32 comments

[ 4.8 ms ] story [ 39.8 ms ] thread
For years I've managed all my TOTP codes with KeepassXC. Not a single problem, great software.
Liked the 'Written by human not by AI' bagde
Ente auth is a great free option with sync and apps for every platform. https://ente.io/auth/

They also have a good Google Photos alternative, which is how they make money.

I'd be more curious to know what the traffic data google maps alternative is.
I wish there was a way to export my codes from Microsoft authenticator on iOS. If anyone knows of a way to do this, please feel free to reply. I would like to move to an open source solution.
To be clear, the point of storing a secret token on your phone and then typing over some codes that prove you have access to the secret still, is to provide 2FA. If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

That can be fine if that's what you want, but if you wanted 2FA:

- FreeOTP: https://f-droid.org/packages/org.fedorahosted.freeotp

- someone forked that and called it FreeOTP+: https://f-droid.org/packages/org.liberty.android.freeotpplus

- FreeOTP again but from the dark side of the internet: https://play.google.com/store/apps/details?id=org.fedorahost...

- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust

Edit: Even with the PGP option shown at the end of the article, the secret is still accessible to any malware whenever you access it. Unless PGP-based 2FA becomes super widespread, this won't be something malware looks for and so you'll be fine unless you are targeted by intelligence agencies, but still, it's not quite 2FA because it's not something you "have" but something you "know" (the PGP data's unlock password)

Go for Aegis if you're on Android, 2FA Authenticator (2FAS) or Authenticator (by Matt Rubin) if you're on iOS.
+1. I stopped using google authenticator when they randomly wiped the app for me and lost all the codes.
I get the feeling. Got a pretty bad experience with google when I migrated phones, and it messed up the data for a pretty important app (no damage, because I'm paranoid and have backups). I keep an offline phone with synced Authenticator because of this.
Some time ago I realised how vulnerable I was keeping all my TOTPs in Authenticator __only__, in the event of losing/breaking my device (and no, there is no way I would sync them to Google cloud). This taught me few things:

- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern

- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.

I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.

¹: https://github.com/scito/extract_otp_secrets

Most people don't really know how these TOTP codes work but yeah for the longest time I've just put the plain text secret in a place where I can wrap it with my own golang utility

https://github.com/edify42/otp-codegen

Way easier to open a terminal on my computer and pipe to `pbcopy` and paste it onto the screen.

This reminds me of Steve Gibson storing his 2FA seeds by printing them out [1].

> "Steve: So in my drawer I have all of my QR codes printed."

> "Steve: They're in a safe place. And if it ever comes to the point where I need to set up a new authenticator, not a problem. I just scan the QR codes once again, and we're back in business. So the other thing to look for is an authenticator that will allow you to do that because it is nice to have hard copy backup."

---

I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].

> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."

[1]: https://www.grc.com/sn/sn-921.htm

What is the reasoning that google makes it so complicated to export the TOTPs? Is it just to make it harder to migrate to other authenticators (which does not make much sense because other authenticators just build their tool to import this anyway) or is it just a bad case of "security through obscurity"? I cannot imagine any minimally dedicated attacker that has already put the effort to get the export qr code not being able to actually read it, but it just makes it harder for "common" people to actually get their codes. I remember I had to go through what the article describes to access my TOTPs and migrate to another authenticator.
There was a misguided line of reasoning that if you can back up a digital artifact, it is no longer eligible as a "something you have" type of security credential.

Earlier versions of Google Authenticator did not have any export functionality at all, and the only way to transfer the codes to a new phone was to use a Google backup of the old phone, which is only possible during the initial setup.

I'm just boring and use 1Password for this along with my passwords.
I've been waiting for this for years. I'll put this in a VM for some isolation, and I'll have more security and more convenience.
I have said time and time again, keep a copy of the QR code (or the text encoded within) before adding it to an authenticator app. You may find out too late that you cannot recover the keys. You can do this by simply taking a photo or screenshot of the QR code and storing it in a safe place.

Even better, avoid any MFA mechanism that relies on short codes with low entropy. Instead you could use U2F which uses a hardware token in which the key material is designed to be extremely difficult to extract, and requires physical access to the device to even attempt.

If it has a "Google" label, it's not in your best interests and best avoided. This is just another in a long list of examples and confirmations of this fact.

The solution to most 2FA/TOTP issues (including the one described here) is Stratum. It offers a full array of import and exports features (with or without strong encryption) including the ability to import directly from Google's user-hostile abandon ware.

https://stratumauth.com/

At least Google lets you export the keys. Authy removed that ability and now Twilio is forever on my shit-list.
The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.