If proprietary app is better and more robust I am willing to try it and assess it myself.
I actually try to use authenticator apps as little as possible. Having to unlock your phone and open the app each time is too much hassle.
Instead I have four Yubikeys, not security keys, that I store my OTP 2FA codes on. One for personal codes, one for work codes, and the other two as backups for the first two. The backups protect me from hardware failure, the keys being stolen, or lost. One downside of the backup plan is having to scan the QR code twice, once per Yubikey.
Each Yubikey can store 32 OTP codes on the smart card part of the Yubikey. The 32 code limitation is why I have personal and work codes on separate keys. I did run into this limit.
This isn’t the cheapest solution. In addition you could argue it also isn’t the most secure, but that depends on the attack vector and circumstance.
With this setup I can use the Yubico Authenticator desktop to copy and paste the codes into the browser. While mobile I can use the mobile form of the same app. Also all my Yubikeys have NFC, so I can use that method if I want instead of just USB.
As mentioned in a different comment I highly recommend not storing 2FA codes in password managers like Bitwarden. It creates an all eggs one basket problem, which is exactly what 2FA codes are trying to avoid.
Having to unlock your phone and open the app each time is too much hassle.
And having to use two USB keys and double code scanning isn’t? I’m glad your system works for you, but it sounds like a pain in the but to me lol.
I’m just migrating away from github because of this. Sr.ht is looking promising.
I know it is an unpopular opinion, but it is a huge headache in general. I don’t think the theoretical benefits (which make total sense) actually pay off in reality and are worth the extra headache. I’m not saying they should not have it at all, but it should be at least opt-out instead of forced.
In the case of github, I think it is part of their long drawn out plan of data collection and proprietary lock down. Next they are going to require your house address and government ID. I feel better using an free and open source platform anyway.
Where does this even come from, passwords are increasingly insecure and adding another factor, especially authenticator codes, doesn’t even require you to give up a single new piece of personal information. The entire thing is just adding a local code that your program of choice remembers and uses to generate the one-time password. No data collection, no proprietary software. Other areas might be doing bad shit for all I know, but this change is entirely a forced security measure because people are too bad at passwords.
After seing the frequent attempted logins on my Microsoft account, I’m “just” a lucky guess away from losing it if I do not have another thing blocking access.
When it comes to proprietary apps Authy is nice, it offers synchronisation between devices, but yeah, it involves cloud (someone’s computer) and you need to give them your phone number, so that’s for privacy, in the end you might as well use Google authenticator, it syncs between devices to, it’s about who you trust more
I’ve used Authy for years now without issue. Seems it’s not a popular option anymore.
Is there something I should know about? Or are other options much better now?
For people down voting, please share your reasons for it. If there’s something wrong with the product, sharing that info would be helpful.
andOTP is the only app I know of that’s on F-Droid and has a feature to make an encrypted backup to a file.
Unfortunately it hasn’t been updated in awhilee, but I dont think there’s an alternative.
I see aegis supports automatic backups. I don’t see it explicitly saying ‘encrypted’ backups though I too use andOTP but didn’t realize it’s not regularly maintained. I may check out aegis as it does support import from andOTP
Followup. Aegis does support encrypted backup. I had to do an unencrypted backup in andOTP so Aegis could import. Easy stuff
Edit: automatic backup doesn’t encrypt? Or I am having trouble setting up
I had to do an unencrypted backup in andOTP so Aegis could import.
I just did an en encrypted backup from andOTP to the local filesystem and successfully imported it in Aegis. It worked flawlessly. Just in case someone else is reading this and is hesitant about how to migrate from andOTP to Aegis.
The official GitHub app. Yes, it’s not universal for other sites, but you get 2FA and a much more pleasant browsing experience.
For a universal solution, give Aegis a try.
