11
votes
What do you use for 2fa?
This Lifehacker article recommending Ente Auth reminded me that I am looking to migrate off Authy to something else.
I thought I would see what Tilderinos are using:
- What do you use, and do you like it?
- How do you deal with syncing?
- Do you only generate codes on your phone, or do you use a desktop app too?
- What questions should I be asking that I didn't ask?
Aegis on android. It can back up as part of your phone backup but also can back up to the file system including cloud integrations so mine goes to Nextcloud. The data is encrypted as it used a vault model.
Giving the specific app you mention I think you might be looking for iOS apps, unfortunately I don't have any to recommend there. I just figured I mention Aegis for any android users who come across this.
I use TOTP integrated into KeePassXC and KeePassium. I don't recommend this path except for the patient and technically inclined, as proper syncing via a cloud service is your responsibility.
That said, I have used KeePass or a derivative for over 20 years.
In terms of "is it OK to have TOTP in your password manager?", my personal evaluation is that yes, it's fine. Different folks will take different stances on this, but for me, it boils down to the simple threat model of being more concerned about remote breaches or targeted attacks than access to my password manager itself. My KeePass database is double-authenticated and tuned with many rounds of encryption, and all browser integrations are disabled.
In that vein, Bitwarden also supports TOTP, which eliminates a lot of those syncing problems and makes it a good solution in this problem space (accepting that compromise of your password manager is acceptable risk).
Edit: I very much disagree with that blogger's assessment of:
Literally any password manager is better than the status quo of "use 2-3 minimum-length passwords and reuse them for every site". Even an unencrypted file on the desktop titled "passwords.txt" is preferable to password reuse.
Tavis Ormandy is one of the most talented security engineers I have ever come across. You both agree that unique passwords per site is required. He's aware folks disagree with him, but his arguments for why many password managers are not good and do not live up to their security claims still hold water in 2024.
Oh yes, and that's why I disagree with him (and appreciate his self-awareness that it's a contentious take). And yea, vendors gonna vendor.... that's why I don't trust any product that references where it lands on the Gartner magic quadrant.
I'd rather a diverse ecosystem of potentially-exploitable password managers than a mono-culture of browser built-ins (which don't do too great cross-platform) or the hassle of offline-only for the masses who will then choose to just not use one at all.
It's why it's really annoying that security researchers yell at people for using 3 word passphrases, when that is still preferable to using
Password123$. The people who know enough to not use the 3-word method aren't the ones who need it. Perfect == Enemy of Good.If security is paramount, disable browser Javascript and proceed with caution. Eliminating website Javascript is the first step to having actual web security again.
I tend to agree with you. I personally don't like the UX of the integrated systems like lastpass, but my 80 year old neighbor uses it. It's pretty much at the limit of her technical capability. It's much more secure than any of the options that are realistically available to her.
I'd like to note that Bitwarden has both a standalone TOTP Authenticator app and an integrated TOTP feature that includes the TOTP code generation as part of the vault item. The integrated TOTP is included with the Premium feature set, which you can get with an individual subscription or as a member of one of their paid Organization plans.
I actually already have a pretty robust keepass setup synced over dropbox. I have thought it would be nice to have the 2fa synced some different way, but I suppose most of my 2fa recovery codes are already in the keepass, so compromising it would be a total break anyway.
One good thing about syncing it that way would be apps I share with my wife would give us both access to the 2fa.
I was going to write something but then I thought, "why share the details of my security setup with the world?"
Maybe it doesn't matter if you're anonymous.
Just riffing on this theme, not really commenting on your personal position. But on a grander scale, there’s the notion that a well designed system is secure even if fully described. The idea being that security which is only achieved by obscuring details about your implementation is frail, whereas security that is derived from how components of the system are designed is resilient.
Still, I don’t know how that either scales down to individuals or up to eg state actors or Fort Knox, for example.
That's an important principle in cryptography - algorithms should be public, so they can be reviewed by experts. Source code can benefit from being reviewed by others, too.
I don't think it applies to particular companies or individuals much at all. You're unlikely to get an expert review just from talking about your security setup online, because experts are unlikely to see it and even if they do, it's not their job. If you want expert review, you're going to have to pay some experts.
You do benefit from choosing well-known software that has received a lot of scrutiny. That's getting expert review "for free." It depends on the product, though.
Ah so didn't see this before writing my previous post. Again this is called security through obscurity and is a TERRIBLE practice that is routinely slammed for being outdated, ineffective, and actively problematic.
