this post was submitted on 24 Nov 2023
63 points (98.5% liked)

Privacy

32120 readers
625 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

So basically what title says.

Im using 2FA with google authenticator for multiple accounts. What if my phone gets stolen? Can I have some kind of backup? Or maybe sync with some self hosted service?

Bonus question: what 2FA should I use instead of google?

top 44 comments
sorted by: hot top controversial new old
[–] Cotillion189@lemmy.world 39 points 1 year ago (2 children)

Use Aegis on android or 2FAS on iOS. And just backup your seed on hdd/usb stick. Dont upload on cloud.

[–] rambos@lemm.ee 5 points 1 year ago

Thx, looks perfect!

[–] SamsonSeinfelder@feddit.de -2 points 1 year ago (1 children)

IOS has a 2FA feature included in the key chain (passwords) settings. No need for a third party app. If you backup passwords via icloud, you are already set.

[–] Cotillion189@lemmy.world 1 points 1 year ago

Never upload your passwords to any cloud. Always use good foss instead of proprietary software.

[–] MaxPower@feddit.de 17 points 1 year ago* (last edited 1 year ago) (2 children)

~~There are many forms of 2FA. I'm guessing you mean TOTPs~~ oh you actually wrote that, my bad lol.

I copy the keys from Aegis to KeePassXC. KeyPassXC's database is part of my regular backup. This way I have two apps generating the same TOTPs.

[–] rambos@lemm.ee 8 points 1 year ago

I was afraid of using keypassxc since I dont trust myself, but using it as a backup sounds like amazing solution. Thank you

[–] ebits21@lemmy.ca 4 points 1 year ago

Personally I recommend just using KeePassXC and a KeePass app (I use KeePassium on iPhone).

You always have access to all your data that way. No company is monitoring you. A lot of apps make it very difficult to backup!

My totp database is in the cloud for syncing but needs a key file I don’t keep in the cloud (and a password). My passwords are entirely separate.

[–] rambos@lemm.ee 15 points 1 year ago (1 children)

Thank you all for tips. I got Aegis and backing it up to my selfhosted nextcloud. I will also keep google app in use for now, but I might get keypassxc or vaultwarden in the future

Cheers

[–] trones@ythreektech.com 3 points 1 year ago

As a user of Nextcloud, Aegis, and Vaultwarden, I can say it's a great set of tools. I don't know how I ever got by without Bitwarden/Vaultwarden.

[–] akilou@sh.itjust.works 11 points 1 year ago

I use Authy and am logged in on multiple devices so if I lose my phone I can still access the 2FA on my laptop. Then log back into the new phone using the laptop.

[–] Dave@lemmy.nz 11 points 1 year ago* (last edited 1 year ago) (3 children)

Aegis is a free open source TOTP 2FA app like Google Authenticator, and available on both F-Droid and Google Play. You should be able to export from Google Authenticator and import into Aegis.

Edit: I had assumed because Aegis had an option to import from Google Authenticator that this would mean you could export in bulk. Bad assumption to make, it sounds like you can do it if you have a rooted phone but Authenticator doesn’t make it easy. I did find this that shows a method to do a handful at once: https://blog.jay2k1.com/2021/11/17/how-to-bulk-migrate-from-google-authenticator-to-aegis/

[–] rambos@lemm.ee 5 points 1 year ago

Most comments recommend aegis, Im installing it right now. Thx

[–] illi@lemm.ee 3 points 1 year ago (2 children)

You should be able to export from Google Authenticator and import into Aegis.

If there is a way, I was unable to find it

[–] Dave@lemmy.nz 3 points 1 year ago

I had assumed because Aegis had an option to import from Google Authenticator that this would mean you could export in bulk. Bad assumption to make, it sounds like you can do it if you have a rooted phone but Authenticator doesn't make it easy. I did find this that shows a method to do a handful at once: https://blog.jay2k1.com/2021/11/17/how-to-bulk-migrate-from-google-authenticator-to-aegis/

[–] rambos@lemm.ee 3 points 1 year ago (1 children)

Yes, I just did it. Go to google auth - transfer accounts - you get QR code, screenshot it - and import in Aegis

[–] illi@lemm.ee 1 points 1 year ago

Huh. I was not able to make it work, perhaps I just overlooked something.

[–] 01189998819991197253@infosec.pub 2 points 1 year ago (1 children)

What's the benefit of Aegis over FreeOTP+?

[–] Dave@lemmy.nz 4 points 1 year ago* (last edited 1 year ago) (1 children)

For one, Aegis is more well known. Aegis has 6k+ stars where FreeOTP+ has about 500. This doesn't mean it's better, just that people are more likely to recommend it.

Aegis also has more features, and can import from many different authenticator apps (though as many don't allow exports, this may require technical knowledge to get the database and feed it in). If you have root then Aegis can pull directly from the other apps.

Aegis claims they are better than FreeOTP because the encrypt passwords at rest.

