I love Aegis but I can't help but think that it's sad we ended up in this place with regards to 2FA. When all these temporary codes started they were sent over SMS, which was insecure but at least all I needed to do was to pick up my phone. Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.
It would have been so much more comfortable if we flipped this around a little - the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.
It feels like when the 2FA thing started no one considered that sooner or later all services will require it, and the UX will be terrible.
Some can do that in their own app, e.g. Steam Guard. Too bad that's not a standard. But the FIDO2/webauthn stuff may be similar.
I don't want that to be the standard. I don't want 20 different apps for each bank and each provider.
No, but a standard so that any app could implement that functionality and have it work with any service that supports it
Steam uses "standard" TOTP but displays the code in a non-standard format. You used to be able to extract the secret and use e.g. KeePass to provide the code in the Steam Guard format.
You still can.
If you do that in your own app, you might as well just show a QR code which the user scans and opens up the app for approval. Code as backup. Having to type in an alphanumeric code (talking about Steam Guard, not standard TOTP) when the app is already involved is quite outdated.
I believe Steam Guard already added the scan QR code flow a while ago?
You raise a good point: It seems like this should be possible to integrate into WebAuthN somehow, but currently it isn't.
Passkeys could be coupled with Web Push somehow, for a "confirm action x" type of experience pushed to your (networked) authenticator even when you're not at the website of the relying party that owns it.
You might enjoy Bitwarden (self-hosted with vaultwarden), which copies the TOTP to the clipboard after logging in to a site.
I'm using Bitwarden, for passwords, but I always felt uncomfortable with the idea of having my 2FA on my laptop too. It feels a little silly - if Bitwarden has both my password and my 2FA code, it's enough to hack my Bitwarden and all this "multi-factor authentication" isn't very "multi" anymore...
You shouldn't lose any security when your vault itself is protected with 2FA.
Theoretically that's true, but practically, Bitwarden (and any other browser-based extension capable of autofill) runs in a much less secure environment than e.g. Aegis or Google Authenticator on a smartphone, and people often keep it unlocked (or at least not requiring 2FA for every password access).
But then it's barely better than 2FA vault & 1FA app. ('Barely' because it's like a bit of depth, and breadth into a few specific attacks revolving around the app's poor handling of your password.)
I almost missed a train recently because I tried to book my ticket and, for the first time ever (and actually not since either), Amex wanted to send me a verification code. They support only SMS & email, but you can't change it for the current one and it was set to SMS, and I don't have email on my phone anyway and was at the station. Anyway, the SMS didn't arrive. Had the same thing recently with them from a bank; it's the network blocking them, suspected spam or whatever.
There's plenty of other reasons not to use SMS 2FA, but it might suddenly not work one day right when you need it, and totally out of your control, is perhaps the most universally compelling?
I'm totally not advocating for 2FA over SMS. It's also just not secure enough.
What if the website presented a QR you can scan with Aegis and then Aegis would make a request with your one time code? You could still type it manually - there would be an input and a QR code next to it.
Kinda surprised banks aren't more current with security, after all even NIST recognizes the problem with 2FA over SMS: https://www.nist.gov/blogs/cybersecurity-insights/questionsa...
Had this crap happen to me the other day with a banking app. Luckily I eventually managed to find a way to get them to call my phone with the code instead.
There are so many problems with SMS.
Fortunately, SMS-OTP isn't considered SCA/PSD2 compliant anymore (by itself, since it's only a single factor – and the card number doesn't count) by the regulator in the EU (not sure about the UK), so hopefully we'll be seeing less of that going forward.
I use Aegis only as backup because the workflow is cumbersome as you say (the app itself is flawless in my book), my primary TOTP authenticator is KeePass. I use the exact same KeePass setup on Linux, Windows and MacOS and copying a TOTP token is only a hotkey away. My KeePass also acts as SSH agent which also works with Cygwin, MSYS and WSL. On Android I use KeePassDX which also supports TOTP. I almost never ever open Aegis and when I do it's mostly to check that I can remember the password. I sync my KeePass databases across all devices and OSes with Syncthing.
Are you using the original KeePass or KeePassXC? I need to get off Authy now they've dropped their desktop apps.
The original, never liked KeePassXC and it doesn't support plugins. I also used Authy until I migrated TOTP to KeePass and Aegis years ago :)
I agree this kind of sucks (I have about 40 tokens on there), but it's relatively well mitigated with the search functionality and typing the first few characters of the service. This works for all that I've tried except the root MFA token from AWS, and I could easily fix that by exporting and changing the name and re-importing if I wanted to.
This has two things about it that make me actively not want it:
1. Does not work offline (requires an internet connection to work). The current design for TOTP is super flexible as it only requires time synchronization, which doesn't require an internet connection.
2. It means I have to install an app for each service, which I absolutely do not want to do. I would prefer to only use native apps for things that actually need to be native. PWAs and web UIs are strongly preferred for me. A comprehensive and robust way to manage permissions would mitigate my dislike for native apps somewhat, but this is getting harder and harder (though praise be unto GrapheneOS for their efforts!)
From an engineering perspective, it also feels like unnecessary bloat/complexity and coupling.
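What "only requires time synchronization" in point 1 means in practice, as an added example (not code from Aegis, KeePass or any other project named in this thread): the RFC 4226/6238 computation in Go using only the standard library. The RFC 6238 test secret (ASCII "12345678901234567890") and the base32 secret "JBSWY3DPEHPK3PXP" are the constructed inputs; the one-step drift window in verifyTOTP is this example's choice, not a value any service mandates.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// decodeSecret turns the base32 secret from an otpauth:// URI (the thing
// inside the enrolment QR code) into raw key bytes. Padding and case vary
// between services, so both are normalised first.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(strings.TrimRight(b32, "="), " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation of four bytes at the offset given by the low nibble of the
// last MAC byte, then modulo 10^digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the number of `step`-second intervals
// since the Unix epoch. Nothing here touches the network; a correct clock
// is the only thing the phone and the server have to agree on.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP is the server-side check. `window` extra steps on each side
// absorb clock drift; the loop does not return early, so its timing does
// not reveal which step matched.
func verifyTOTP(secret []byte, code string, unixTime, step int64, digits, window int) bool {
	ok := false
	for d := -int64(window); d <= int64(window); d++ {
		t := unixTime + d*step
		if t < 0 {
			continue
		}
		if hmac.Equal([]byte(totp(secret, t, step, digits)), []byte(code)) {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 6238 Appendix B test secret; the codes printed match the RFC's table.
	rfcSecret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d -> %s\n", ts, totp(rfcSecret, ts, 30, 8))
	}
	// A constructed enrolment secret as it would appear in an otpauth:// URI.
	key, err := decodeSecret("JBSWY3DPEHPK3PXP")
	if err != nil {
		panic(err)
	}
	fmt.Println("current 6-digit code:", totp(key, time.Now().Unix(), 30, 6))
}
```

The server side is where the offline property is easy to lose: a verifier that accepts a wide window, or that does not remember the last step it accepted, turns a 30-second code into something replayable for minutes.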
I agree regarding the offline ability, though literally all the things I'm using 2FA for are online, as they are about logging-in to services.
As for the 2nd point - I definitely don't think it has to be a separate app for each service. Why would it? Imagine an app that holds a private key, the website showing a QR code, you scan it with the app, the app sends the public key to the service using a URL provided in the QR code, and the service stores your public key. From now on, every time you want to log in you're asked to scan a QR code, which makes the app send a signed request to the URL encoded in it. The service gets the request and proceeds with the login. One app, all services.
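The enrol-then-sign flow described in that comment, written out as an added example (not code from the thread, from Aegis or from any real authenticator): both sides in Go using only the standard library's Ed25519. The path `/login/approve`, the `user`/`nonce` query parameters, the `qr-login-v1` prefix in the signed message, the two-minute challenge lifetime and the `bank.example` origin are all assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Service is the website (relying party) side of the protocol.
type Service struct {
	origin  string
	keys    map[string]ed25519.PublicKey // userID -> key delivered at enrolment
	pending map[string]time.Time         // userID+nonce -> expiry of an outstanding login
	now     func() time.Time             // injectable so expiry can be tested
}

func NewService(origin string) *Service {
	return &Service{origin, map[string]ed25519.PublicKey{}, map[string]time.Time{}, time.Now}
}

// Enroll is the first scan: the app hands over its public key once.
func (s *Service) Enroll(userID string, pub ed25519.PublicKey) { s.keys[userID] = pub }

// LoginQR is the text inside the QR: where to post, for whom, and a fresh nonce.
func (s *Service) LoginQR(userID string) string {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	nonce := fmt.Sprintf("%x", raw)
	s.pending[userID+"\x00"+nonce] = s.now().Add(2 * time.Minute)
	return s.origin + "/login/approve?" + url.Values{"user": {userID}, "nonce": {nonce}}.Encode()
}

// signedMessage binds the origin, so a signature made for evil.example is useless at bank.example.
func signedMessage(origin, userID, nonce string) []byte {
	return []byte("qr-login-v1\x00" + origin + "\x00" + userID + "\x00" + nonce)
}

// Complete is the handler behind the QR's URL: known, unexpired, single-use nonce and a valid signature.
func (s *Service) Complete(userID, nonce string, sig []byte) error {
	key := userID + "\x00" + nonce
	expires, ok := s.pending[key]
	if !ok {
		return errors.New("unknown nonce")
	}
	delete(s.pending, key) // consumed even if verification fails below
	if s.now().After(expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.keys[userID]
	if !ok || !ed25519.Verify(pub, signedMessage(s.origin, userID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// App is the authenticator on the phone: one key pair for every service.
type App struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewApp() *App {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &App{pub, priv}
}

// Approve parses the scanned QR, takes the origin from the URL it will post to
// (so the user can be shown who is asking) and signs origin, user and nonce.
func (a *App) Approve(qr string) (string, string, []byte, error) {
	u, err := url.Parse(qr)
	if err != nil {
		return "", "", nil, err
	}
	userID, nonce := u.Query().Get("user"), u.Query().Get("nonce")
	if userID == "" || nonce == "" {
		return "", "", nil, errors.New("malformed QR payload")
	}
	origin := u.Scheme + "://" + u.Host
	return userID, nonce, ed25519.Sign(a.priv, signedMessage(origin, userID, nonce)), nil
}

func main() {
	svc, app := NewService("https://bank.example"), NewApp()
	svc.Enroll("alice", app.pub)
	user, nonce, sig, err := app.Approve(svc.LoginQR("alice"))
	if err != nil {
		panic(err)
	}
	fmt.Println("first use:", svc.Complete(user, nonce, sig)) // <nil>
	fmt.Println("replay:", svc.Complete(user, nonce, sig))    // unknown nonce
}
```

Signing over the origin plus a single-use, short-lived nonce stops replay and stops a signature collected by a phishing page from being reused at the real site. It does nothing against an attacker who relays the genuine QR code to a victim: the victim's phone posts straight to the real service and the attacker's browser session is the one that gets logged in. Tying the approval to the device that scanned is the missing piece, which is what the proof-of-proximity mentioned later in the thread for WebAuthn's cross-device flow provides.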
A couple of things no one's mentioned yet. In Aegis you can add icons to token slots, and manually sort them (alphabetically). This, plus searching, helps a lot in finding tokens quickly. They have pre-existing icons for most of the common sites.
WebAuthN essentially gives you that behavior, with the addition of making it MITM-resistant (which TOTP isn't). It even works cross-platform these days (I think both devices need Bluetooth as a proof-of-proximity, to make sure an adversary isn't relaying you a QR code).
Unfortunately both iOS and Android absolutely insist on syncing these credentials to the cloud, but both now have APIs that would allow a third party to provide a local-only backend.
If you run Safari and store all your passwords using iCloud “Passwords”, Safari will automatically prefill the 2FA code. I assume this is the case for other browsers as well?
That's pretty close to webauthn, which works very nicely with yubikeys if the service supports it. 2fa? Please tap yubi button - done.
I just click search and type 2-3 characters and most of the time I can see what I need right away. I'm using way over 20 services with 2FA and that's really the least of my concern.
And I actually don't use search that much since Aegis also has a feature of sorting by usage, so whatever I'm using regularly is already at the top for me.
exactly :(
I wish passkeys would get rolled out quickly across all sites; most people use just 2 or 3 trusted devices 99% of the time.
For those edge cases where you are working on an untrusted device, the passkey on your trusted mobile can help with authentication via Bluetooth or some QR code, etc.
I used to quite like the hack that LastPass authenticator had to make it easier.
If you ever encountered a TOTP form in your browser that the LastPass browser extension recognised, it would send a push notification to the authenticator app on your phone which, if approved, would send the TOTP code to your browser and submit the form on your behalf.
Unfortunately it only ever worked on the handful of websites LastPass had implemented bespoke support for, but it was magic when it worked. It would be nice to have a universal standard for push notification 2FA.
At least with Aegis I can create groups. So I can separate email, work stuff, etc. and only see a few tokens in each group.
Sure, the UI isn't great. And it takes a couple of extra clicks to get to the groups. But given the stupid shit that sites do, like disabling paste for two-factor codes or passwords, I just would never trust them to not fuck up a more streamlined solution. I like a bit more manual control sometimes, at the expense of convenience.
And it also runs and is backed up completely offline, which is nice.
The phone making a request means it cannot be airgapped.
Working airgapped / offline is a great quality speaking in favor of TOTP.