I wish there was a way to export my codes from Microsoft authenticator on iOS. If anyone knows of a way to do this, please feel free to reply. I would like to move to an open source solution.
To be clear, the point of storing a secret token on your phone and then typing over some codes that prove you have access to the secret still, is to provide 2FA. If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA
That can be fine if that's what you want, but if you wanted 2FA:
- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust
Edit: Even with the PGP option shown at the end of the article, the secret is still accessible to any malware whenever you access it. Unless PGP-based 2FA becomes super widespread, this won't be something malware looks for and so you'll be fine unless you are targeted by intelligence agencies, but still, it's not quite 2FA because it's not something you "have" but something you "know" (the PGP data's unlock password)
I get the feeling. Got a pretty bad experience with google when I migrated phones, and it messed up the data for a pretty important app (no damage, because I'm paranoid and have backups). I keep an offline phone with synced Authenticator because of this.
Some time ago I realised how vulnerable I was keeping all my TOTPs in Authenticator __only__, in the event of losing/breaking my device (and no, there is no way I would sync them to Google cloud). This taught me few things:
- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern
- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.
I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.
Most people don't really know how these TOTP codes work but yeah for the longest time I've just put the plain text secret in a place where I can wrap it with my own golang utility
This reminds me of Steve Gibson storing his 2FA seeds by printing them out [1].
> "Steve: So in my drawer I have all of my QR codes printed."
> "Steve: They're in a safe place. And if it ever comes to the point where I need to set up a new authenticator, not a problem. I just scan the QR codes once again, and we're back in business. So the other thing to look for is an authenticator that will allow you to do that because it is nice to have hard copy backup."
---
I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].
> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."
What is the reasoning that google makes it so complicated to export the TOTPs? Is it just to make it harder to migrate to other authenticators (which does not make much sense because other authenticators just build their tool to import this anyway) or is it just a bad case of "security through obscurity"? I cannot imagine any minimally dedicated attacker that has already put the effort to get the export qr code not being able to actually read it, but it just makes it harder for "common" people to actually get their codes. I remember I had to go through what the article describes to access my TOTPs and migrate to another authenticator.
There was a misguided line of reasoning that if you can back up a digital artifact, it is no longer eligible as a "something you have" type of security credential.
Earlier versions of Google Authenticator did not have any export functionality at all, and the only way to transfer the codes to a new phone was to use a Google backup of the old phone, which is only possible during the initial setup.
I have said time and time again, keep a copy of the QR code (or the text encoded within) before adding it to an authenticator app. You may find out too late that you cannot recover the keys. You can do this by simply taking a photo or screenshot of the QR code and storing it in a safe place.
Even better, avoid any MFA mechanism that relies on short codes with low entropy. Instead you could use U2F which uses a hardware token in which the key material is designed to be extremely difficult to extract, and requires physical access to the device to even attempt.
If it has a "Google" label, it's not in your best interests and best avoided. This is just another in a long list of examples and confirmations of this fact.
The solution to most 2FA/TOTP issues (including the one described here) is Stratum. It offers a full array of import and exports features (with or without strong encryption) including the ability to import directly from Google's user-hostile abandon ware.
I love the post. I know this is not the topic: There is a google-auth replacement which has appropiate qr scanning and doesn't require any connection permission, in f-droid. I don't know why freeOTP is more popular since it asks for full network permission.
The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.
I've been storing TOTP codes in on my Yubikeys for many years now, it works pretty decently. They have an app for it (https://www.yubico.com/products/yubico-authenticator) which has gotten better over the years. For redundancy I've stored keys on two devices.
32 comments
[ 4.8 ms ] story [ 39.8 ms ] threadThey also have a good Google Photos alternative, which is how they make money.
I’ve been using a cli tool i had created for over 2 years now, it just works. I had more ideas but never got to incorporate those.
https://github.com/44za12/horcrux
https://github.com/cookiengineer/forensics-tools
That can be fine if that's what you want, but if you wanted 2FA:
- FreeOTP: https://f-droid.org/packages/org.fedorahosted.freeotp
- someone forked that and called it FreeOTP+: https://f-droid.org/packages/org.liberty.android.freeotpplus
- FreeOTP again but from the dark side of the internet: https://play.google.com/store/apps/details?id=org.fedorahost...
- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust
Edit: Even with the PGP option shown at the end of the article, the secret is still accessible to any malware whenever you access it. Unless PGP-based 2FA becomes super widespread, this won't be something malware looks for and so you'll be fine unless you are targeted by intelligence agencies, but still, it's not quite 2FA because it's not something you "have" but something you "know" (the PGP data's unlock password)
- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern
- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.
I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.
¹: https://github.com/scito/extract_otp_secrets
https://gist.github.com/akssri/92a3b240c89212815a66e86c60eab...
https://github.com/edify42/otp-codegen
Way easier to open a terminal on my computer and pipe to `pbcopy` and paste it onto the screen.
> "Steve: So in my drawer I have all of my QR codes printed."
> "Steve: They're in a safe place. And if it ever comes to the point where I need to set up a new authenticator, not a problem. I just scan the QR codes once again, and we're back in business. So the other thing to look for is an authenticator that will allow you to do that because it is nice to have hard copy backup."
---
I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].
> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."
[1]: https://www.grc.com/sn/sn-921.htm
Earlier versions of Google Authenticator did not have any export functionality at all, and the only way to transfer the codes to a new phone was to use a Google backup of the old phone, which is only possible during the initial setup.
Even better, avoid any MFA mechanism that relies on short codes with low entropy. Instead you could use U2F which uses a hardware token in which the key material is designed to be extremely difficult to extract, and requires physical access to the device to even attempt.
The solution to most 2FA/TOTP issues (including the one described here) is Stratum. It offers a full array of import and exports features (with or without strong encryption) including the ability to import directly from Google's user-hostile abandon ware.
https://stratumauth.com/
https://fxedel.gitlab.io/fdroid-website/en/packages/org.shad...
andOTP.