GitHub is slowly rolling in 2FA. Any good open source apps that will enable me to activate 2FA token on android?
If proprietary app is better and more robust I am willing to try it and assess it myself.
If proprietary app is better and more robust I am willing to try it and assess it myself.
I'm leaving links here in case anyone needs them
It supports importing data from various 2FA apps and even allows you to generate Steamguard codes.
I honestly don't know. I set it up with steamguard-cli few months ago and it's working like a charm.
Nothing to worry about when doing that? I'd love to have Valve support 3rd party 2FA apps officially, but oh well
Yes, it doesn't. Or at least they didn't when I started using Aegis for it, I had to import the key from the steam app, because they didn't show any QR codes or such. Not sure if it has changed since then, though.
Thank you!
I'd been a happy user of andOTP for many years, unaware until now that it had been abandoned and that I therefore needed ro replace it. I looked through the recommendations posted here and came to the conclusion that Aegis indeed was the best recommendation.
Migrating from andOTP to Aegis by exporting an encrypted backup file from andOTP to the local filesystem and importing it in Aegis worked flawlessly.
One thing that I really liked in andOTP that Aegis doesn't have was the PGP export, it was just very nice to get encrypted backup files that I could decrypt directly using standard software that I already have and know how to use, entirely independent from any particular app. Aegis instead provides the decrypt.py script to decode and decrypt its own encrypted backup file format and while I've tested and verified that this works fine, simply using standard PGP was nicer.
But that's a minor detail. All in all, Aegis seems to do everything I need, and does it well.
This is the best option. Love the app. But always remember to keep a backup of your tokens.
There is also ente.io authenticator app. It is available on fdroid. I think it supoorts cloud synchronisation as well.
KeepassXC is multiplatform. (Also: KeepassDX is quite nice as an an Android app for Keepass databases.)
It depends on your risk profile, but yes, it's less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.
If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.
With the risk of getting locked out if all your devices get logged out of Bitwarden! 🙈
To clarify, you'd want to enable 2fa for Bitwarden and store the token for that in a different authenticator app - that way you can still log in to Bitwarden without already needing to be logged in
I'd suggest the following
The really important step is to make sure to export and backup your 2FA codes in a safe place.
You don't want to be left in the mud because you lost or wiped your phone that contains the only method to get into your important accounts.
I see how 2FAS cross-device sync works, but there is no mention for Aegis on their site how they do it? For me, not having good sync across my Android devices and Linux desktop is a showstopper.
I've used it for years for numerous phones. it's the best. Link for the lazy
https://apt.izzysoft.de/fdroid/index/apk/me.jmh.authenticatorpro
Thank you for the information. I am using Aegis and will not move away from it – I have no reason to. I am completely content with the features it provides. However, I want to look at Authenticator Pro to see how it works, what features it brings and in general, how good the application is. If I like what I see, I will be able to provide an alternative to Aegis when I suggest a TOTP application for someone. I hope Authenticator Pro is great, so I can recommend it with confidence.
That's how I started too. I used Aegis for almost two years. Then I found out about Authenticator Pro and decided to give it a try. The nice thing is that it can import an Aegis export file, so it's easy to get started. Give it a try and see if you like it.
I love that you can back it up with a file... thatway i can put it somewhere safe and can recover my logins after my phone breaks
This! I don't even have to pick up my phone... I just check the code on my smartwatch. Awesome!
Bitwarden and it's fully cross-platform. I like that it auto copies the 2FA pin to clipboard after filling in login - cuts out extra clicks and copy movements.
Vaultwarden is also a great and simple to self-host backend written in Go that runs in Docker.
That's literally what the comment I reacted to is about. Are there two vaultwardens? Did you misread?
And very easy to set up and run without docker! For, you know, us folks with a BSD server 🙂
I think it is more about passwords being accessible after hacks etc. What you are referring to, is if Bitwarden were to be hacked, both are accessible. Online Bitwarden has securely hashed all the data, so that is pretty useless if anyone gets it. On my devices I use biometric login, and on desktop a Yubiky as 2FA into Bitwarden. I also have it set to request login every time the browser is restarted, just in case someone were to steal the session data from the browser.
