Ask HN: How do you deal with TOTP 2-factor auth?
Since this github 2fa thing is happening, I'm gonna need a better solution for 2fa. So far I've used Authy on my phone for work stuff. That's fine. But for personal stuff, I want more control.
What good open-source options do you all prefer to deal with TOTP? I'm thinking I'll use Bitwarden to sync TOTP keys, since I already use them for passwords, which means I need apps which let me freely and easily copy those secrets around. I use Linux, iOS and macOS, so I'll need apps for all those platforms.
I'm not interested in moving to a different password manager, and I'm even less interested in moving to a closed source password manager. (Imagine that, handing all your passwords to some closed source application from some random US company in the name of security...)
20 comments
[ 4.3 ms ] story [ 63.3 ms ] threadIt's a hardware device with TOTP support. It works as an USB/Bluetooth keyboard and will type passwords for you.
So if you just want some security theater and you just want to tick the box that reads "2FA" and you don't actually want more security than a username and a password, then knock yourself out, and do what you propose, but I'm not going to be here suggesting anything better for you.
My absolute requirements are:
* I must be able to log in without a phone. I will not let Apple be the arbiter of whether I'm allowed to log in to my accounts or not.
* I must not have to carry around an extra hardware device everywhere I go.
* I must not get locked out of my accounts if I lose a device.
* I must be able to log on to random other systems (other people's computers, temporary VMs, whatever), though in these situations, having to rely on a phone is acceptable.
* Whatever solution I pick must not include switching password managers or depending on some closed source service.
If you like Bitwarden, it will do what you want if you pay for their premium account. If you don't want to do that, you can host your own bitwarden server (I think that this implementation does 2FA, but I'm not positive:
https://github.com/dani-garcia/vaultwarden
I chose KeePassXC on the desktop. It has a database which you can move around, backup it. There is an app for Linux and MacOS 10.13+ (because of Qt5). For iOS, a quick search shows up something called KeePassium.
These apps seem to work with a certain database format (kdbx), so for sync you might need to place the database somewhere online (iCloud, as an example). Otherwise, you might not need syncing if you don't add 2FA accounts to your database that often.
It's seamless and doesn't need an internet connection.
- [0]: https://github.com/andOTP/andOTP
- [1]: https://syncthing.net/
Before being comfortable recommending anything, I have question about GitHub's 2fa implementation here, which others may be able to answer.
Without 2fa, an account can be accessed if you compromise the password (which might be long and high entropy or equally might be terrible) but not otherwise.
If totp (or sms) 2fa is enabled and the 2nd factor is compromised but the password is not, is there any action that can now be performed against the account which couldn't previously, when 2fa wasn't enabled?
My question is essentially: is the 2fa purely extra security, or is it trusted without the password in any situation? If I publish my text messages world-readable in real-time and post the TOTP key in the local newspaper, is my GH account still secure provided the password remains as secret as it was previously?
I do not use the TOTP feature in my password manager as feel it will defeat the purpose of 2FA (though I can split it to a new DB in KeePassXC).
For my work, the company uses a proprietary password manager, I just don't install it in any of my personal computing devices.
- [1]: https://github.com/beemdevelopment/Aegis
- [2]: https://github.com/paolostivanin/OTPClient
https://github.com/raivo-otp/ios-application