EmailDiscussions.com  

Old 12 Aug 2025, 02:31 AM   #1
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,532
Authenticators for 2FA: any recommendations?

I have decided to buy a Yubikey for two-factor-authentication as soon as I have my internet connection in my new home. I'm in the hectic period of relocating, in a month's time I should be connected in my new home.



In the meanwhile, are there any authenticator apps for smartphone that are solid and secure?

I would rather not use Google Authenticator and Authy (the latter has had security breaches and leaks).



I think one of our users (not sure anymore who) recommended FreeOTP here.

Aegis was recommended by someone on Reddit, he says that app works entirely offline so in order to have access to your one-time codes for logging in, someone would need to be able to access your unlocked mobile phone (on top of knowing your username and password).

I've never really researched any good authenticator apps as I quite rapidly decided to buy a Yubikey as soon as the relocation process is over. But for that 1 month in between, which authenticator apps have a good reputation when it comes to security and reliability?
Tsunami is offline   Reply With Quote

Old 12 Aug 2025, 04:32 AM   #2
Avion
Senior Member
 
Join Date: Sep 2022
Posts: 199
Quote:
Originally Posted by Tsunami View Post
I have decided to buy a Yubikey
I'm shocked! You've actually made a decision? I'm guessing there's many years of searching for recommendations.

Quote:
In the meanwhile, are there any authenticator apps for smartphone that are solid and secure?
As regards to Aegis, I've used this for quite some time and it's been my 'go-to' app for 2FA.

When scanning QR codes into the authenticator, I always take a screenshot of the code and save that into a KeePassXC database of QR codes. That way, if I were ever to lose the phone with the authenticator app, I would have the existing codes in a secure location ready to use again. Once a month, I also do a backup (export) of the codes held by the authentication app.
Avion is online now   Reply With Quote
Old 12 Aug 2025, 09:46 AM   #3
hadaso
Intergalactic Postmaster
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 5,117
Quote:
Originally Posted by Tsunami View Post
I think one of our users (not sure anymore who) recommended FreeOTP here.
I'm the one who mentioned FreeOTP.
It's open source from Red Hat. No ads. Needs very little permissions (camera to scan the QR code. You can also type in the code instead of scanning the QR, but I don't mind giving camera permission to an app that has no network permissions).
I use it practically every day since I lost my Yubikey. It just works, and does nothing more than it needs to do. There's a backup and restore option. It saves a file locally, and I guess it can read that file to restore.
hadaso is offline   Reply With Quote
Old 16 Aug 2025, 06:42 AM   #4
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,532
Quote:
Originally Posted by Avion View Post
I'm shocked! You've actually made a decision? I'm guessing there's many years of searching for recommendations.



As regards to Aegis, I've used this for quite some time and it's been my 'go-to' app for 2FA.

When scanning QR codes into the authenticator, I always take a screenshot of the code and save that into a KeePassXC database of QR codes. That way, if I were ever to lose the phone with the authenticator app, I would have the existing codes in a secure location ready to use again. Once a month, I also do a backup (export) of the codes held by the authentication app.

I actually do make decisions indeed. My decision to buy a Yubikey was made already a couple of months ago. I just have to order it, which I'll do early September when I move into my new apartment and can be sure the Yubikey will be delivered at the right address. (Belgian postal services are notoriously slow, so I don't dare to rely on the "I guess it'll arrive before I move" idea).

So you are glad with Aegis?

Is it correct that this app is totally offline, so that the only way for thieves to get access to your backup codes is by stealing your phone and managing to unlock it?

As for the backup codes that you can use to get access into your account in case you'd lose the phone with Aegis authenticator app, isn't it equally good to write down those codes on paper and keep a couple of copies in different places in your house?

So far (I know I may sound old-fashioned) I have always written important-to-remember things down on paper and store it in a very safe place. I don't have the habit to use other apps or programs to store those things I know I should never forget.


Quote:
Originally Posted by hadaso View Post
I'm the one who mentioned FreeOTP.
It's open source from Red Hat. No ads. Needs very little permissions (camera to scan the QR code. You can also type in the code instead of scanning the QR, but I don't mind giving camera permission to an app that has no network permissions).
I use it practically every day since I lost my Yubikey. It just works, and does nothing more than it needs to do. There's a backup and restore option. It saves a file locally, and I guess it can read that file to restore.

Yeah, I don't need 2FA with a lot of features. What I want is to sign into accounts by providing username and password + the one-time code a 2FA authenticator provides (be it Yubikey or an app on smartphone).

What is the purpose of saving a file locally?

I know I'm a bit old-fashioned in some ways. If the 2FA authenticator provides backup codes that can be used to sign in in case you lose the authenticator, then I would probably write those backup codes on paper, put a copy of that paper in another equally safe place, ... Only people who can access my actual house could then access those backup codes.
Tsunami is offline   Reply With Quote
Old 16 Aug 2025, 07:51 AM   #5
JeremyNicoll
Cornerstone of the Community
 
Join Date: Dec 2017
Location: Scotland
Posts: 697
Quote:
Originally Posted by Tsunami View Post
Only people who can access my actual house could then access those backup codes.

