cut it out, external access to my accounts is not my main concern.
If they cut out my arm, that wouldn't be my main concern either
But you would be able to have concerns at least
By contrast having your neck removed you would have... No concerns at all?

So neither your injury nor account access would be in you priority list.

people do not cut off fingers for fingerprints so they wont cut my arm off for my github...
They don't need to cut off your finger to steal your fingerprint
I’d much prefer having my phone stolen than my arm stolen.
You need to meet every kid I know
I prefer to calculate the numbers on paper every time. But you need to do it fast enough to make it in less than 30 seconds.
I'm for real tho, it's called the Apex and you load an OTP applet on it
Really? How does it work? Is in an NFC implant? Which PC/phone software do you use to read it
Yes it's an NFC implant. Fidesmo store to load applets, then things like yubico authenticator for OTP. Think of it like only the NFC side of a yubikey neo with fidesmo.
Before considering switching it I would love to see a more detailed feature comparison to `andOTP` I am presently using. From what I can see it is encryption at rest which andOTP may or may not do and scheduled backup. andOTP does manual backup. Anything else?
andOTP isn't really being maintained anymore, which is why I switched recently.
Who are Beem Development?
It's just a group name for the two guys working on it. Source: I'm one of them (Hi!)
The killer feature for me is a way to quickly access tokens in my (cloud-side, encrypted) vault from a desktop (or web) app in case of emergency.

It's not clear to me if Aegis allows this somehow?

The other day I broke my phone. I was traveling and needed to do some 2FA level changes to a GH repo asap.

I didn't even know there was an Authy desktop app until then. It saved my ass, literally.

Aegis is fully offline and doesn't have an official desktop application. You could of course create an export of your Aegis vault and import it in a third-party desktop application, like GNOME's Authenticator or OTPClient.
This is what I do. Two "live" authenticators with my phone and laptop and a secure offsite backup.

I don't add new keys particularily often, so it isn't that big of a hassle two manually sync the authenticators.

What app do you use on the laptop?
Yubikeys store everything on the key. I can lose my phone and use your phone to see my 2FA codes. It's honestly one of the only way MFA make sense - otherwise you lock yourself out of your entire digital life when you lose your phone and need to rely on storing your backup codes (which opens up a storage security wormhole).

It's also a lot easier to wear around your neck.

So you've moved the worry from losing/breaking your phone to losing/breaking your YubiKey?
Sure. I have a backup key but yes, you can't get MFA without adding a device that you may lose; whether that's your phone or a key. Like I said I prefer a key because I can't put my phone on a chain around my neck or on my keychain.
I keep a second key as backup for this reason, which honestly is overkill and I only do because I got a second one for free at a conference. Easier solution (which I also use in case I someday need the second one only to discover that the blue smoke leaked out) is to just print out the TOTP secrets and keep them somewhere. I'm usually printing out recovery codes when I get a new TOTP secret so this has never felt like a big deal.

Also easy enough to maintain a keepass[xc] vault for totp secrets, you could keep a separate one from your passwords if you were feeling paranoid. Great support on mobile and desktop for using a keepass db as a TOTP source - and easy to sync with dropbox/email/ssh/your web server/whatever

Everyone should read this risk mitigation solution for loosing 2FA. I always think about printing recovery codes, but having keepass vault with those codes also sounds great. You may even have some random password there and store it printed out in some locations just for emergency.

Anyways, people should think about these risks when dealing with 2FA: flood, fire, stolen, lost, (I) broke (Smartphone, yubikey, usb, etc), broke (itself), software bug, kids, washing machines, etc.

And also something we usually don’t consider: loss of memory, which can occur in combination with a traumatic event like your house burning. Then you can loose your smartphone, your Yubikey, your printed copy, and your memory all at the same time if everything is stored in one place. And this is exactly when you will need those the most. Not easy to defend against such a nightmarish scenario.
who says you only have one or no other backup?

anyway I wouldn't but s Yubikey for TOTP. OTP sucks. Sure it's better than no 2FA and TOTP is better than SMS OTP still it's not grate.

