
Also I am trying to reduce the number of sites that I use the Google Authenticator app with. If you ever swap phones, it's a hassle to access your account again.

@darnell Yes, Google Authenticator sucks, but 2FA is a standard so you don't have to use it even for a Google account.

I've been using andOTP for several years and I'm very happy both with the UI and the secure backup/restore features:
github.com/andOTP/andOTP#andot
#andotp #android #security

@codewiz Thanks! If I ever buy an Android phone that will be a blessing. Many sites now present me with the option of sending an SMS, using email or (the smart ones) realize I am using multiple mobile devices & will have me confirm via push notification on one of those (iPhone, iPad or Apple Watch).

However, there are a few that were a nightmare to navigate around, & I had to have tech support disable the Authenticator login after I swapped phones.

@darnell @codewiz

Another option is to switch to a hardware 2FA device that you can put on your keychain.
I find it both the easiest and most convenient to use, and it is by far the most secure 2FA method.
(I use a YubiKey yubico.com)

@JonathanTreffler @darnell I use Yubikeys too, but not all websites support FIDO2.

And even those that do often don't let you enroll multiple dongles (I have 3).

@codewiz

Yes, I think many more websites should have FIDO2 support.

But YubiKeys actually also have OTP support. You still need to open an app and copy them, so it works similarly to normal OTP apps, but the secrets are stored on the YubiKey, which could resolve the multiple device problem @darnell is facing.

@JonathanTreffler @codewiz Arrrggghhhh! Apparently they do not support the iPad Pro, as it lacks NFC as well as a Lightning port (I loathe Lightning ports!). support.yubico.com/hc/en-us/ar

I am searching for a workaround.

@JonathanTreffler @codewiz I remember Google trying to sell these to me but at the time the places I needed them were beyond my control (other services that I use). My job also uses them but they only hand them to certain individuals.

@darnell @JonathanTreffler Yubikeys are quite expensive... I don't understand why nobody undercuts them by selling an equivalent product for $5.

@codewiz @JonathanTreffler Yes, they are expensive! But it might be worth the cost.

Right now I am relying on a mixture of 2FA over SMS/Push Notifications & Face ID for security.

I still think it’s crazy & hilarious that I can use Yubikeys for my iPhone 📱 & (theoretically) Apple Watch ⌚️ but not for my iPad Pro.

@codewiz
I hear andOTP was recently discontinued?
I switched to Aegis a few years back. You can bring a backup/export over from andOTP.
Aegis is great, built by someone who clearly knows their stuff.

Here's an assessment from someone who's into cryptography and does some security bug hunting:
github.com/lynn-stephenson/ana @darnell

@darnell Google Authenticator doesn't have to be tied to your phone.

Any TOTP app that complies with RFC 6238 will work (for example FreeOTP, Bitwarden, or many other TOTP authenticators).

@darnell you can export to one or more QR codes (Settings > Transfer accounts) and directly scan them into your new phone. You aren't allowed to screenshot them for later, which is irritating but I guess makes sense. But if you don't have both phones then yes, it is a hassle.

Authy solves this, but I like the simplicity of Google Authenticator.

@kauer Yeah, ran into the issue when I upgraded to a new iPhone. Most sites simply sent me an SMS so logging in was not a hassle. A few critical sites did not have this option so I had to call tech support multiple times. It is frustrating sometimes, but it was a painful lesson for me to learn.

@darnell I save all the secrets (or, if not available, the actual QR codes) in an encrypted wallet as a worst-case backup...
