Comment by GekkePrutser

3 years ago

I use AndOTP on Android. You can export to a PGP-encrypted JSON file so your keys are really your own and not locked into a walled garden like Authy.

AndOTP is great. Especially if you compare it with all the iOS options.

iOS TOTP apps all suck, it's amazingly bad. I installed like ~15 different ones. After the fifth try, I just had to know if it was just my poor initial selection or a general problem.

Each and every iOS TOTP app has at least one crucial problem - requiring a subscription, mandatory sync to a proprietary cloud, having no export-import, not having a watch companion, being from an unknown/generic developer, no support for longer TOTP codes (worse, some display it truncated!) or they're simply very buggy.

I settled on Step Two because it was like all the others, but not an eyesore...

  • iOS's security makes a self-hosted/non-third party backup/sync super difficult IIRC. (Unless you use Apple's product) I think unless the app has it built in, it's not easily doable. Android can use syncthing, but even Google is making that more and more difficult with each release.

    Is there a standard app developers can use to securely sync/backup to for self-hosters? Is there a 'nice' UX/flow to connect apps to s3-style storage (enabling folks to use AWS/DO/Backblaze/whatever?) or would that be too raw?

    • You're most likely correct about automatic synchronisation from filesystem like that. That though doesn't mean there can't be any built-in integration with Next/OwnCloud or simply manual export-import.

  • Did you try Raivo OTP? I've seen good things said about it by FOSS people.

    https://raivo-otp.com/

    • Yes. It had no import functionality, no Apple Watch companion, and a relatively convoluted setup process that adds a point of failure without reasonable reduction in any risk.

      One would have to set a password that they then store in a password manager, that is then accessed using the same 2FA protected by the password. Plus a mandatory PIN, with the same caveats. Cyclical or duplicate authentication is simply not good design.
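The remark above about apps not supporting longer TOTP codes, and some displaying them truncated, can be checked against the standard itself. The following is an added example, not code from andOTP, Aegis or any app named in the thread: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation, a window-tolerant verifier, and a helper that shows why cutting an 8-digit code down to its first six digits yields a wrong code while the last six happen to equal the genuine 6-digit code (both are the same 31-bit value reduced modulo 10^digits). The secret is the RFC test-vector key; the function names are the example's own.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), SHA-1 variants.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP per RFC 4226: HMAC over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code from the current step or +/- `window` neighbouring steps
    (clock drift), comparing in constant time to avoid a timing side channel."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def compare_truncation(secret: bytes, unix_time: int, long_digits: int = 8,
                       short_digits: int = 6) -> dict:
    """Show what a display that truncates a long code actually produces.
    'trailing' equals the real short code (same value mod 10^short_digits);
    'leading' is what a naive truncating UI would show, and is wrong."""
    long_code = totp(secret, unix_time, digits=long_digits)
    short_code = totp(secret, unix_time, digits=short_digits)
    return {
        "long": long_code,
        "leading": long_code[:short_digits],
        "trailing": long_code[-short_digits:],
        "short": short_code,
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B: time 59 s, SHA-1, 8 digits -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(compare_truncation(RFC_TEST_SECRET, 59))
```

The verifier's window of one step either side mirrors what most server-side TOTP checks allow; widening it trades tolerance for clock skew against a larger set of simultaneously valid codes, so a client that cannot show the full 8 digits the server expects simply never authenticates, whatever the window.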

Aegis is another open-source option. It can import the andOTP format and can also export the keys, but has the advantage of being able to use fingerprint unlock.

  • AndOTP can use your fingerprint as well. Settings->Authentication->Device Credentials

  • I also like that Aegis has folders so I can separate my work and personal stuff. Most of the others are just a flat list.