A business using such methods would be extremely unlikely to be in compliance with any sort of government standard (HIPAA for example) or insurance standard (whatever company insures their cyber security operation in case a breach does occur).
Resulting only on obscurity is often bad, but as defense in depth it's fine. Government standards don't require anyone to publish details of their computer systems on the Internet.
Sure, but even as part of a layered tactic, it is often one of the weakest layers. To the point of being almost pointless to include.
Obviously you don't post your network diagram, but you have to assume that if you did, you'd still be secure.
I agree.
This is, in essence, the idea behind open source. It's why people claim OSX and Windows are inherently more secure than Linux.
It's difficult to achieve this state, but not impossible.
Only very well-known and widely used open source projects get attention from experts. So I think the word "inherent" doesn't really apply? As you say, it's difficult to get there.
"Windows and OSX are more secure because they are closed" or "Linux is insecure because it is open."
A false trust in closed-source.
What I’m saying is that “is it open source” is good to know, and having source code is useful, but it’s not a shortcut for determining whether software is secure or not. Security holes are found in products in both categories.
Someone has to actually investigate. We’re not security researchers, but people who are can figure out lots of things using disassemblers, so they don’t necessarily need the source, though it helps.
One problem is that the source doesn’t necessarily match the binary. There’s been some good work on reproducible builds, but it’s just getting started. Without reproducible builds, reading the source could be misleading; the binary might do something else.
Also, as a consumer, when you install software, what are you really going by? The reputation of the team and of others who vouch for them. For example, I think Signal is pretty secure but never verified anything myself, so that’s purely a statement about their reputation. Part of that reputation is an assumption that security experts look at their code, but I couldn’t say when that last happened.
I think Apple has a pretty good reputation too. People have found some severe security flaws, but they patch them.
Not disagreeing by any means. Open is a prerequisite to being fully auditable, but the rest of the work still needs to be done. And I wasn't dissing Apple, just dismissing the idea that Apple is more secure because they are closed. If iOS went open source, it would receive a public level of scrutiny that would dwarf almost any other, and would probably be more secure than it is now after a few rough years.
But that's why, when presented contractual options at a roughly equal trust level, backed by the same level of insurance for breach protection, an open solution like Bitwarden is preferable to LastPass.
And on the bottom end of the scale, where audits are likely nonexistent for anybody, I'm more likely to trust the person who puts the source out there over one offering only binaries. It's a great first filter over 'just download the exe"
I mean, the amount this matters is infinitesimal, and is called security through obscurity. If someone were to target one of your accounts, it's trivial to see what kind of authentication they're using and figure out from there.
If you don't feel comfortable sharing, that's fine and I get it, but it will not affect an attack on you unless your model is "oh yeah I post all my passwords on this public google share"
To be almost as vague as @skybrian, even if you use a password manager that handles auth codes and passkeys and syncs cross-platform, you will probably still end up using:
You might also consider whether physical keys are worth setting up for your most critical online accounts. (h/t @kacey)
Decidedly disagree, albeit on the grounds of "personal preference". I know this is a deeply not-secure approach, but I use my password manager(s) without 2FA. The risk is there, but for my personal threat modeling – and that absolutely includes requiring a sufficiently long password (>30 chars) – I prefer knowing I can log in from anywhere if I ever get locked out, accepting that anybody else in possession of the one passphrase that I have to remember could also do it.
Examples that I feel back me up on this:
It’s very probably not the most rational choice, but it lets me feel safer.
Unfortunately, this is also true. Looking at you, banks who can’t seem to follow industry standard…
I use Bitwarden (technically it's a self-hosted vaultwarden), for both general password management and generating TOTP tokens, and I also have a Thetis Fido2 key and a couple Yubikeys that I use for sites and apps that support webauthn.
The self-hosted vaultwarden gets backed up to Backblaze B2 every night with other various things from the machine it's running on (plus all the client apps keep a local snapshot of whatever they most recently synced from the server, so I'm not too worried about losing everything in the event of catastrophic failure of my backups).
I still use Google Authenticator, which I have been wanting to switch away from for ages. I tried switching to Ente Auth but the import was a mess and I didn't have the patience to start double checking what it imported from Google and what it perhaps didn't. It did at least duplicate things a lot and lost names in the process, so I didn't know what was what.
I also have Microsoft's authenticator installed because some Azure services seemed to require it and not play ball with Google's authenticator. And of course banking and such have their own apps.
I save all the recovery codes that are given and I manually sync the Google Authenticator with another Google Authenticator app on a backup phone whenever needed.