WebAuthn-like auth can provide all the benefits of TOTP while being way more secure and in some cases even not convenient.

The main drawback is how to backup your 2FA which makes it less of a choice for a "casual" user.

The only downside is limited space on Yubikey.

I am currently carrying 2 tokens :(

Up to 32, for those reading who (like me) didn’t know about this limitation.

https://support.yubico.com/hc/en-us/articles/4404456942738-F...

Good luck finding 32 places that accept Yubikey.
They don't have to accept Yubikey, they have to accept TOTP. Which ~everything does.
except eBay
Or Google, very user hostile because it makes me choose between giving them my phone number or installing their spyware app on my phone.
I use Yubikey USB to authenticate with Google.
Google's authenticator is just a standard TOTP app. You can use any app, including Aegis.
Google hides TOTP option until you create a method that uses your mobile number or google app. Only after that you can change it to TOTP.
My Yubikey always loses its credentials. (If anyone else knows about it and have a fix I'm all ears.)

I guess I need a new one, but what I want to say is don't rely on a single Yubikey or even two. Do have backups.

Which model do you own and how does the loss manifest?

The single-tap and long-tap don't produce expected output? Can you share more info on it?

I own many Yubikeys (due to research I've been doing in 2017.) and I had many Yubikeys to play with, for TOTP/HOTP/U2F purposes, even using it to unlock Windows and I haven't had a case of a Yubikey basically deprogram itself. I washed them in the washing machine, ran them over with my car, thew them in mud piles and they always worked without a fault so your case is a surprising one.

Judging by what you wrote, unless there's some weird NFC communication going on between your phone and Yubikey (are they in proximity?), I'd say it's faulty and you need a new one.

Classic USB. Plastic. (I don't know the exact model, I got it from work.)

After adding a site or a computer it works a few days and then suddenly when I try to use it with my phone or computer I just get an error about no <something>.

So yes, probably defective.

Not enough info to even guess what might be wrong, but I'd assume it's defective and I'd try with another key as well. I wish you good luck with the next Yubkey you get! :)

Btw. this is the first time I've read on a public forum that someones Yubikey is defective, they are really well made and I didn't manage to break one via regular use and bad maintenance.

"I didn't even know there was an Authy desktop app until then. It saved my ass, literally."

That's a really unexpected outcome - can you provide any details ?

> [...] can you provide any details ?

I installed Authy desktop, logged in and it retrieved my tokens form the cloud. Not anything else to it.

Pretty sure they're referring to the word 'literally'. Especially since it's by itself after a comma, looks like there's emphasis on it.

That word changes the meaning of the phrase in front of it quite a bit.

I am literally never going to stop misusing this word.
(comment deleted)
You can export the vault (encrypted or not) to a cloud provider (like Google Drive). It's a manual process, but it's simple and quick. Besides, how often do you add new 2FA tokens anyway?
The answer you're looking for is Aegis vault backup + Syncthing or Nextcloud. Seriously.

I once lost my Authy app data and didn't have it installed on any other of my devices (silly requirement tbh). I don't know whether cloud or 2FA is the joke here but Authy slapped me with a 24hr wait time for a "device reset".

Don't know if it exists for Android, but for iPhone users there is OTP Auth, which can make encrypted backups to a destination of your choice.
You can export it to file whenever you add a new key. Then, use SyncThing to sync the copy to a remote location.

The exported file can be encrypted when you make it.

Yeah, that's a UX problem.

I need to do that every time and remember.

From my experience, you loose access when the last backup you made and synced was made before the key you need now was added.

I.e. this doesn't work in practice.

If you enable automatic backups in the Aegis settings it will create a backup after every change. If you set the output directory to a location synced by Syncthing, there's nothing to remember.
Aegis has two automatic encrypted backup options.

The first lets you back up your data to any folder on your device or to any storage provider (e.g. Nextcloud and other cloud storage providers) linked to your device. Turn this on at Settings > Backups > Automatically back up the vault. The storage provider's app needs to be installed. Changes are saved to the backup location automatically.

