
Aegis v3.0 – a free, secure and open source 2FA app for Android

yoavm
31 replies
23h10m

I love Aegis but I can't help but think that it's sad we ended up in this place with regards to 2FA. When all these temporary codes started they were sent over SMS, which was insecure but at least all I needed to do was to pick up my phone. Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

It would have been so much more comfortable if we flipped this around a little - the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.

It feels like when the 2FA thing started no one considered that sooner or later all services will require it, and the UX will be terrible.

LinAGKar
6 replies
22h46m

Some can do that in their own app, e.g. Steam Guard. Too bad that's not a standard. But the FIDO2/webauthn stuff may be similar.

panick21_
1 replies
22h26m

I don't want that to be the standard. I don't want 20 different apps for each bank and each provider.

LinAGKar
0 replies
20h50m

No, but a standard so that any app could implement that functionality and have it work with any service that supports it

bonki
1 replies
18h57m

Steam uses "standard" TOTP but displays the code in a non-standard format. You used to be able to extract the secret and use e.g. KeePass to provide the code in the Steam Guard format.

gsich
0 replies
17h28m

You still can.

oefrha
0 replies
16h8m

If you do that in your own app, you might as well just show a QR code which the user scans and opens up the app for approval. Code as backup. Having to type in an alphanumeric code (talking about Steam Guard, not standard TOTP) when the app is already involved is quite outdated.

I believe Steam Guard already added the scan QR code flow a while ago?

lxgr
0 replies
17h57m

You raise a good point: It seems like this should be possible to integrate into WebAuthN somehow, but currently it isn't.

Passkeys could be coupled with Web Push somehow, for a "confirm action x" type of experience pushed to your (networked) authenticator even when you're not at the website of the relying party that owns it.

khimaros
4 replies
22h47m

you might enjoy Bitwarden (self hosted with vaultwarden) which copies the TOTP to clipboard after logging in to a site.

yoavm
3 replies
21h56m

I'm using Bitwarden, for passwords, but I always felt uncomfortable with the idea of having my 2FA on my laptop too. It feels a little silly - if Bitwarden has both my password and my 2FA code, it's enough to hack my Bitwarden and all this "multi-factor authentication" isn't very "multi" anymore...

sunaookami
2 replies
21h31m

You shouldn't lose any security when your vault itself is protected with 2FA.

lxgr
0 replies
17h53m

Theoretically that's true, but practically, Bitwarden (and any other browser-based extension capable of autofill) runs in a much less secure environment than e.g. Aegis or Google Authenticator on a smartphone, and people often keep it unlocked (or at least not requiring 2FA for every password access).

OJFord
0 replies
20h11m

But then it's barely better than 2FA vault & 1FA app. ('Barely' because it's like a bit of depth, and breadth into a few specific attacks revolving around the app's poor handling of your password.)

OJFord
4 replies
20h4m

I almost missed a train recently because I tried to book my ticket and for the first time ever (and actually not since either) Amex wanted to send me a verification code. They support only SMS & email, but you can't change it for the current one and it was set to SMS, and I don't have email on my phone anyway & was at the station. Anyway - SMS didn't arrive. Had the same thing recently with them from a bank, it's the network blocking them, suspected spam or whatever.

There's plenty of other reasons not to use SMS 2FA, but it might suddenly not work one day right when you need it, and totally out of your control, is perhaps the most universally compelling?

yoavm
1 replies
12h16m

I'm totally not advocating for 2FA over SMS. It's also just not secure enough.

What if the website presented a QR you can scan with Aegis and then Aegis would make a request with your one time code? You could still type it manually - there would be an input and a QR code next to it.

qingcharles
0 replies
18h12m

Had this crap happen to me the other day with a banking app. Luckily I eventually managed to find a way to get them to call my phone with the code instead.

There are so many problems with SMS.

lxgr
0 replies
18h1m

Fortunately, SMS-OTP isn't considered SCA/PSD2 compliant anymore (by itself, since it's only a single factor – and the card number doesn't count) by the regulator in the EU (not sure about the UK), so hopefully we'll be seeing less of that going forward.

bonki
2 replies
19h2m

I use Aegis only as backup because the workflow is cumbersome as you say (the app itself is flawless in my book), my primary TOTP authenticator is KeePass. I use the exact same KeePass setup on Linux, Windows and MacOS and copying a TOTP token is only a hotkey away. My KeePass also acts as SSH agent which also works with Cygwin, MSYS and WSL. On Android I use KeePassDX which also supports TOTP. I almost never ever open Aegis and when I do it's mostly to check that I can remember the password. I sync my KeePass databases across all devices and OSes with Syncthing.

pnw
1 replies
18h47m

Are you using the original Keepass or KeepassXC? I need to get off Authy now they've dropped their desktop apps.

bonki
0 replies
18h36m

The original, never liked KeePassXC and it doesn't support plugins. I also used Authy until I migrated TOTP to KeePass and Aegis years ago :)

freedomben
1 replies
22h11m

I agree this kind of sucks (I have about 40 tokens on there), but it's relatively well mitigated with the search functionality and typing the first few characters of the service. This works for all that I've tried except the root MFA token from AWS, and I could easily fix that by exporting and changing the name and re-importing if I wanted to.

This has two things about it that make me actively not want it:

1. Does not work offline (requires an internet connection to work). The current design for TOTP is super flexible as they only require time synchronization, which doesn't require an internet connection.

2. It means I have to install an app for each service, which I absolutely do not want to do. I would prefer to only use native apps for things that actually need to be native. PWAs and web UIs are strongly preferred for me. A comprehensive and robust way to manage permissions would mitigate my dislike for native apps somewhat, but this is getting harder and harder (though praise be unto GrapheneOS for their efforts!)

From an engineering perspective, it also feels like unnecessary bloat/complexity and coupling.

yoavm
0 replies
21h52m

I agree regarding the offline ability, though literally all the things I'm using 2FA for are online, as they are about logging-in to services.

As for the 2nd point - I definitely don't think it has to be a separate app for each service. Why would it? Imagine an app that holds a private key, the website showing a QR code, you scan it with the app, the app sends the public key to the service using a URL provided in the QR code, and the service stores your public key. From now on, every time you want to login you're asked to scan a QR code, which makes the app send a signed request to a URL encoded in it. The service gets the request and proceeds with the login. One app, all services.

noman-land
0 replies
22h2m

Couple things no one's mentioned yet. In Aegis you can add icons to token slots, and manually sort them (alphabetically). This, plus searching, helps a lot in finding tokens quickly. They have pre-existing icons for most of the common sites.

lxgr
0 replies
18h3m

the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.

WebAuthN essentially gives you that behavior, with the addition of making it MITM-resistant (which TOTP isn't). It even works cross-platform these days (I think both devices need Bluetooth as a proof-of-proximity, to make sure an adversary isn't relaying you a QR code).

Unfortunately both iOS and Android absolutely insist on syncing these credentials to the cloud, but both now have APIs that would allow a third party to provide a local-only backend.

kmlx
0 replies
22h44m

the UX will be terrible.

if you run safari and store all your passwords using icloud “passwords”, safari will automatically prefill the 2fa code. i assume this is the case for other browsers as well?

fcsp
0 replies
22h47m

That's pretty close to webauthn, which works very nicely with yubikeys if the service supports it. 2fa? Please tap yubi button - done.

eipi10_hn
0 replies
22h17m

Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

I just click search and type 2-3 characters and most of the time I can see what I need right away. I'm using way over 20 services with 2FA and that's really the least of my concern.

And I actually don't use search that much since Aegis also has a feature of sorting by the usage so whatever I'm using regularly are already at the top for me.

eightnoteight
0 replies
16h48m

Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

exactly :(

I wish passkeys get rolled out quickly across all sites, most people use just 2 or 3 trusted devices 99% of the time.

for those edge cases where you are working on an untrusted device, the passkey on your trusted mobile can help with authentication via Bluetooth or some QR code etc,...

chippiewill
0 replies
18h24m

I used to quite like the hack that LastPass authenticator had to make it easier.

If you ever encountered a TOTP form in your browser that the LastPass browser extension recognised, it would send a push notification to the authenticator app on your phone which, if approved, would send the TOTP code to your browser and submit the form on your behalf.

Unfortunately it only ever worked on the handful of websites Lastpass had implemented bespoke support for, but it was magic when it worked. It would be nice to have a universal standard for push notification 2FA.

cam_l
0 replies
16h12m

At least with aegis I can create groups. So I can separate email, work stuff, etc and only see a few tokens in each group.

Sure the ui isn't great. And it takes a couple extra clicks to the groups. But given the stupid shit that sites do like disabling paste for two factor codes or passwords, i just would never trust them to not fuck up a more streamlined solution. I like a bit more manual control sometimes, at the expense of convenience.

And it also runs and is backed up completely offline, which is nice.

Eduard
0 replies
16h36m

phone making a request means it cannot be airgapped.

working airgapped / offline is a great quality speaking in favor of TOTP

sebastiennight
22 replies
23h11m

Last year Google Authenticator started syncing secrets to the cloud[0] which means that those secrets can now be accessed in new ways outside of the user's control[1], which resulted in a huge breach at a startup called Retool[2].

From then on I started moving my company's team and contractors (as well as family and friends) off of Google Auth and onto Aegis. The app is clean, easy to use, open source, and has all the options we could dream of (and its privacy policy isn't tens-of-pages-long like some other apps, where privacy seemed to be part of the marketing strategy but not the product itself).

I've been a very happy user.

[0]: https://news.ycombinator.com/item?id=35690398

[1]: https://news.ycombinator.com/item?id=35708869

[2]: https://news.ycombinator.com/item?id=37500895

Elbrus
12 replies
20h9m

I started moving my company's team and contractors (as well as family and friends) ... onto Aegis

An important question on this, if you don't mind:

If the phone, where Aegis was installed, is dead/lost/stolen, which options are available to make sure that access to the accounts linked to that phone wouldn't be lost either?

thombles
4 replies
18h38m

Every service I've used with TOTP codes (12 at current count) has given me some sort of randomised backup token at the same time to use if I lose my 2FA app. I store those somewhere separate. I'm not going to argue that this is user-friendly but AFAIK there's no reason you're obliged to use cloud backups today.

lxgr
3 replies
18h14m

This is actually a pattern I really don't like: Why do I mostly get these thrown at me for TOTP, but not other 2FA methods? What am I supposed to do with these "backup codes"? Store them all in my password manager?

At that point, I might as well store the TOTP seed there and rely on its multifactor authentication – which is probably fair for many use cases, but suffers from the problem outlined by GP.

I think sites should treat TOTPs effectively equivalent to Passkeys, i.e. as maybe synced, maybe backed up, but maybe neither – and then the user needs an alternative login method, just like for all 2FA methods.

sowbug
0 replies
16h17m

Choosing 2FA segregates users into two buckets. Most people are satisfied with the risk of allowing password reset emails and social engineering attacks. They don't pick 2FA.

The rest are generally more sophisticated users, and are willing to risk loss of the entire account if they lose their credentials. That's the price for an overall increase in account security. From this perspective, it makes sense to provide backup codes as another tool in the DIY account-management toolbox.

These buckets oversimplify the situation, but they help explain why backup codes are offered as last-ditch authentication for 2FA.

ploxiln
0 replies
16h9m

I write the backup codes in a small paper notebook, kept in a drawer at home. I've had to use it maybe once in the past decade. It's very unlikely that I'll lose both my phone and the notebook at the same time. It's extremely unlikely that anyone who breaks into my house and finds this notebook, can do anything with it.

brewdad
0 replies
16h55m

Personally, I use Bitwarden for passwords and store my 2FA seeds in a Keepass database on my PC and backed up to my cloud. It isn't perfect by any means but at least if my Bitwarden gets compromised, my 2FA tokens are safe and vice versa. If I lose control of both, welp, it's gonna be a bad time I guess.

microflash
3 replies
19h20m

You can optionally backup your encrypted data using Android's built-in backup utility tied to your Google account. It can, then, automatically restore codes when you sign in on a new device.

lxgr
2 replies
18h13m

Does that back up TOTP seeds in Google Authenticator? I thought apps had to opt in to this type of backup and would assume that Authenticator doesn't, but Google has changed the Android backup mechanism so many times, I lost track.

lxgr
0 replies
14h15m

Interesting, thank you! I would have expected Google Authenticator to somehow tangle the encryption keys used to the device it’s running on, but apparently it doesn’t if this works.

vraylle
0 replies
16h9m

It can put encrypted backups on almost any cloud service, pCloud in my case.

bonki
0 replies
19h11m

It has android cloud as well as automatic local backups. I do automatic local backups and use Syncthing to sync them off my phone. Works a charm!

Zuiii
0 replies
16h10m

Aegis can export an encrypted backup file that can be imported on another phone.

warkdarrior
4 replies
22h11m

Syncing to the cloud is an opt-in setting in Google Auth.

cmiles74
2 replies
22h7m

It was not in my case. I found out about this feature when I saw the green cloud icon and pressed it to find out what it meant. At that time I was made aware that my data was saved in my Google account.

sangnoir
1 replies
19h26m

It's likely your company's administrator forced this default behavior. Cloud sync was an opt-in on my account too, fwiw. It would have been a huge story had it been opt-out.

cmiles74
0 replies
4h44m

TLDR: From what I can tell, the "consent" to cloud backup from Google Authenticator was misleading at best and blocked access to the tool until it was given. IMHO this is another example of Google forcing decisions on customers in order to extract even more data. Thumbs down!

It looks like Google didn't make clear what was happening... There are almost no settings in Authenticator and there is no place to turn "cloud backup" on or off. I found this article that described the feature when it rolled out.

https://www.bleepingcomputer.com/news/google/google-authenti...

If the screenshot is accurate, they blocked access to the tool until "consent" was given to backup codes to Google. The text itself is clear in retrospect but, in my opinion, implies that there will be a choice to backup to Google and that choice was never presented.

"Google Authenticator is Upgrading... You can now sign into your Google Account and backup your Google Authenticator codes to the cloud."

A button is presented labeled "Get Started" and, if you click it, Authenticator will backup all of your codes to the cloud.

I don't remember being presented with this screen but I don't remember a lot of things. I suspect I needed to get a code and simply clicked the button to get to the list of codes. If I read it, I likely thought there was a new setting and I could manage this "backing up" from there. Clearly this was not the case and I "consented" to let Google have all of my 2FA codes.

lxgr
0 replies
18h11m

It's opt-in, yes, but via a dark pattern of "hey, cool new thing, say yes quickly?" as far as I remember it.

I remember getting tripped up by this, because I also have work credentials in there that by policy I'm not supposed to store in a synchronizing TOTP client, and Google Authenticator didn't even allow reviewing the TOTP seeds for the longest time, so this seemed like quite the departure from their previous security stance.

ckcheng
2 replies
21h37m

That sounded scary, but after reading into the Retool breach (thanks for pointing it out), it doesn't sound like Google Authenticator is completely to blame.

Retool points out the "attacker was able to navigate through multiple layers of security" [0], i.e.:

1. "through a SMS-based phishing attack" on "Several employees"

2. "one employee logged into the [SMS phishing] link", "logging into the fake portal"

3. "attacker called the [phished] employee" "and deepfaked our [IT team] employee’s actual voice"

4. "the [phished] employee grew more and more suspicious, but unfortunately did provide the attacker one ... (MFA) code" (over the call)

5. "The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward."

6. "This enabled them to have an active GSuite session on that device." With "Google Authenticator synchronization feature that syncs MFA codes to the cloud", "if your Google account is compromised, so now are your MFA codes".

By #5, I'm thinking GA sync is about as blameworthy as Okta for allowing a device to be added with just a single additional OTP token shared over a phone call?

Here's a different perspective (tptacek) [1]:

> We use OTPs extensively at Retool: it’s how we authenticate into [Google, Okta, internal VPN and Retool]

They should stop using OTPs. OTPs are obsolete. For the past decade, the industry has been migrating from OTPs to phishing-proof authenticators: U2F, then WebAuthn, and now Passkeys†. The entire motivation for these new 2FA schemes is that OTPs are susceptible to phishing, and it is practically impossible to prevent phishing attacks with real user populations

TOTP is dead. SMS is whatever "past dead" is. Whatever your system of record is for authentication (Okta, Google, what have you), it needs to require phishing-resistant authentication.

My only concern is the present tense in this post about OTPs, and the diagnosis of the problem this post reached. The problem here isn't software custody of secrets. It's authenticators that only authenticate one way, from the user to the service.

[0] https://retool.com/blog/mfa-isnt-mfa

[1] https://news.ycombinator.com/item?id=37503551

lxgr
1 replies
17h49m

it doesn't sound like Google Authenticator is completely to blame.

I don't think anyone would seriously claim that, but I think it's fair to call it an unfortunate additional hole in the swiss cheese.

ckcheng
0 replies
13h3m

I only started reading into the Retool case because there was the claim above that sounded serious and scary:

Google Authenticator started syncing secrets to the cloud[0] which means that those secrets can now be accessed in new ways outside of the user's control[1], which resulted in a huge breach at a startup called Retool[2].

tptacek
0 replies
15h24m

Point of order: Retool got hit by an SMS phishing attack, and while they made a big deal out of Google syncing TOTP seeds, the real moral of their story is to stop using TOTP altogether; it's not phishing-resistant. Rather than cutting a whole team from one TOTP app to another, it would probably be a better idea to shift the whole team to an IdP that forces FIDO2. TOTP is obsolete.

freedomben
11 replies
22h21m

I adore Aegis, and view it as one of the most important apps on my phone.

If you use Aegis on Android and use a Gnome-based Linux distro, I highly recommend complementing with Gnome Authenticator[1][2][3][4].

    flatpak install flathub com.belmoussaoui.Authenticator

Gnome Authenticator is still a little early and buggy (mainly performance issues when you have lots of tokens), but it can import and export Aegis format (and a few others). It's been downright luxurious having my seeds on my phone and my laptop and desktop.

[1] https://gitlab.gnome.org/World/Authenticator

[2] https://flathub.org/apps/com.belmoussaoui.Authenticator

[3] I think (I hope) that Gnome Authenticator will be distributed as part of Gnome at some point in the future, but it isn't yet

[4] It's also super easy to build and run from source using Gnome Builder[5]. Just open Builder and clone the source from gitlab, and click the "Build" button and it will do its thing

[5] https://wiki.gnome.org/Newcomers/BuildProject

shortsunblack
3 replies
10h50m

Which is idiotic, as having your seeds on your desktop no longer makes it two factor authentication, rendering the use of the phrase factually incorrect.

reddalo
1 replies
9h44m

If you login on some services on your phone, you have the same problem.

2FA protects you mainly from password leaks, not from people physically accessing your devices.

freedomben
0 replies
8h15m

Yes, very much agree. I am uncomfortable with the idea of putting them into a cloud service such as bitwarden, not because of a distrust for bitwarden, but rather having them on the cloud and/or in the same place as the passwords feels like a big reduction in security. Simply having them on an additional local device does not feel like much of a change to me.

To each their own though, and everyone has a different level of risk, and a different level of risk tolerance. With all security, it comes down to an evaluation of that. I know some people in a very safe area who don't even lock their car or their house. They have not had any issues, and it can be very convenient not to have locks. That security posture is not for me, but it works for them.

izacus
0 replies
9h33m

That is neither true nor idiotic.

pigpang
2 replies
12h55m

There is no way I will install an authenticator as flatpak.

sliken
1 replies
12h15m

Just curious, why?

freedomben
0 replies
8h10m

If I had to guess, which currently I do as GP has not provided an answer, I would guess it has to do with the ease with which the flatpak can be updated maliciously compared to a traditional OS package that usually goes through a separate maintainer. Thus, if the project was hacked or the owner of the flatpak turned evil, they could reap a pretty major bounty with no blocks in the way.

If this were my concern, I would just build from source as it is quite easy to do with this project.

lxgr
1 replies
18h8m

It's been downright luxurious having my seeds on my phone and my laptop and desktop.

The same is possible for my iOS tool of choice (called "OTP auth"). It can also synchronize to iCloud (passphrase encrypted) and make use of that on macOS.

I've resisted the temptation of that comfort so far (and of just putting the TOTP seeds into Bitwarden or 1Password), because it does seem a lot like collapsing what's now definitely two or maybe three factors into two or sometimes only one.

freedomben
0 replies
8h21m

Indeed, I went through a very similar philosophical dilemma as well. I eventually decided that the convenience outweighed the security reduction, in part because the security reduction feels fairly minimal as they still live only on local devices and not on a device accessible to anyone besides me.

I still can't bring myself to put them into bitwarden, though. I suspect that will be a line I refuse to cross for quite some time, even though the convenience and luxury of doing so is tempting. Having my seeds in the cloud to me definitely reduces a factor.

brnt
0 replies
7h31m

Why not Keepass?

BHSPitMonkey
0 replies
1h14m

You can just use a Keepass database and then you aren't locked in to a single OS (KeepassXC, Keepass2Android, etc.). Synchronize any way you like.

cosmojg
9 replies
20h0m

Bitwarden and KeePassXC also provide free, secure, and open-source 2FA in addition to password management. I keep my TOTP secret keys separate from my passwords simply by storing them in separate vaults. I don't know why anyone would use anything else (although I'd love for someone to comment and tell me).

Xaiph_Rahci
6 replies
16h5m

Because doing this reduces the 2FA into 1FA (i.e. there is no longer a possession factor).

911e
2 replies
14h19m

The goal is to protect your data from brute force, not from yourself; it's perfectly reasonable to have 2fa in your password manager. Saying it's 1fa is just fud.

aryonoco
1 replies
13h57m

It's not fud.

2FA traditionally means relying on one thing you know (i.e. a password) plus one thing you have, or one thing you are (biometrics).

Every single one of my passwords is unique and randomly generated and at least 32 characters, none of them are getting brute forced unless there is a sudden gigantic leap in quantum computing. And if that happens, the world has bigger problems than my passwords.

Having a separate identity factor, something that I own, is not to save me from myself. It's to save me if someone steals my phone or laptop and is able to get into it.

Now we all face different threat models and if your threat model doesn't call for having a totally separate identity factor, great! There's nothing wrong with that. But we don't all face your threat model, and some of us do indeed need a second identity factor that's not stored in the same place as the password.

polygamous_bat
0 replies
13h48m

Every single one of my passwords is unique and randomly generated and at least 32 characters, none of them are getting brute forced unless there is a sudden gigantic leap in quantum computing.

One of the threat models that I consider is there being a bug in the particular RNG/encryption algorithm implementation used to get that encrypted password. In that case, my password can possibly be brute forced much faster than purely random guessing.

bobbylarrybobby
0 replies
13h50m

Yes, if your vault is hacked, your 2fa will become 1fa, but:

- 2fa is still good for stopping someone who steals your password but not your whole vault

- 2fa blocks people from guessing your password (through brute force etc)

So there is still quite a bit of benefit.

aryonoco
0 replies
14h17m

There are different ways to avoid this.

Nearly all of my 2FA are in Bitwarden, because it's just so damn convenient. But my Bitwarden itself uses YubiKey as 2FA.

Since I adopted this setup last year, it's been the best of both worlds for me.

Alpha3031
0 replies
14h7m

... The possession factor is the encrypted file that stores your secrets. It is in fact the same factor that Aegis uses, because it also uses an encrypted file to store your secrets. I'm not sure what you're expecting Aegis to do that is different from storing TOTP secrets in an encrypted file.

oefnak
0 replies
3h39m

Bitwarden 2FA is not free.

Sander_Marechal
0 replies
9h16m

The main downside for me with using Bitwarden for 2FA TOTP is that I can't add more than one TOTP to a password. At work we use Active Directory so I can access a lot of sites with the same account, but all those sites have a different TOTP. I can only store one in Bitwarden and I am forced to store the rest on my phone in a regular authenticator app. I don't want to create duplicate accounts in Bitwarden just for the TOTP.

billforsternz
7 replies
13h8m

I'm a veteran developer, but really more of a "normal" than the type of developer who is commenting on this story. I admit I find this stuff really, really, really confusing. I hate dealing with any of this stuff, I don't do it voluntarily for the same reasons I don't (for example) use pretty good privacy for email (I just use web gmail like a regular person).

Anyway, I do (involuntarily) use 2FA for two services, and managed to set myself up with Google Authenticator on my Android phone. Both services that onboarded me for this explained it really poorly, but at least got me hooked up and I now routinely (and reluctantly) login to those services this way. Reading this I suddenly realised, whoaaa, if I lose my phone do I lose access to those (important) services? Well no, I hope not at least, when I look at the Authenticator app it has the green "your codes are being saved to your google account" cloud icon. That's kind of reassuring. I suppose.

I'm not really sure what my point is, other than online security is an ever more important issue, it's a swamp and even many technical people who might know everything there is to know about some arcane corner of the technology universe don't necessarily properly understand it. Although I suspect most would not be prepared to admit it like I just did. Actual normal people (like my wife for example) have absolutely no chance of getting on top of the details and navigating their way to a best practice solution. I hope Google (or Apple) don't either give up on this or go full evil, that would be really bad.

I think I will check out whether my two services can give me recovery codes. I am confident I can manage vital username/password combinations and recovery codes, that's the level of sophistication (or not) I'm comfortable with in this space.

BlackFly
3 replies
9h11m

For my personal threat model, most 2FA flows decrease my security. Historically, the loss of my phone is a more likely event than a compromise of my credentials, and the damage to me and the businesses holding my accounts from loss of my credentials is much less than the denial of service from loss of access. This flips with some access from my employer and my bank, but I don't associate any of my personal devices with my employer's account in any way.

It is a shame how the industry seems to think that security is some single dimension along which things are more or less secure. Denial of service for personal accounts is often times more damning and common than account compromise. 2FA makes me less secure in some cases.

arccy
1 replies
6h40m

but account compromise will often also lead to denial of service

ngneer
0 replies
5h30m

True, but you are missing the point. A system is secure that acts in its user's best interests. In the case above, 2FA is not in the user's best interest, as defined by the user.

RamRodification
0 replies
2h16m

I absolutely get your point but I think at least some of that is on you, or on those services. There are supposed to be safeguards that remove (or at least mitigate) the risk of denial of service caused by loss of the secondary device. One-time-use codes or some other method for emergency access are common ones I can think of.

daqhris
1 replies
10h9m

The current state of technology seems frightening indeed. This 2FA is a miracle. It is free and independent of the big tech companies. I'd put it on the same level of importance as Mozilla products. In the future, we will see more proof-of-personality applications for security reasons. But recovery codes won't be going out of fashion any time soon. Unless, of course, AI-enabled developers are gifted with long-term memory in the next few years.

ParetoOptimal
0 replies
4h45m

This 2FA is a miracle. It is free and independent of the big tech companies

Microsoft is trying to make that untrue. If your job uses Office 365 you are forced to use Microsoft Authenticator by default.

Embrace, extend, extinguish is etched in their company DNA I guess.

GoblinSlayer
0 replies
11h24m

But can you access your google account if you lose your phone? That account belongs to google, not to you.

tremarley
6 replies
21h0m

Are there any good 2FA applications for Desktop?

Using the phone to authenticate every login seems very inefficient.

Some of us do not like using the phone.

usr1106
0 replies
11h15m

I use my own 15 lines of Python code calling pyotp. At least for desktop means preferably CLI.
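
As an added illustration of the small command-line generator described above (this is not usr1106's script and it does not use pyotp; it implements RFC 4226 HOTP and RFC 6238 TOTP directly on the standard library), the block below takes the base32 secret that issuers show beside the QR code, prints the current code, and also includes the verifier's side with a one-step clock-drift window, which is the part a defender cares about. The `TOTP_SECRET` environment variable and the `verify` function are assumptions for this example; the expected values in the test come from the RFC 6238 Appendix B test vectors (secret `12345678901234567890`, SHA-1, truncated to six digits).

```python
"""Minimal command-line TOTP generator and verifier (RFC 4226 HOTP + RFC 6238 TOTP).

Added example, not the script from the post. Uses only the standard library.
"""
import base64
import hashlib
import hmac
import os
import struct
import sys
import time
from typing import Optional


def decode_base32(secret_b32: str) -> bytes:
    """Normalise the secret an issuer displays: strip spaces, upper-case, restore padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # issuers often omit the '=' padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the time step."""
    t = int(time.time()) if at is None else at
    return hotp(decode_base32(secret_b32), t // step, digits, algorithm)


def seconds_remaining(at: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid; handy for a CLI that prints a countdown."""
    t = int(time.time()) if at is None else at
    return step - (t % step)


def verify(secret_b32: str, candidate: str, at: Optional[int] = None,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check (hypothetical helper): accept the code for the current step and
    +/- `window` neighbouring steps to tolerate clock drift, comparing in constant time."""
    t = int(time.time()) if at is None else at
    secret = decode_base32(secret_b32)
    base = t // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, base + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Read the secret from the environment rather than argv so it stays out of shell history.
    secret = os.environ.get("TOTP_SECRET")
    if not secret:
        sys.exit("set TOTP_SECRET to the base32 secret shown by the issuer")
    print(f"{totp(secret)}  (valid for {seconds_remaining()}s)")
```

Usage: `TOTP_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ python totp.py` prints the six-digit code and its remaining lifetime. Services that use SHA-256 or eight digits (rare, but Aegis and similar apps expose both settings) are handled by the `algorithm` and `digits` parameters.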

patrakov
0 replies
1h23m

I would say that the "generic desktop app" approach is to be avoided. The reason is that there is a strictly better alternative that targets almost the same audience. By implementing a TOTP generator as a desktop browser extension instead, one gets visibility into which site the user visits, and can show only the relevant code, or, if there is none, a phishing warning.

The users that are left behind in the browser extension approach are those who need TOTP for non-web things like SSH.

Happy user of https://authenticator.cc/

mhitza
0 replies
20h55m

I use Bitwarden for passwords and 2FA (browser plugin, Android app for mobile). Definitely not recommended by anyone security focused, but these 2FA codes are forced onto me by different platforms and not something I chose/care about.

There should be desktop authenticator software. If I can have one on Linux I'm sure all the other desktop OSs have at least 1.

jonotime
0 replies
19h49m

I use keepass on phone and desktop

alisonatwork
0 replies
12h28m

I use KeePass. It's a little bit cryptic to set up the OTP - you have to create an advanced field called TimeOtp-Secret-Base32 with the seed in it - but after that you just Ctrl-T to get the latest code.

jrm4
5 replies
22h59m

Since we're here: Anyone else dealing with the stupid thing where your organization won't let you have your generating token thing and instead force you into e.g. Duo?

I have only one, and it's frustrating. I know it's probably breakable with rooted Android or something but haven't had much time to look into it (or fight it).

lxgr
1 replies
17h50m

TOTPs are inherently less secure than many of these proprietary solutions (they don't offer control over where people store them and whether they create backups of them, for one thing), so I do somewhat understand companies preferring those.

jrm4
0 replies
46m

I agree that "TOTP with user held keys offer relatively more control to the user than to the organization," but I would never call this "inherently less secure."

Just a different kind of insecure.

genpfault
1 replies
17h15m

Aegis will happily slurp the secrets out from Duo on a rooted device.

devsda
0 replies
14h41m

Some organizations disable TOTP entirely. Instead, every time there's a login attempt a pop-up notification with "allow" & "deny" options is pushed to the registered device.

explosion-s
0 replies
22h54m

Duo lets you use a physical security key, I then use bitwarden to store that as a passkey. Not quite a full replacement but good enough for me (you can also self host bitwarden [0])

[0] Vaultwarden

lern_too_spel
4 replies
21h7m

Just use Bitwarden. The UI is clunkier, but the UX is better. After it fills in the username and password, it puts the OTP in the clipboard, so you can just paste and go without opening an app and manually copying it into the login form.

tremarley
2 replies
21h3m

Using a password manager as your authenticator seems very risky to me.

You should use separate services.

If your password manager is breached, at least the infiltrator cannot pass 2FA.

lern_too_spel
1 replies
20h25m

It is no different from Passkeys in that regard, yet we're fine with that. If you want extra security, you would have your password manager and your OTP generator on different devices, but only a small fraction of people do that. Storing your OTP generator secrets and your passwords in the same app provides a reasonable trade-off between security and convenience for most people.

patrakov
0 replies
1h18m

Let me add: for services like GitHub that never log you out, 2FA is pure security theater. The only factor in this case is a browser cookie.

belthesar
0 replies
20h54m

I'm hard opposed to storing my second factor codes alongside my first factors. Part of the reason why I use 2FA is because if my password store is compromised, the accounts in it that are compromised do not contain all of the credentials necessary to log into the accounts protected by 2FA. I also do not store my emergency removal codes in the same secret store as my passwords for this reason.

abhinavk
4 replies
14h33m

What do you guys prefer to use on iOS?

halJordan
1 replies
14h10m

Raivo is a source-available iOS app. It has exports, iCloud sync and can generate a new QR code. Keychain is also not bad.

Ringz
0 replies
10h16m

OTP Auth. In use for years. Backups, iCloud Sync, Widgets, Folders. Perfect.

sunng
2 replies
23h6m

I have been using andOTP for years but the development seems to have halted, and it's no longer available from F-Droid. The feature that backs up with GPG encryption is broken.

I hope it's possible to import my OTPs from andOTP into Aegis. Backup encryption with GPG (OpenKeychain) would also be welcome.

MRPockets
0 replies
3h52m

I have been a happy long-time user of andOTP since migrating to it from FreeOTP (iirc) and was unaware that it was no longer maintained. Some quick digging shows that the GitHub repo links to this XDA post[0] where the author announced he was ceasing development. :(

The good news is that migrating to Aegis is quite simple. Export from andOTP, in Aegis go to Settings -> Import & Export -> Import from File, & choose andOTP. Pick your file and away you go.

It doesn't seem to have a database of icons like andOTP does though; none of my imported items show an icon though several did in andOTP. (Could this be because of the method they were added?)

[0] https://xdaforums.com/t/unmaintained-app-4-4-open-source-and...

CorrectHorseBat
0 replies
20h32m

Yes, it's possible to import from andOTP.

rkagerer
2 replies
19h20m

What's the backup story like?

Can you do an encrypted backup on demand (protected with a password you supply)? Is there any desktop app such backup can be opened/read with (or even eg. read with something like sqlite db browser)? Can the app be configured to save an encrypted copy to eg. Dropbox whenever changes are made?

Is it recommended to install from Play store, or the APK off GitHub?

logicprog
1 replies
19h12m

I use Aegis as my main app for 2FA so I can answer these questions:

Can you do an encrypted backup on demand (protected with a password you supply)?

Yes!

Is there any desktop app such backup can be opened/read with (or even eg. read with something like sqlite db browser)?

It's just plain JSON once decrypted, so it's always readable; I do know the GNOME Circle app "Authenticator" can natively import Aegis backups as well, since it's what I use on my desktop machine, but I don't know what other apps exist.

Can the app be configured to save an encrypted copy to eg. Dropbox whenever changes are made?

It does have some facilities for automatic and cloud backups judging from the settings page, but I've never tried them.

Is it recommended to install from Play store, or the APK off GitHub?

If you do the latter you'd lose automatic updates. I used F-Droid.

greenmartian
0 replies
14h13m

If you do the latter you'd lose automatic updates.

Obtainium[1] will give you automatic updates from most sources, including GitHub/GitLab/Codeberg and F-Droid repos. Especially relevant to this discussion, since Aegis 3.0 hasn't hit F-Droid yet, as of the writing of this comment.

[1] https://github.com/ImranR98/Obtainium

occam65
2 replies
20h55m

I've been using Aegis for a number of years, and have found nothing I don't like about it. It's a perfectly functional app, and I'm looking forward to trying out the new update!

bonki
0 replies
18h55m

I totally agree, it's probably the only app I ever used that I would consider flawless.

Semaphor
0 replies
12h50m

It’s why I was a bit scared when reading the title (though the screenshot makes it look like I’ll be fine), I’ve had two open source apps make their UI/UX vastly worse recently with major updates (granted, I’m assuming some people like the changes), one was Gajim (XMPP messenger) on Desktop, and another Breathly (guided breathing) on mobile.

korm
2 replies
20h50m

Here's a utility to convert exported Aegis JSON to a KeePass 2 or KeePassXC database if anyone's interested: https://github.com/GeKorm/atk (binaries in the releases page)

graynk
1 replies
15h53m

Thanks for forking and supporting my initial clumsy tool, glad to see someone else found it useful :)

korm
0 replies
9h15m

Not only did your tool help me with Aegis & KeePass, but it introduced me to Go, so thank you 2x for it!

SushiHippie
2 replies
23h34m

I really like that more and more apps are starting to use Material 3/You.

Apple's UI design was never my cup of tea, but I love the consistency of UI design in most iOS apps, compared to the wild UI inconsistencies on Android.

mrd3v0
1 replies
23h28m

I'd take a more diverse UI experience on Android any day over a more polished yet heavily opinionated experience on iOS.

That being said, I feel like the main complaint about Android app design is the fact that a lot of apps are just horrible half-assed implementations of old Material UI slapped together in a drag and drop editor like the Android Studio widget system. Offering an incentive for people to build anything and make money off data collection and ads without the corporate tyranny of Apple results in just that. So apps that are on FOSS repositories such as F-Droid are usually much cleaner to use, despite their UI/UX being just as diverse.

SushiHippie
0 replies
20h38m

Agreed. I've never owned an iPhone, so I'm kind of used to the Android experience and don't mind that much, but I'm just happy that it gets more and more consistent, at least the apps I use.

Though I only use FOSS apps so I can't speak for the Play Store apps.

OJFord
2 replies
6h0m

Apparently I missed the memo, still using Authy while everyone's moved to Aegis?

Any particular reason/benefit(/con or breach of Authy), other than being FOSS (which I do see as a benefit)?

PurpleRamen
0 replies
4h12m

Authy has no official backup solution; it's vendor lock-in. They discontinued their desktop app last week, are owned by a company, and so you never know when they might charge money or discontinue the app as a whole.

There are unofficial solutions for backup, but who knows when those will stop working.

Belphemur
0 replies
5h52m

Not linked to your phone number. It does encrypted backup that can be synced with Google Android backup (if you want).

Supports the Steam authenticator (if you follow the guide on how to get the key).

You can organize the MFA providers into groups that make sense to you.

You're in full control and the keys never leave your device unless you want to.

You can see the keys whenever you decide.

And the list goes on. I've been using it for years and it's the best MFA app on the market.

wofo
1 replies
23h40m

Aegis should really be better known IMO. I installed it on an old phone that didn't have enough storage for Google Authenticator and was really pleased with the app. The fact that it's a community project is also a nice bonus.

mrd3v0
0 replies
23h23m

The fact that it's a community project is also a nice bonus.

It is more than a bonus. This is the only kind of project where you know that tomorrow, the day after, or a year from now there won't be profit incentives or a pending IPO to completely abuse your experience as a user and extract as much profit as possible.

nogajun
1 replies
18h5m

FreeOTP, supported by Red Hat, is another open source 2FA application. I use it.

FreeOTP: https://freeotp.github.io/

fidelramos
0 replies
3h56m

Same here. I haven't compared it in depth with Aegis, but besides some UI quirks I'm happy with FreeOTP. Am I missing anything important?

kristjank
1 replies
23h15m

I used it until I switched to KeePassXC for all of my secret management means, but it's still a great app to fall back to, and allows for simple information exchange when moving to another app.

RandomGuy456
0 replies
22h52m

Hi!

I use both plus Syncthing to automatically back up my vault to the PC. Great combo!

Fervicus
0 replies
16h21m

Happy Ente user on iOS.

borplk
1 replies
17h8m

Does it support folders for separating entries? I like to separate work from personal entries.

microflash
0 replies
16h55m

It supports Groups to organize entries.

Narushia
1 replies
22h7m

I'm currently a happy user of 2FAS[1], any idea how Aegis compares to it? A quick search suggests that Aegis doesn't support multiple devices and is not available on desktop.

[1]: https://2fas.com/

brandensilva
0 replies
21h29m

Let's hope they add a desktop app. I'm on that screen more than my phone. I'm not one to care about having my phone on me all the time.

panick21_
0 replies
22h25m

I use one that has to be activated with the Yubikey over NFC. Pretty slick.

nzeid
0 replies
23h10m

I happened upon this app recently when I was frantically searching for a Google replacement. Couldn't believe something this polished was lurking. I used another open source app several years ago but it got discontinued (FreeTOTP or something).

noman-land
0 replies
23h16m

Aegis is really great. So nice not to use proprietary authenticators. And it can do import and export.

Does anyone know the history of this project? It seems legit but an authenticator is a pretty sensitive application so making sure this app is trustworthy is a little more important than for other apps.

nicoco
0 replies
23h35m

Great app that does the job! The kind I don't mind installing on my phone.

I use it for Nextcloud, GitHub and my Microsoft account (it was really buried in the settings but it is possible to avoid using the MS Authenticator app).

jonotime
0 replies
20h23m

This looks very nice. Had I not just moved all my 2FA to KeePass, I would give it a go. My setup: Mac desktop, Linux desktops, Android, with Syncthing to tie it all together.

Zuiii
0 replies
16h2m

Truly open-source, available on F-Droid, works on everything including low-end Android hardware, with everything except Microsoft (because Microsoft). What's not to like?

TrailMixRaisin
0 replies
23h14m

I use this app and am very happy. For me the selling point was the possibility to back up my profile and therefore all the configured keys.

Timber-6539
0 replies
15h1m

Long ago, I used Google Authenticator to store 2FA tokens without giving it much thought.

When I lost the app data to a phone reset, I also lost my 2FA tokens. Got lucky I didn't have many tokens saved at the time and was able to restore all the important accounts despite losing the tokens. Even though it was my fault for not reading the T&C of the Google Authenticator app, I cursed Google for creating an inferior product on an OS they controlled. What was the use of requiring login with a Google account on the Android device if you are not going to persist this kind of data?

Then I moved to Authy which syncs and stores your tokens online to their cloud, allaying all the fears I had from previous experience. Incidentally another phone reset happened.

Now Authy allows you to access your tokens "locally" to any device that can install their app or browser extension. Using more than one "device" locally gives you data redundancy.

I cannot just trust a browser extension with my 2FA tokens (yikes), so at the time I only had my Android device with the tokens locally. When this "trusted device" (read app data) was lost I had to request support for a reset to gain back my data from Authy. That process takes 48 hours after initiating the reset.

(The app data counts as a device, not the other way around; this is the crux of my problem with 2FA application design.)

As soon as I got my tokens back I moved to Aegis and never looked back. I can export backups, save them encrypted on any location and import them anytime without fear of losing app data aka device.

ShoneRL
0 replies
4h23m

Can we just get a 2FA app that's cross-platform and synchronized? I understand the security implications of that but I don't care, I would rather have my social media hacked and have it convenient than have to go grab my phone whenever I want to log in to something.

Authy is discontinuing their desktop app...

ParetoOptimal
0 replies
23h22m

Aegis is good and I enjoy using it.

I hope others don't follow Microsoft Authenticator's footsteps in creating their own authenticator, saying others are insecure, and not allowing authenticators like Aegis.

KTibow
0 replies
16h4m

While we're talking about places to use 2FA, if you have a watch it might be a good idea to put your 2FA codes there for redundancy.