One big difference is FreeOTP+ lets you not have to enter a pin/password to see the codes while Aegis you need to enter a pin, password, or biometric to see your codes.

Popularity aside, you sold me on the import compatibility. FreeOTP+ can export to other FreeOTP+ installations, but I've had issues with exporting to other apps. I had to manually import using the secrets displayed within FreeOTP+. The encryption sold me. I will be migrating to Aegis. I haven't heard of it until this post, and have been using FreeOTP+ sans encryption.

[–] RovingFox@infosec.pub 9 points 1 year ago (1 children)

I use Authenticator Pro. It allows backups for itself or for exporting to other apps.

[–] Ozzy@lemmy.ml 3 points 1 year ago

+1 To AuthPro, the guy behind the app is really cool

[–] s3rvant@kbin.social 6 points 1 year ago

I use Aegis like several others here and then backup my codes to a Cryptomator vault which I can then sync online for cloud backup

[–] Pantherina@feddit.de 5 points 1 year ago (1 children)
[–] 6h0st_in_the_machin3@kbin.social 1 points 1 year ago (1 children)

This, I've just installed it this week and I think it's better than Google (though I'm suspicious of the "free" service.

[–] Pantherina@feddit.de 4 points 1 year ago

Its not a service its an app. And yes nothing is free so please donate to the Devs

[–] HurlingDurling@lemm.ee 5 points 1 year ago

Authenticator Pro is awesome, FOSS, and allows you to backup your 2FA.

[–] m0yP@lemmy.ml 5 points 1 year ago

Aegis or Ente Auth for Android. Backup your databases in your cloud of choice. Do not use Google Authenticator.

[–] Synthead@lemmy.world 5 points 1 year ago

All you need is the TOTP secret, and it will generate OTPs. If you enter the secret in another TOTP app, you'll also get OTPs. Here's a Ruby lib that will render OTPs from a secret, for example: https://github.com/mdp/rotp

For an Android TOTP tool, I like FreeOTP+. You can even use it for Steam OTPs.

[–] dessalines@lemmy.ml 4 points 1 year ago

Keepass + Syncthing

KeepassDX is a good android client, and it supports TOTP.

[–] Zerush@lemmy.ml 3 points 1 year ago (1 children)

I prefer an authentication code, which I can save on a pendrive or, if not, a second email. I never use 2FA with a phone number, precisely because a phone is never secure and is also a privacy hole. It's enough that they know my email, it's not necessary that they also know my phone number.

[–] rambos@lemm.ee 1 points 1 year ago

Who knows my phone number if I use Aegis?

[–] I_Miss_Daniel@lemmy.world 3 points 1 year ago

Just transfer them to another device? Or save the big QR code it generates as an image.

[–] elgordio@kbin.social 3 points 1 year ago (1 children)

When enrolling with the 2FA take a screenshot of the QR code, print it and add it to wherever you keep your secure documents. The QR code is your private key, just scan it again to add a new device if you lose your original.

Obviously you need to keep the code secure!

[–] LWD@lemm.ee 2 points 1 year ago* (last edited 11 months ago)
[–] Cyberflunk@lemmy.world 1 points 1 year ago (1 children)

I use 1pass at work and vailtwarden personally. Both are perfect solutions.

[–] rambos@lemm.ee 1 points 1 year ago

Im using bitwarden free for passwords only. I might try vaultwarden

[–] ExtremeDullard@lemmy.sdf.org 0 points 1 year ago (1 children)

Just take a screenshot of the QR code and save the image somewhere

[–] rambos@lemm.ee 1 points 1 year ago

I dont know why you got downvote. Seems like perfect backup if stored somewhere safe. Am I missing something?

[–] peasntanks@lemmy.ml 0 points 1 year ago* (last edited 1 year ago)

You could use a python script with oathtool copied onto each of your devices. This is not a good suggestion.

[–] Eideen@lemmy.world -1 points 1 year ago (1 children)
[–] shortly2139@lemmy.world 10 points 1 year ago (2 children)

Just a heads up. There is no way to export from authy. So if you ever want to switch apps for whatever reason, lets say they were bought by big evil corp., then you would have to go and regenerate all your keys. Where as a good app would let you export and import from anywhere

Yep took me several days to transfer all the logins to Aegis

[–] AtmaJnana@lemmy.world 4 points 1 year ago* (last edited 1 year ago) (1 children)

lets say they were bought by big evil corp

Is this an intentional joke? (I often miss jokes so I am asking seriously)

Authy was bought ages ago by Twillio, which also owns Segment (customer data platform)... So Twilio may not be all that big, but they're fairly big players in the tracking and ads space. Which I loathe.

I'm in this thread because I want to move away from Authy for this very reason.

[–] shortly2139@lemmy.world 2 points 1 year ago

An unintentional one it would seem. Had no idea. Thanks for highlighting this.