The second uses the OS's built-in backup feature. For Android devices with Google Play Services, the backup is saved on Google Drive. Some other Android distributions such as LineageOS use Seedvault, which can save the backup to any WebDAV provider or an external USB drive. This option is at Settings > Backups > Participate in Android's backup system.

Either or both options can be used in Aegis.

I can’t believe this is a tech forum. The answer is simple. 2FA has a url. All you have to do is store the url in your password manager. Then you can import it into any new app at a moment’s notice (as long as you have access to the vault) and generate a 2fa code.

In fact, KeePassium on iOS works on this concept. I use it as my primary otp url storage app and then put limited stuff into aegis on my android tablet for anything I may need there. If a keepass based app with an otp generator (like KeePassium) existed for android, I wouldn’t even need that.

Bitwarden can store and then copy/paste TOTPs. I'm not sure if it's the best security practice to have your password and TOTP key saved together like that. But I tend to use it for sites that I don't consider critical. I then use Google Authenticator for everything else. I might try Aegis next time I get a new phone though.
AEGIS has this killer feature, with the encrypted database, which I could sync to my local Nextcloud instance. Otherwise, loosing the phone would always mean loosing all your OTPs. Aegis is a direct (better) replacement for Google Authenticator.
I am considering switching from authy because it still doesn't have folders or collections or tags but the transition is annoying without root on android. Also wondering how people ensure they can restore if your phone dies?
Aegis supports automatic backups, I backup my Aegis database encrypted to my nextcloud.

edit: Also, it allows (after checking the "I know what I’m doing" warning) plaintext secret export, if you want that for some reason.

Aegis at least lets you export a password encrypted backup
I did the transition by extracting keys from the desktop app using the scripts mentioned in this gist[1] and its comments. Of course, you should not do this unless you are comfortable verifying the security of the scripts yourself.

Importing to Aegis afterwards was quite straight-forward.

[1]: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...

I've been having a great experience with this!
I’ve been migrating away from TOTP since it’s so easily phished but my current approach is to use Yubikeys with their app:

https://www.yubico.com/products/yubico-authenticator/

That avoids keeping the seeds somewhere a general attack could get (and requiring a tap complicates attacks) and works across all of my devices. The main drawback is that there isn’t an easy way to install a seed on multiple keys when first enrolling.

I use webauthn where ever available, but considering how rare that is, I might start using this.

How well does it work on mobile? Totp via app, tap the nfc key to the phone?

And what does "no easy way" mean, how involved is that process? I’d prefer to have the keys on all 3 (or 4, not sure if the security key allows TOTP) sticks.

Yes, on mobile you either plug the YubiKey into your devices USB-C (or lightning) port, or tap the YubiKey to your phone. The totp secrets live on the yubikey and can't be extracted. You can only read out the current code. I believe you can also secure your YubiKey with a password so it must be entered to see the codes.

If you wish to have the same TOTPs on multiple YubiKeys, you are recommended to take a screenshot of the QR code you're given at the beginning (which contains the secret key), and manually add it to all the backup keys you prefer, and then securely erase the screenshot.

further reading: https://support.yubico.com/hc/en-us/articles/360013789259-Us...

It's worth noting that if you install Yubico Authenticator on another device and use the same key, you do have access to the codes, because as you said, they're stored on the key.

I initially thought the codes were stored on my phone and the key was only required for access, but that's not the case.

That's either a benefit or a drawback, depending on your threat model, but it's definitely something people should understand.

What happens if the Yubikey gets damaged?
That’s why (as with essentially all YubiKey use-cases), you have backup(s).
Yes - on my desktops and laptops, I use USB. For my phones, I use the same keys with NFC. Basically you start the app, tap the key next to the phone, and then copy/paste the code. It means that my daily two factor needs are handled by the Yubikey I keep on my badge lanyard for both modern and legacy sites.

"No easy way" basically means that you either have to save the seed and repeat the setup process for your backup key or enroll two separate devices if allowed. It feels like the authenticator app could have a useful addition where it'd automate that for you if you have two keys present.

"Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.

With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.

If you are using the yubico-authenticator app then you are using TOTP, just with the seeds stored on your yubikey. This is still vulnerable to phishing.

