What are you all using for a 2FA token manager?
from BonkTheAnnoyed@lemmy.blahaj.zone to selfhosted@lemmy.world on 13 Oct 00:45
https://lemmy.blahaj.zone/post/33020376

One more step to unhitching from Google…

Right now the only option I see in F-Droid is Aegis.

I’m not sure what to actually look for aside from checking for unexpected permissions and reasonably frequent updates.

Hopefully something I can sync with a GNOME app…

#selfhosted

cmnybo@discuss.tchncs.de on 13 Oct 00:59

I’ve been using KeePassXC. I use Syncthing to keep the database synchronized between computers.

synestine@sh.itjust.works on 13 Oct 01:23

Same here. If it’s TOTP based 2fa, you can keep them in entries and use them from there.

30p87@feddit.org on 13 Oct 06:10

Tbh, if you’re using the same DB for PWs, you’ve successfully downgraded to 1FA now. Except maybe if you use a separate KeyStick/Yubikey as secret bearer or smth

hikaru755@lemmy.world on 13 Oct 07:00

More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn’t compromise full access to your password database, which is still a lot better than using just passwords without a second factor.

example@reddthat.com on 14 Oct 00:49

that’s like calling strong randomly generated passwords 1.5FA.

with proper MFA, even if you steal my password (database), you won’t be able to steal my account, as you’re missing the second factor. with classic otp this is just a single use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.

password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they’re not extracted live. password managers with auto fill and phishing resistant MFA can prevent phishing, although the password manager variant is still easily bypassed when the user isn’t paying enough attention, as it’s not even that uncommon for login domains to change. obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.

hikaru755@lemmy.world on 14 Oct 09:00

even if you steal my password (database)

That’s a big leap you’re doing there, equating stealing a password to stealing a password database. Those are very different. Stealing a password can be done through regular phishing, or a host of other methods that don’t require targeted effort. Stealing a password database, if properly set up, is a lot harder than that. It depends of course on what password manager you’re using, but it usually involves multiple factors itself. So equating that to just a password, no matter how strong and random, is just misleading.

Mind you, I agree that it’s less secure than “proper” MFA, and I’m not saying that everybody should just use MFA through a PW manager. I am using physical security keys myself. But for a lot of regular people that otherwise just couldn’t be bothered, it’s absolutely a viable alternative that makes them a whole lot safer for comparatively little effort. Telling them they just shouldn’t bother at all is just going to create more victims. There is no such thing as perfect security, and everyone has a different risk profile.

N0VERCLOCKER@discuss.tchncs.de on 13 Oct 12:57

I would say it still counts as 2fa just shifting what is verifying you to your password manager and using the site password and 2fa as a way to verify the password manager with the site. If setup right they would have to have the database and your password to decrypt it not just one or the other and for password managers that sync the database it should require your password and 2fa to sync to a new device so it can’t just be freely grabbed. If that doesn’t count as 2fa then I would like to see an argument about how okta signing you into sites counts as 2fa as it is basically the same thing.

pedroapero@lemmy.ml on 19 Oct 16:59

Yes, the only issue I have with it is that you can only have one TOTP for each site entry (need to create two separate entries if using two accounts).

pipe01@programming.dev on 13 Oct 01:15

I use Aegis, it works well

AMillionMonkeys@lemmy.world on 13 Oct 01:46

Bitwarden Authenticator because Bitwarden seems to have a good reputation. I don’t use their password manager, though.
It does seem faintly insecure that it displays all of the codes at once on one page, but I’m having trouble imagining a scenario where it’s actually a problem.

example@reddthat.com on 13 Oct 01:55

FreeOTP/FreeOTP+

depending on your goal for this (real 2fa vs just simulated) you shouldn’t have sync in the first place.

you could also look into security keys (hardware solution, webauthn/FIDO2) as an alternative that has strong security with good user experience (no typing anymore), but they’re not as widely accepted.

solrize@lemmy.ml on 13 Oct 02:20

I’m currently using FreeOTP from F-droid. Aegis seemed to have way too much extra crap. You don’t want to sync multiple 2fa applications together since the idea of the 2nd factor is it’s only in one place. Even being able to back it up is sort of contra, but if you have to, make sure the backup is well safeguarded.

The basic TOTP algorithm is quite easy to implement fwiw. A dozen or so lines of Python.
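
The algorithm solrize mentions, and the property example@reddthat.com describes above (whoever holds the seed can keep generating valid codes), as an added example that is not part of the original thread: RFC 6238 TOTP in Python, together with the server-side check. The sample `otpauth://` URI, the account name and the function names are constructed for illustration; the seed is the RFC 6238 test value, not a real key.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the payload an enrolment QR code carries. The secret is
# the RFC 6238 test seed ("12345678901234567890") in Base32, not a real key.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Extract the seed and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # authenticator apps drop the padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algo": q.get("algorithm", "SHA1").lower(),
    }


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F               # low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algo)


def verify(secret, code, at=None, window=1, period=30, digits=6, algo="sha1"):
    """Server side: accept +/- `window` time steps of clock drift.

    Every candidate is compared in constant time and the loop never exits
    early, so timing does not reveal which step matched.
    """
    at = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        candidate = totp(secret, at + step * period, period, digits, algo)
        ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


def upcoming_codes(secret, at, count=3, period=30, **kw):
    """Any holder of the seed can compute the current and all future codes."""
    return [totp(secret, at + i * period, period=period, **kw)
            for i in range(count)]


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    now = time.time()
    phone = totp(entry["secret"], now)    # "device A"
    copy = totp(entry["secret"], now)     # any synced, backed-up or stolen copy
    print(entry["label"], phone, "same code on the copy:", phone == copy)
    print("accepted by verifier:", verify(entry["secret"], phone, now))
    print("next codes:", upcoming_codes(entry["secret"], now))
```

The only secret in the scheme is the seed, so a synced database, an exported backup and a saved enrolment QR code each deserve the same protection as the authenticator itself.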

poccalyps@sh.itjust.works on 13 Oct 02:47

2FAS Authentication

chillpanzee@lemmy.ml on 13 Oct 06:00

Been using it for a while. It’s pretty awesome.

salacious_coaster@infosec.pub on 13 Oct 02:49

Bitwarden. I don’t self host it, though. $10 a year for password management and 2FA is fine by me.

HereIAm@lemmy.world on 13 Oct 08:33

Same. Self hosting it sounds nice, and I self host a handful of services, but I don’t want to be stuck without passwords in another country with a dead server at home because a power cut happened at some point.

gaylord_fartmaster@lemmy.world on 13 Oct 11:07

Bitwarden caches your vault to your device, so you don’t actually need a live connection to the server.

HereIAm@lemmy.world on 13 Oct 11:12

Oh, that’s actually good to know. I guess it makes sense for when you don’t have a good connection as well.

az04@lemmy.world on 13 Oct 13:28

I had a fault in my server this summer and my local bitwarden app wouldn’t work without the connection. Same in my laptop, if the connection is blocked by the firewall it doesn’t let me load the vault at all.

EpicStuff@lemmy.ca on 14 Oct 12:57

bitwarden works fine for me without connection, you just can’t update/create passwords

TedZanzibar@feddit.uk on 13 Oct 14:55

It’s niche but I like to point it out whenever I get the opportunity: if your workplace uses Bitwarden Enterprise, every licensed user gets a free family plan that can be linked to any account. I haven’t personally paid for BW for years.

warmaster@lemmy.world on 13 Oct 22:38

I’m on the same plan, I do plan to self host it though as a backup only.

Lyra_Lycan@lemmy.blahaj.zone on 13 Oct 08:46

As I’ve seen gaming server subscriptions go from £36/y to £23/m (Xbox) in a few years, and cloud CCTV storage from £40/y to £16/m (Google via acquisition of Nest) in a few months, I say we count our stars when a subscription cost remains fair.

Cyberflunk@lemmy.world on 13 Oct 02:58

1password

BingBong@sh.itjust.works on 13 Oct 04:32

Definitely this, especially if you’ll be sharing with a non techie. My wife was able to pick 1password up and use it immediately and she normally turns her nose up at any of my recommendations.

For the 1password accounts 2FA, use a yubikey or aegis. Everything else to 1 password.

arox@lemmy.frozeninferno.xyz on 13 Oct 02:59

What you mean syncing with Gnome app?

deathbird@mander.xyz on 13 Oct 03:24

I like Aegis.

fubarx@lemmy.world on 13 Oct 03:26

<img alt="" src="https://lemmy.world/pictrs/image/3bd0349e-6a45-4bdd-8858-47847bda50a2.jpeg">

Doodleschmit@lemmy.world on 13 Oct 12:21

“Unmodified 20? Yeah, you just know your 2FA without even checking somehow”

gagootron@feddit.org on 13 Oct 04:04

Yubikey. I don’t want to trust my phone, so I use some separate hardware instead

ayyo@sh.itjust.works on 13 Oct 04:27

I used aegis for a long time, switched to protons after they introduced it. Ideally I’d be using something physical though like a yubikey

nullpotential@lemmy.dbzer0.com on 13 Oct 04:55

Enteauth

ceiphas@piefed.social on 13 Oct 05:34

i use Mauth

IIRC it can sync by storing the Data in a file you can sync with a tool of your choice

ohshit604@sh.itjust.works on 13 Oct 06:08

Yubikey for 2Fa codes also works well for sudo and su (2Fa) or if you still use Windows I think it supports single sign on there. Absolutely worth the purchase have had my keys for years.

mhzawadi@lemmy.horwood.cloud on 13 Oct 06:23

We use yubikeys at work, far better than an OTP. Also I have 2 for home use, the only issue is I need to put 1 on some keys I carry as I sometimes need 1 and don’t have it.

5ymm3trY@discuss.tchncs.de on 13 Oct 06:39

Can you explain a little more how you handle them in your daily life? I always liked the idea of Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience. Things like:

Are there accounts that you didn’t get to work? Do you have separate keys for personal and work accounts? Do you just have it on your keychain and plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense. As far as I know you can’t just clone a key. How easy is it to setup a backup key? Does this work for all accounts? I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys? How is your experience? USB or NFC?

ohshit604@sh.itjust.works on 13 Oct 07:10

Can you explain a little more how you handle them in your daily life? I always liked the idea of Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.

I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.

Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.

Do you just have it on your keychain and plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense.

It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.

As far as I know you can’t just clone a key.

So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.

How easy is it to setup a backup key?

While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.

I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?

So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.

<img alt="Once you open the app" src="https://sh.itjust.works/pictrs/image/d11c9406-a419-4e8d-9562-6a328f19b06d.png">

<img alt="Swipe down to scan for NFC" src="https://sh.itjust.works/pictrs/image/a7073cae-9d1c-4270-99b2-5f7dd6d487e8.png">

<img alt="After scanning key it shows you your accounts" src="https://sh.itjust.works/pictrs/image/06f37d88-1233-4112-8297-a33e6daad9bc.jpeg">

<img alt="Click on your desired account" src="https://sh.itjust.works/pictrs/image/4d89d1a9-5aea-40ed-aebc-e9f2dd43f08d.jpeg">

<img alt="Click calculate and scan your key again" src="https://sh.itjust.works/pictrs/image/1f79452d-a18c-44a3-832f-b8c6f56d2e0d.jpeg">

5ymm3trY@discuss.tchncs.de on 13 Oct 19:00

I just realized, the formatting of my last reply got lost somehow, sorry for that. Nevertheless, thank you very much for your response. Really appreciate the insights of a long time user.

I switched from Authy to Aegis like 2 years ago, because I didn’t want to rely on an online service either. Similar to something like Keepass, the database is local and you are in charge of making backups and such. But that is also the great thing about it. If your phone dies you just copy the backup to the new device and you’re golden. I already thought about the switch to a Yubikey back then, but didn’t go through with it.

With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

Yes always plugged in works of course, I just meant that you are somewhat compromising the security that you have gained by using dedicated hardware. But as you said, if touch is enabled and the key is password protected you are probably fine. In the end this comes always down to an optimization problem between security and convenience that everyone has to decide for themself.

ohshit604@sh.itjust.works on 13 Oct 19:17

With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. …yubico.com/…/360021919459-How-to-register-your-s…

Just looking back at my purchase history, I got my Yubikey’s back in January 2020, it appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless In certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.

Similar to something like Keepass, the database is local and you are in charge of making backups and such.

I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.

In the end this comes always down to an optimization problem between security and convenience that everyone has to decide for themself.

Couldn’t agree with you more, everybody has that dial between convenience and security and should adjust accordingly.

5ymm3trY@discuss.tchncs.de on 13 Oct 20:51

Regardless In certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.

Yeah maybe this guide wasn’t there when you bought yours or it is outdated. Problem is, you have to setup the 2FA from scratch for these accounts if you don’t have the QR code anymore. Might still be worth a try to really get two identical keys.

you are in charge of making backups and such. I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.

Aegis is still an app on your phone. It just is not connected to an online service so you control the database file yourself. It of course always depends on your setup e.g. if you have a single device that acts as your 2FA “key” and keep offline backups of the database you don’t have to host anything. If you want to authenticate with multiple devices and add new accounts often some form of automatic sync might be helpful. Even though I like the app, I don’t want to convince you of Aegis. I just didn’t want to paint the wrong picture.

MadameBisaster@lemmy.blahaj.zone on 13 Oct 11:43

Ditto, bought two, one as backup for the other, and it’s great.

mhzawadi@lemmy.horwood.cloud on 13 Oct 06:24

I use freeotp+, but it looks like it could be dead now. But it does have an export to file.

Undaunted@feddit.org on 13 Oct 06:32

Yubikeys. I have 2 of them and both have the same entries in case one breaks.

Appoxo@lemmy.dbzer0.com on 13 Oct 06:35

Aegis

retro@infosec.pub on 13 Oct 06:36

Proton Authenticator. Has both Desktop and Mobile apps. Free. Don’t have to sync to Proton.

hanrahan@slrpnk.net on 13 Oct 08:50

Do they have a Linux client for the desktop?

retro@infosec.pub on 13 Oct 09:37

deb, rpm and aur-bin

hanrahan@slrpnk.net on 13 Oct 12:53

Thanks for the speedy reply. On LMDE so Debian it is.

They have no Linux Drive desktop client, so that was a pleasant surprise.

spacelord@sh.itjust.works on 13 Oct 07:05

Aegis ♥️

maxwellfire@lemmy.world on 13 Oct 07:57

I use Bitwarden and stratum since it has a wearos app as well and it’s nice to use that for 2fa codes

StopSpazzing@lemmy.world on 13 Oct 18:04

Started testing out stratum recently…

magguzu@midwest.social on 14 Oct 14:53

Had to scroll too far for Stratum! The watch app is also why I use it so that I can keep my phone far away from me while I work. Game changer. Surprised more don’t use it.

slazer2au@lemmy.world on 13 Oct 07:59

Authenticator and Authenticator.

Damn those innovative tech companies, what will they think of next.

Smash@lemmy.self-hosted.site on 13 Oct 08:56

Stratum

sbeak@sopuli.xyz on 13 Oct 09:23

Aegis seems like a pretty good 2FA app on Android from what I’ve heard. Personally, I use Ente Auth as sync is very helpful when I don’t have my phone nearby (you can either use the desktop app or use your browser, both work). Don’t think you can self-host sync, though I might be wrong. Ente Auth also works without sync, so there’s that.

I would not suggest using a password manager’s 2FA integration (e.g. Bitwarden, I think Proton Pass has one if you use that?) as it kind of defeats the point of 2FA, since if someone got access to your password manager, they would also get the 2FA codes.

sommerset@thelemmy.club on 13 Oct 09:36

Vaultwarden, bitwarden does 2fa tokens as well.
I use it now.
I used to use aegis before.

asudox@lemmy.asudox.dev on 13 Oct 11:15

I use Aegis on my phone.

BruisedMoose@piefed.social on 13 Oct 12:17

Adding to the Aegis chorus.

I also use Proton Pass for some sites that aren’t as critical for me / don’t have a bunch of PII. It’s easy.

Redex68@lemmy.world on 13 Oct 12:50

I personally use Ente Auth and quite like it, don’t use syncing and save an encrypted copy to my PC. I really like that you can see what the next code will be.

blackbarn@lemmy.zip on 13 Oct 13:41

Vaultwarden/bitwarden + a yubikey for bitwarden itself and a few others

vrighter@discuss.tchncs.de on 13 Oct 15:02

keepassxc and a yubikey. And syncthing to keep all devices in sync

jbk@discuss.tchncs.de on 13 Oct 15:05

since no one mentioned andotp i might have to move away from it…

sfjvvssss@lemmy.world on 13 Oct 20:32

I think it is not maintained any more: github.com/andOTP/andOTP

jbk@discuss.tchncs.de on 13 Oct 21:04

lol thanks

Curious_Canid@lemmy.ca on 13 Oct 15:33

I’ve been using Aegis for several years now without any problems. It replaced the Google Authenticator seamlessly.

suicidaleggroll@lemmy.world on 13 Oct 17:06

I used to use 2FAS, but recently switched to a self-hosted instance of Ente

zingo@sh.itjust.works on 13 Oct 18:59

Aegis.

I like the auto backup feature (encrypted) . Then the backup is synced to computer via Syncthing.

Set and forget setup.

d3lta19@lemmy.ca on 14 Oct 14:57

I also use aegis. Have been for years and it works great

Ohh@lemmy.ml on 14 Oct 19:12

For me aegis is by far the best. Simple. Encrypted. Backup. It’s saved to a syncthing folder. Passwords are in bitwarden for simple stuff but keepassxc is great. And also synced via syncthing.

Unlearned9545@lemmy.world on 13 Oct 20:06

Bitwarden

ikidd@lemmy.world on 13 Oct 22:00

Yah, I can’t see a point to have another app/extension when Bitwarden has it built in, and it’s a great password manager.

ripcord@lemmy.world on 13 Oct 22:12

Wait, it does? Including in the mobile app? I don’t see it.

ikidd@lemmy.world on 13 Oct 22:24

Right under Password in the edit screen of an item: Authenticator Key. You put in the auth key the target site provides you when you enable TOTP and it will start generating timed tokens. Usually you’ll also get a one-time pad of backup keys, I usually toss those in the Notes of the edit screen there as well in case something goes wrong.

<img alt="" src="https://lemmy.world/pictrs/image/07461840-a355-4e61-84f7-619a9f7a595e.png">

lka1988@lemmy.dbzer0.com on 14 Oct 15:18

The point of 2FA is “something you have” and “something you know” to enter a secured system.

If you put both of those into one system that is accessible by one password, the whole concept is defeated.

ikidd@lemmy.world on 14 Oct 15:26

My threat model isn’t having someone take my computer and log into stuff so my concern when using 2FA is more about them having gotten hold of a password remotely. But a TOTP makes that password pretty hard to use, no matter where it’s stored. And my BW is also protected by a Yubi/password combo, so I guess I’m just vulnerable to having that beaten out of me.

lka1988@lemmy.dbzer0.com on 14 Oct 18:53

The other issue with this - If you lose access to that one system, you’re SOL. It’s a single point of failure.

ikidd@lemmy.world on 14 Oct 20:34

That I could accept as a good reason.

waspentalive@lemmy.world on 16 Oct 14:37

But if they get your Bitwarden vault and crack it - they have everything. Throw a roadblock in their way - use a separate app for OTP.

Landless2029@lemmy.world on 14 Oct 00:37

I’m a little concerned about having OTP and passwords together in one system.

waspentalive@lemmy.world on 14 Oct 15:08

OTP is on my phone, Bitwarden is on my computer. I don’t use the OTP in Bitwarden.

Landless2029@lemmy.world on 14 Oct 15:33

This is the way. I use Bitwarden and Aegis.

The issue here is putting Bitwarden on your phone with OTP in Bitwarden.

waspentalive@lemmy.world on 16 Oct 14:36

On the phone, I use Authy, More eggs - more baskets.

waspentalive@lemmy.world on 14 Oct 15:07

Bitwarden

Jayjader@jlai.lu on 13 Oct 21:16

I use pass for my passwords, and it has an otp extension that I’ve been using more and more. I used to use aegis but I have needed to switch phones one too many times without having access to the previous phone to be comfortable with phones for 2fa.

Of course, this isn’t as secure as a truly separate OTP solution, but it’s still better than no OTP/2FA. And I can easily enough back up and restore my 2fa access over the internet, even on a new computer (albeit I need to also backup a PGP key that can decrypt the password store to truly be portable).

erock@lemmy.ml on 14 Oct 13:34

This is what I do. If someone can figure out pass with my password protected gpg, plus my passwords are partials (I salt them), and otp then they can have my access

Jayjader@jlai.lu on 14 Oct 14:02

plus my passwords are partials (I salt them)

I’m curious how you make that work - do you just remember the salts, store them separately, or what? I have like 50-70 passwords in my store currently, there’s no way I’m remembering a (true random) salt for each one.

erock@lemmy.ml on 17 Oct 23:42

My salt is just a memorized password I put in addition to the one stored in pass

pjusk@lemmy.dbzer0.com on 13 Oct 21:27

Woahhh defo not enough love for Ente Auth in these comments. Highly recommend! It’s got a beautiful and intuitive UI, completely open-source and is backed by super active devs and community 💚

jcolag@lemmy.sdf.org on 13 Oct 21:37

I primarily use GNOME Authenticator, but after an inopportune crash, I now also run 2FAuth on my home server as a backup, and now just hope that I remember to do the export/import dance going forward.

julianwgs@discuss.tchncs.de on 13 Oct 21:57

I use Proton Authenticator on an iPhone without an account and I am satisfied

W4nd3r3r@lemmy.ml on 13 Oct 22:30

FreeOTP+

twice_hatch@midwest.social on 14 Oct 15:12
Ohh@lemmy.ml on 14 Oct 19:13

If I remember correctly some tokens it can’t read? Can’t backup? Clunky interface? I looked at it, but decided against it.

W4nd3r3r@lemmy.ml on 23 Oct 04:20

Had no issues with FreeOTP+ for a long time, using it for many accounts

ClydapusGotwald@lemmy.world on 14 Oct 11:40

Ente

gajahmada@awful.systems on 14 Oct 13:39

Ente

poolhelmetinstrument@lemmy.world on 14 Oct 14:40

Ente

agelord@lemmy.world on 14 Oct 14:47

Ente

antimongo@lemmy.world on 14 Oct 16:31

Ente

Regulator0394@lemmy.dbzer0.com on 14 Oct 19:59

Ente

glnpf148@lemmy.world on 14 Oct 20:28

Gans

lka1988@lemmy.dbzer0.com on 14 Oct 15:20

I use Aegis, automatically backed up every time a new key is added. Was using Authy for a while, but they’re going down the enshittification hole, so I dumped them.

NotMyOldRedditName@lemmy.world on 14 Oct 15:59

Yubikeys. I think everyone should get a couple (need 2 in case 1 lost)

ChocolateFrostedSugarBombs@lemmy.world on 14 Oct 17:22

A combination of Yubikey and Enpass (I got Enpass back when it was $15 for perpetual).

nickiam2@aussie.zone on 14 Oct 17:50

Yubikey. It supports TOTP as well as passkeys. Plus is a physical device separate from my phone. Recommend getting 2 to have 1 as backup

bitwolf@sh.itjust.works on 14 Oct 19:01

Aegis

MrSulu@lemmy.ml on 14 Oct 20:15

Ente Auth

Lettuceeatlettuce@lemmy.ml on 14 Oct 20:40

Aegis for time codes, Nitrokey for physical 2FA tokens.

erev@lemmy.world on 14 Oct 20:47

Bitwarden as Vaultwarden enables TOTP.

sem@lemmy.blahaj.zone on 13 Oct 01:59

Proton Pass is addictive how convenient it is. I use Aegis to log in to proton pass.

gaiety@lemmy.blahaj.zone on 13 Oct 13:59

despite hosting most things, I still lean into Proton Pass and Mail

they aren’t perfect but I value their services and stick to self hosting less critical things