If your "very safe place" (mentioned earlier) is in your house ... /access/ (by a thief/vandal) to the house is not the only concern. What about events that might make it impossible for you to get into the house? Fires, floods, landslides ... there's increasingly lots of bad things happening in various parts of mainland Europe...

When my parents were still alive I kept paper copies of some vital info at their house, about 7 miles from my house. But now ... unless I hire a box in a bank vault - a traditional prime target for thieves - how do I find somewhere secure (& fairly readily accessible by me) a few miles from my own home?
JeremyNicoll is offline   Reply With Quote
Old 16 Aug 2025, 08:33 AM   #6
TenFour
The "e" in e-mail
 
Join Date: Feb 2017
Location: USA
Posts: 2,123
It is far more likely to have your home burn down than to be hacked in a good online system. I know personally two people who had major water pipes burst when they were away, destroying the interiors of their homes. Then there are earthquakes, floods, hurricanes, etc. I always think of a story of a man in Houston who escaped the floods by chopping a hole in his attic roof so he could escape with nothing but the clothes he was wearing. He luckily had everything in Google's cloud drives and though he was displaced hundreds of miles away he was able to simply buy a new Chromebook and was up and running nearly instantly, with no loss of data. We are always worrying about the wrong things.
TenFour is offline   Reply With Quote
Old 19 Aug 2025, 11:17 PM   #7
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,532
Quote:
Originally Posted by TenFour View Post
It is far more likely to have your home burn down than to be hacked in a good online system. I know personally two people who had major water pipes burst when they were away, destroying the interiors of their homes. Then there are earthquakes, floods, hurricanes, etc. I always think of a story of a man in Houston who escaped the floods by chopping a hole in his attic roof so he could escape with nothing but the clothes he was wearing. He luckily had everything in Google's cloud drives and though he was displaced hundreds of miles away he was able to simply buy a new Chromebook and was up and running nearly instantly, with no loss of data. We are always worrying about the wrong things.
Are you saying just good login credentials are sufficient and you don't need 2FA because of the risks associated with losing your Yubikey or losing your phone with the authenticator app?

I used to think 2FA was not needed too, but in recent months I realised (by reading here and on other forums) that 2FA is really recommended. So in the end you have to take a leap of faith. Your Yubikey could be stolen or get lost, your phone with your authenticator app could be stolen too, ...
But then in those cases you have your backup codes specifically for the case where you lose your Yubikey or your authenticator app on your phone.

Also, I realise houses on fire can happen everywhere. However, the likelihood of that is low enough that I'd trust to have 2FA.
As for earthquakes and flooding... I live in a country that never experienced a serious earthquake, and nowhere near a river that could start flooding. Also, I live quite high in my apartment block, it would almost take a deluge in order for the water to rise high enough to reach my apartment.

There is no such thing as "zero risk" but I think 2FA is recommended enough that it is worth having. The risks of losing one's Yubikey or phone are rather low, without saying it cannot happen. But in that case, you have your backup codes.
Tsunami is offline   Reply With Quote
Old 19 Aug 2025, 11:25 PM   #8
TenFour
The "e" in e-mail
 
Join Date: Feb 2017
Location: USA
Posts: 2,123
Yes, 2FA is good for high-value accounts, but I hate having it tied to a physical device without any form of online backup. I actually do use some security keys (not Yubikey brand) for some very high-value accounts, but I am not 100% comfortable with them. Phones, in particular, are highly likely to be stolen, broken, or lost. I've had several that just died. It takes just one drop in the wrong way to put your phone out of service. Theoretically I have other means of getting back into those accounts via backup codes, etc., so I store that information in online services that won't disappear if the house burns, floods, etc. My point is that I think ordinary disasters that happen every day, like fires and floods, are a bigger threat to most people than having their data hacked online, assuming you are taking the proper precautions. I like the 3-2-1 Backup Rule: Keep 3 copies of your data on 2 different media with 1 copy off-site.
TenFour is offline   Reply With Quote
Old 19 Aug 2025, 11:42 PM   #9
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,532
Quote:
Originally Posted by TenFour View Post
Yes, 2FA is good for high-value accounts, but I hate having it tied to a physical device without any form of online backup. I actually do use some security keys (not Yubikey brand) for some very high-value accounts, but I am not 100% comfortable with them. Phones, in particular, are highly likely to be stolen, broken, or lost. I've had several that just died. It takes just one drop in the wrong way to put your phone out of service. Theoretically I have other means of getting back into those accounts via backup codes, etc., so I store that information in online services that won't disappear if the house burns, floods, etc. My point is that I think ordinary disasters that happen every day, like fires and floods, are a bigger threat to most people than having their data hacked online, assuming you are taking the proper precautions. I like the 3-2-1 Backup Rule: Keep 3 copies of your data on 2 different media with 1 copy off-site.
I think storing the backup codes securely (which will help you sign in should you ever lose your physical key or your authenticator app) should give peace of mind.