I don't use desktop apps.
On iOS, I use OTP Auth, and on Android, I used FreeOTP. Both just do what they say on the tin, and support exporting for backups (on Android you need to use adb, iirc).
I’d strongly recommend that you use this time to audit your recovery codes and backup plans, too.
Ah, also, try not to use TOTP token generators (ie these apps) if possible. It’s still possible to socially engineer you to give up the code, so it’s better to use a FIDO or webauthn physical token instead (but anything is better than either nothing or an SMS second factor). I think they make them with NFC these days, but I always just use mine over USB.
I use a Yubikey. It provides actual 2FA without syncing because I always have the physical device with me. I can access the TOTP codes using the Yubico Authenticator app on whatever device I am using at the time.
Including TOTP secrets in a password manager that syncs (or anything that syncs) is fundamentally breaking 2FA. It might be a reasonable tradeoff for you in your situation, but it defeats the point of 2FA. If you are confident you don't actually need the security of 2FA and are good with bypassing it, then syncing is a reasonable choice.
The exception to the above is if you have a reasonable guarantee that wherever you store your 2FA secrets itself requires strong 2FA to access. That's usually not the case for people though, because the whole reason they store 2FA secrets outside the 2nd factor is because they don't want to accept the convenience tradeoffs that come from 2FA security.
I always see this talking point and have never agreed with it. As with everything in security, it's all a matter of tradeoffs. The main goal of 2FA is to put less weight on passwords, which tend to get reused and/or leaked. So to that end, it doesn't really matter where your secret is stored; the fact that it's enabled at all buys you a decent amount of security. If you know that my tildes password is
hunter2, that doesn't get you into my account regardless of where my 2FA secret is stored.If your risk profile is more concerned with someone getting access to your vault, then sure, putting all your eggs in one basket isn't probably great. But if we assume your password vault is secure (which is probably true for anything that's not LastPass), then it's probably the safest place you can store a 2FA secret (as opposed to yet another app that has to get maintained and secured indefinitely).
If you've got security clearance and your password manager is under active attack from a state actor, then it might make sense to keep 2FA secrets offline and on your person. But for most people, enabling it at all goes a long way and it's important that there not be extra impediments towards storing it safely.
Here's more good reading on this topic: https://www.reddit.com/r/1Password/comments/1247mho/help_with_changing_from_1password_2fa_to_third/jdyker6/
I don't think this is completely true. I agree that putting your 2fa secrets behind the same passphrase as your password weakens the second factor, but only in the case where your attack model is "compromise of the password manager".
If your model is "passwords stored by the provider are compromised" (which I think is the more likely case), the 2fa still does its job, assuming those secrets were not also compromised.
As I wrote elsewhere, if you store your 2fa recovery codes in your password manager (or if your 2fa can be reset by requesting a reset through email, and your email can be accessed from your password manager), then getting your password manager compromised is still a total break.
I also think you could have a syncing 2fa app on an independent stack from the password manager and that would still be a secure second factor.
If I actually care about 2FA for the site, Aegis.
If I don't actually care but the site does something even more annoying if I don't enable it (like SMS codes or email magic links), then I just put it in Bitwarden. Technically that means it's back to 1FA instead of 2FA, but it's about ease of access at that point.
I use Duo, and only on my phone. It can do backup and restore onto another phone. I don't think there's particularly anything special about it, other than it's popular enough to be supported by a few services that I use (like my password manager) to get push notifications instead of having to do TOTP tokens, though I use it for that as well.
Ever since Authy switched the mobile only, I found and have been using 2FAS. It's still also mobile only but there's a browser extension that allows you to push a request to your device, where you then approve and permit the request, and then it auto-fills the code on your browser.
It's an open-source solution too, for those interested.
My situation is currently a mess of apps that I NEEED to consolidate. That said i've been using and am happy with Entre Auth and to some lesser extent Proton Pass. There's a lot of "ok how do I handle this situation" that I still need to research, and figure out what my actual model is (i'm heavily against any model that could lead to full lockout if you lose your PW manager), but overall something is better than nothing.
Do you use a password manager? Because all of the well-known ones have 2FA built into them. Is there a reason you wouldn't want to use that?
Yup, although I still use the original Keepass app. I did not know (until today) that Keepassxc supports 2fa.
I recently switched to Ente. Works great on Desktop and phone. Have Aegis\Bitwarden as a backup just in case.
When you say backup, do you mean you register TOTP in Aegis and Ente?