Comment by ayewo
3 years ago
I use Duo Mobile [1] with my Apple Watch.
Authy gets recommended often here but I got turned off of them because they require a phone number to set up the app on iOS. There's no phone number requirement for TOTP implementations so I eventually found Duo Mobile. This was before they got bought by Cisco.
The phone number gets used during account recovery; when I reset my iPhone once without a second Authy device to activate it, I was locked out for 24h while it bombarded my number with calls and texts about the impending restore. I appreciated that safety measure.
And I don't appreciate being forced into a "feature" that specifically subverts the entire god damn point of 2FA codes and leaves them in an unprotected state on some third party server.
Great!
It is, indeed, great to have choices.
(Side note: Authy backups are encrypted client-side with the user's backup password. They're not unprotected on a third-party server; Authy has no ability to decrypt them. https://authy.com/blog/how-the-authy-two-factor-backups-work...)
The TOTP secrets are encrypted with a passphrase locally. You need the phone number to download the encrypted secrets but then need to use your passphrase to decrypt the restored backup locally.
I use AndOTP on Android. You can export to a PGP-encrypted JSON file so your keys are really your own and not locked into a walled garden like Authy.
AndOTP is great. Especially if you compare it with all the iOS options.
iOS TOTP apps all suck, it's amazingly bad. I installed like ~15 different ones. After the fifth try, I just had to know if it was just my poor initial selection or a general problem.
Each and every iOS TOTP app has at least one crucial problem - requiring a subscription, mandatory sync to a proprietary cloud, having no export-import, not having a watch companion, being from an unknown/generic developer, no support for longer TOTP codes (worse, some display it truncated!) or they're simply very buggy.
I settled on Step Two because it was like all the others, but not an eyesore...
iOS's security makes a self-hosted/non-third party backup/sync super difficult IIRC. (Unless you use Apple's product) I think unless the app has it built in, it's not easily doable. Android can use syncthing, but even Google is making that more and more difficult with each release.
Is there a standard app developers can use to securely sync/backup to for self-hosters? Is there a 'nice' UX/flow to connect apps to s3-style storage (enabling folks to use AWS/DO/Backblaze/whatever?) or would that be too raw?
I have been using OTP Auth for a while. It doesn't get updated a lot but it's working fine.
https://cooperrs.de/otpauth.html
Did you try Raivo OTP? I've seen good things said about it by FOSS people.
https://raivo-otp.com/
Aegis is another open-source option. It can import the andOTP format and can also export the keys, but has the advantage of being able to use fingerprint unlock.
AndOTP can use your fingerprint as well. Settings->Authentication->Device Credentials
I also like that Aegis has folders so I can separate my work and personal stuff. Most of the others are just a flat list.
Ah! I used Authy because it was one of the very early OGs of TOTP Apps.