I hope what you meant to say is that you are switching to using WebAuthn with your yubikey on all sites that support it, and then using your yubikey for TOTP on sites that don't support WebAuthn yet. WebAuthn is the thing that gives you actual protection against phishing.

(comment deleted)
Yes, that's exactly what I meant: I use the same Yubikeys for authentication, but fail back to TOTP when sites don't support something secure.
Just keep TOTP in your password manager at this point. Whatever security is lost by it not being a "true second factor" is made up for by not having to recover or restore backups due to a lost or stolen phone.
Restoring backups is extremely easy, though.
I would argue that the most important account to have TOTP enabled IS your password manager. So, if you already have a TOTP app to generate codes for your Password Manager why not consolidate it?

Besides, if you dont have a physical and digital backup of your TOTP seeds you really like to live dangerously.

2fa for your password manager is good, but that doesn't have to be TOTP. That can just as well be something like the 1password secret key (something you have).
I think that's the idea behind using a key file and a password in KeepassXC.
The one place I intentionally don't have TOTP is my password manager.

there is a base case somewhere in a backup strategy where TOTP is not feasible. The base case for me is "Keepass file backed up to multiple locations and my master key written down in an envelope in my house in case I hit my head".

Why would I lock my passwords away behind a TOTP that can get lost? My TOTP in Authy is protected by a long random key. Where do I store the key? In my password manager.

You can't use a password manager and TOTP to back each other up.

I realise now that I was not clear on my post. Using TOTP or second factor is useful for those heathens that insist in using cloud based service for password manager (I'm one). Not for local keepass/pass synced by syncthing/rsync/ssh etc.

I treat my kdbx as a single password encrypted backup of my bitwarden vault on my computer and external hard-drive.

I care much less about second factor if it's something offline on my computer than something accessible by a web interface to anyone in the world.

Well my password manager don't have an account to begin with, neither does my TOTP manager. And depending on risk assesment for a given site/account, letting the password manager do some doubble duty as TOTP manager as a convinience is fine, especially if the alternetive outcome would be to not enable TOTP due to the annoyance.
If you have a TOTP app that allows exoprts, I agree.

If the individual site allows backup codes, I agree.

But you first need an app that hosts your TOTP that has exportable secrets.

A password database file is sort-of a second factor (something you have).
I use Bitwarden for TOTP, because I have become convinced that it still provides a true second factor even if both the password and the TOTP seed are in the same entry in my password manager.

This is because every access to Bitwarden requires two factors: a device I've already logged in with, and either the passphrase or a biometric unlock. Bootstrapping a new device requires the passphrase and a token.

I used the one by Twilio but switched my TOTP codes over to 1Password which I was already using anyway. I get that there's a security benefit of not having them in the same app but it's just not practical for me.
I didn't know Aegis supported the Nextcloud backup target! I was hacking my way around on earlier versions of Android using Solid Explorer's connection to my Nextcloud, but that stopped working somewhere along the way.

Reconnected via the Storage Access Framework and backups are syncing!

Thank you, alexbakker

Thanks for supporting the Nextcloud backup - win win! App is perfect, just a single feedback: Possibly find a way to auto-populate the logo images of the apps?
I switched to Aegis recently, and I did it for only 2 reasons:

1) I prefer to use OSS when possible

2) Aegis supports import/export/backup - so if I get a new phone, I don't have to spend days setting up my dozens of accounts again! This also means I can setup the same OTPs in both Keepass and my phone, so I can always get into my accounts

I'm really liking it, it does the same job as the Google and Microsoft Authenticator apps, but import/export/backup means it's more usable

I can import/export with Google authenticator (via QR codes).
IIRC, it didn't used to give you any control over import/export, and only supported using an opaque Google storage option. Has that changed?

Aegis gives me the actual seed, full control of the data so I can do with it as I please.