Of course you can take precautions like having an up-to-date protection on your computer (these days Windows Defender is as reliable as McAfee or Norton), but for your most important accounts I'd say 2FA is no unneeded luxury.

I would probably also not go as far as setting up 2FA even for social media accounts and such, only for my most important email account and for webhosting accounts etc.

A good idea is to write down your backup codes and give a copy to a person you really trust, such as a very close friend or very close family members. Then it would already require two houses being broken into, flooded or damaged in another way before you risk to be locked out of your account.
Tsunami is offline   Reply With Quote
Old 19 Aug 2025, 11:49 PM   #10
TenFour
The "e" in e-mail
 
Join Date: Feb 2017
Location: USA
Posts: 2,123
Quote:
A good idea is to write down your backup codes and give a copy to a person you really trust, such as a very close friend or very close family members. Then it would already require two houses being broken into, flooded or damaged in another way before you risk to be locked out of your account.
Yes, that satisfies the one copy offsite part of the 3-2-1 backup rule if you don't want to use an online service. One thing I forgot to add is you also need to keep an emergency sheet someplace that tells loved ones where to find everything if/when you are gone or incapacitated. Nothing worse than leaving behind a digital mess for your loved ones to struggle to solve.
TenFour is offline   Reply With Quote
Old 21 Aug 2025, 07:47 AM   #11
Gankaku
 Moderator 
 
Join Date: Mar 2002
Location: Virginia, USA
Posts: 3,270
I use KeePass for all my passwords. They have a huge page of addons for this PC+mobile software. Two of them are OTP tools. The one I use is KeePassOTP. So you have your secure passwords, and your otp all in one place.


I still use Authy on my phone. They no longer have PC support.
Gankaku is offline   Reply With Quote
Old 21 Aug 2025, 08:33 AM   #12
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,532
Quote:
Originally Posted by Gankaku View Post
I still use Authy on my phone. They no longer have PC support.
Authy had some security leaks in the past, which is why I am trying to stay away from them.

Anyways, I'll go with Yubikey. I only have one service I use that does not support Yubikey as yet. For that one service I'll have to find another reliable 2FA authenticator (maybe Aegis, FreeOTP, or maybe I'll look into KeePass too) but other than that 1 service all services I use support Yubikey.
Tsunami is offline   Reply With Quote
Old 21 Aug 2025, 09:03 AM   #13
Gankaku
 Moderator 
 
Join Date: Mar 2002
Location: Virginia, USA
Posts: 3,270
Quote:
Originally Posted by Tsunami View Post
Authy had some security leaks in the past, which is why I am trying to stay away from them.

Anyways, I'll go with Yubikey. I only have one service I use that does not support Yubikey as yet. For that one service I'll have to find another reliable 2FA authenticator (maybe Aegis, FreeOTP, or maybe I'll look into KeePass too) but other than that 1 service all services I use support Yubikey.

Yeah, if that works for you, stick with it. I would choose another OTP rather than using KeePass, because the KeePass solution is a little overkill because it's primarily a password keeper, with all those additional add-ons like KeePassOTP. So you'd have to learn how to use both. A little too much. Good that you found a solution!
Gankaku is offline   Reply With Quote
Old 21 Aug 2025, 09:31 PM   #14
hadaso
Intergalactic Postmaster
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 5,117
I asked Gemini to compare using a Yubikey to using TOTP.
Apparently a Yubikey can be used (together with the Yubico Authenticator app) with any site that supports TOTP, and this is supposed to provide some extra level of security.
I used to have a Yubikey and I lost it, which is one disadvantage of a tiny device. Also as a physical device it has electric contacts that wear over time and usage. A TOTP app is quite trivial to use and the security it provides is good enough for me.
hadaso is offline   Reply With Quote
Old 21 Aug 2025, 09:39 PM   #15
TenFour
The "e" in e-mail
 
Join Date: Feb 2017
Location: USA
Posts: 2,123
Quote:
Originally Posted by hadaso View Post
I asked Gemini to compare using a Yubikey to using TOTP.
Apparently a Yubikey can be used (together with the Yubico Authenticator app) with any site that supports TOTP, and this is supposed to provide some extra level of security.
I used to have a Yubikey and I lost it, which is one disadvantage of a tiny device. Also as a physical device it has electric contacts that wear over time and usage. A TOTP app is quite trivial to use and the security it provides is good enough for me.
You should at a minimum register two Yubikeys and keep a backup someplace safe. I too am wary of using physical devices that can be lost, stolen, or broken very easily. I also find that inevitably I don't have the security key with me sometimes when I need it. For example, I've been on vacation in a remote place when I received a phone message concerning a financial problem that needed to be taken care of immediately. I don't normally carry the security key with me when I go out, so I could be locked out. A phone app is better for that problem since I would always be carrying it, but a phone is also more likely to be lost, stolen, or broken since it is used constantly. Just one drop in the wrong way and your phone can be out of commission.
TenFour is offline   Reply With Quote
All times are GMT +9. The time now is 04:03 PM.

 