But your point is very valid if a user were to have a weak password for their Bitwarden, or not to have a good 2FA for their Bitwarden login. You want to keep that basket of eggs as safe as you can.
But if the access to the combination of the two requires a separate 2FA (my Yubikey), then it is virtually separated. It is not just one password and you inside Bitwarden. One could argue otherwise, that having a 2FA app on the same phone as your password manager, is also not separate, if the same PIN/biometric gives access to that phone with the two apps on.
Do you use your Yubikey for 2FA or do you use it instead of a password?
If it's the former then I guess it's fine.
"Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium or membership to a paid organization (families, teams, or enterprise)."
It’s $10/y and a steal for that excellent software. I pay it and self host it just to support them.
This!
Keepassxc is cross-platform, free and open-source. It has also options for iOS and Android.
Bitwarden is all of those things. Unless you use their web vault, then it’s $10/year. Which keepassxc does not have.
I’m aware. So is Bitwarden if you don’t use their web vault, which KeepassXC does not have. Keepass can use a cloud drive to sync multiple devices whereas Bitwarden requires a self hosted instance to sync. Personally I would rather trust my own hosted instance over that of a cloud provider. But that all depends on your threat model and who you’re willing to trust. Having used both I personally prefer self hosted Bitwarden.
I know they exist. I think you’re missing what I’m saying.
Bitwarden is fully free and self hostable. That is how I use it. Bitwarden needs a self hosted webserver. KeePass can use only a cloud provider or self hosted cloud storage and also set up a web vault.
With Bitwarden, if you don’t want that hassle you can use their webvault they host. You cannot do that with keepass. That is what costs the $10/year.
Point is, both are good software that do things a bit differently. I liked KeePass, but I found Bitwarden to do what I wanted better, which was easily sync my passwords across devices without the hassle of self hosting something like Nextcloud. A quick docker container and I’m good.
Maybe some people are fine with keepass and something like Dropbox for sync. And maybe others don’t want to use a public cloud server but also don’t know how or want to host their own instance of a a password manager or cloud server. So they can use something like Bitwarden’s webvault instead, which is free except for TOTP.
aegis is great, but 2fas has Google Drive sync and a browser extension.
lack of sync is a dealbreaker for me.
I recommend one of the FOSS apps in fdroid for this, don't use a proprietary one from Google Play (like the Google Authenticator).
I use Yubico Authenticator with my Yubikey (NFC and USB) and Vivokey Authenticator - which is a straight fork of the Yubico Authenticator - with my Vivokey Apex implant.
The official GitHub app. Yes, it's not universal for other sites, but you get 2FA and a much more pleasant browsing experience.
For a universal solution, give Aegis a try.
andOTP is the only app I know of that's on F-Droid and has a feature to make an encrypted backup to a file.
Unfortunately it hasn't been updated in awhilee, but I dont think there's an alternative.
I see aegis supports automatic backups. I don't see it explicitly saying 'encrypted' backups though I too use andOTP but didn't realize it's not regularly maintained. I may check out aegis as it does support import from andOTP
Followup. Aegis does support encrypted backup. I had to do an unencrypted backup in andOTP so Aegis could import. Easy stuff
Edit: automatic backup doesn't encrypt? Or I am having trouble setting up
automatic backup doesn’t encrypt?
It does for me. Are you sure that your backup really isn't encrypted? Look in the JSON backup file, all your vault data should be encrypted and stored in one single long base64 encoded string with key name "db". Is that not so for you?
I had to do an unencrypted backup in andOTP so Aegis could import.
I just did an en encrypted backup from andOTP to the local filesystem and successfully imported it in Aegis. It worked flawlessly. Just in case someone else is reading this and is hesitant about how to migrate from andOTP to Aegis.