Tends not to work to well in the scenario where you drop your phone into the ocean.
Normally one does their backups before they are necessary.
You can import/export to Google Authenticator only and you must have two phones. You cannot backup QR codes because screenshot is forbidden for security reason. You cannot migrate to another application.
I just took a pic of the QR codes with my webcam and stored that in KeePass.
I just keep a copy of all QR codes in a safe place. When I need to move to a new device I just install andOTP and scan them all on the new device. I don't like my keys to be protected by only a password somewhere. I prefer to add physical protection to them. If they are accessible from my computer then it's not really 2FA.
Recently had a hard time exporting 20+ OTP secrets from Google Authenticator.

I believe I discovered a bug in the app: if you long press a secret > edit > leave an empty string as the comment, and then export a QR code containing this secret, your other device will fail to import ("QR code cannot be interpreted.").

I've only seen this happen with secrets where the comment is put in parentheses and appended to the regular, immutable name of the secret. There's another type of secret where the entire name can be edited, this I did not test. But if you try the import/export flow on a secret whose name contains `()` I bet you'll hit the bug.

I briefly tried Aegis but you must have Aegis+Authenticatior installed, and be root, or you can exfiltrate Authenticator's database file from private storage, which best as I can tell, also requires root. Shouldn't have gone with Authenticator at all, I've learned.

It seems optimal to simply retain the original secret (QR code or whichever medium) you are given when 2FA is initially enabled.

Later found this equivalent: https://mattscodecave.com/posts/how-to-move-from-google-auth...

There's a third option to switch from Google Authenticator to Aegis. You can simply scan those export QR codes of Google Authenticator with Aegis.
Wouldn't that need a second device since one can't screenshot Google Authenticator?
Or take a picture of the phone screen, say with a webcam.
Nice. You know I hadn't once bothered to click the "big plus button" UI element. I headed straight for the "three dots" UI element > Settings > Import/Export submenu, every time. Joke's on me for not exploring Aegis's interface more fully ;)
FYI: For iOS users looking for alternatives to Google Authenticator or Authy, I highly recommend the open source Raivo. https://raivo-otp.com/

Recently moved all of my TOTPs to it. Encrypted iCloud sync and local backup if desired.

Thanks for this, I'm currently using both Duo to Microsoft authenticator, and the lack of firm reassurance about the backup mechanisms in each of these makes me uneasy. I'd frankly prefer a vault with a model similar to BitWarden's, where I can export my private keys.
Love raivo. Wish there was an automated backup solution though
I was happily using andOTP but seems like it has been unmaintained since June - https://github.com/andOTP/andOTP.

I wish F-Droid or Play Store had a feature like GitHub's 'Archived' to inform users.

I'm still using andOTP and I prefer it over Aegis. Are there any reasons to stop using it if it still works? What kind of security vulnerability can affect it? Honest questions.
I'm wondering the same thing. It also looks like while Aegis is actively developed on GitHub, that hasn't materialized into a new release on the Play Store or F-Droid in 7 months.
You're right, it's been a while, but we actually issued a beta release for 2.1 today!
Nice. Will that hit F-Droid at some point? Or do we gotta wait for the non-beta release?
Also a happy andOTP user. Initially I thought you were being impatient because no updates for a few months isn't necessarily bad, but I see that the project itself has been updated to reflect that it is not being maintained by its creator. Thanks for the heads up.

Looking at Aegis, it appears to support importing from andOTP

It's the only decent authenticator that I've found on the play store.
The authenticator you use is less important than the process you use to store the TOTP QR codes/secret keys. Never just feed it into an app, always screenshot it and store it somewhere safe THEN put it in something that can generate your TOTP codes.
Aegis is an excellent FOSS Authenticator that is available in FDroid. However, offline first apps are challenging to use TOTP across multiple devices. These days I just use TOTP provided by my password manager (Bitwarden) that is seamless across devices.
“Secure 2FA” app is an odd title. A 2FA app is nothing if it’s not secure. The “secure” bit here is redundant. The fact that it has to be said is actually a red flag. Are you saying it’s secure because in reality it really isn’t?
This is a great switch from AOTP that I just did.

The more exciting thing I learned here is that I can backup my entire GrapheneOS phone to my Nextcloud server for recovery. I just go into Android settings->Backup to get started. This will save me a lot of time the next time I lose my phone. Thank you!