One more step to unhitching from Google…
Right now the only option I see in F-Droid is Aegis.
I’m not sure what to actually look for side from checking for unexpected permissions and reasonably frequent updates.
Hopefully something I can sync with a GNOME app…
Aegis
Bitwarden Authenticator because Bitwarden seems to have a good reputation. I don’t use their password manager, though.
It does seem faintly insecure that it displays all of the codes at once on one page, but I’m having trouble imagining a scenario where it’s actually a problem.I’ve been using KeePassXC. I use Syncthing to keep the database synchronized between computers.
Same here. If it’s TOTP based 2fa, you can keep them in entries and use them from there.
Tbh, if you’re using the same DB for PWs, you’ve successfully downgraded to 1FA now. Except maybe if you use a seperate KeyStick/Yubikey as secret bearer or smth
I would say it still counts as 2fa just shifting what is verifying you to your password manager and using the site password and 2fa as a way to verify the password manager with the site. If setup right they would have to have the database and your password to decrypt it not just one or the other and for password managers that sync the database it should require your password and 2fa to sync to a new device so it can’t just be freely grabbed. If that doesn’t count as 2fa then I would like to see an argument about how okta signing you into sites counts as 2fa as it is basically the same thing.
More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn’t compromise full access to your password database, which is still a lot better than using just passwords without a second factor.
that’s like calling strong randomly generated passwords 1.5FA.
with proper MFA, even if you steal my password (database), you won’t be able to steal my account, as you’re missing the second factor. with classic otp this is just a single use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.
password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they’re not extracted live. password managers with auto fill and phishing resistant MFA can prevent phising, although the password manager variant is still easily bypassed when the user isn’t paying enough attention, as it’s not even that uncommon for login domains to change. obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.
even if you steal my password (database)
That’s a big leap you’re doing there, equating stealing a password to stealing a password database. Those are very different. Stealing a password can be done through regular phishing, or a host of other methods that don’t require targeted effort. Stealing a password database, if properly set up, is a lot harder than that. It depends of course on what password manager you’re using, but it usually involves multiple factors itself. So equating that to just a password, no matter how strong and random, is just misleading.
Mind you, I agree that it’s less secure than “proper” MFA, and I’m not saying that everybody should just use MFA through a PW manager. I am using physical security keys myself. But for a lot of regular people that otherwise just couldn’t be bothered, it’s absolutely a viable alternative that makes them a whole lot safer for comparatively little effort. Telling them they just shouldn’t bother at all is just going to create more victims. There is no such thing as perfect security, and everyone has a different risk profile.
I use Aegis, it works well
Bitwarden. I don’t self host it, though. $10 a year for password management and 2FA is fine by me.
It’s niche but I like to point it out whenever I get the opportunity: if your workplace uses Bitwarden Enterprise, every licensed user gets a free family plan that can be linked to any account. I haven’t personally paid for BW for years.
As I’ve seen gaming server subscriptions go from £36/y to £23/m (Xbox) in a few years, and cloud CCTV storage from £40/y to £16/m (Google via acquisition of Nest) in a few months, I say we count our stars when a subscription cost remains fair.
Same. Self hosting it sounds nice, and I self host a handful of services, but I don’t want to be stuck without passwords in another country with a dead server at home because a power cut happened at some point.
Bitwarden caches your vault to your device, so you don’t actually need a live connection to the server.
Oh, that’s actually good to know. I guess it makes sense for when you don’t have a good connection as well.
I had fault in my server this summer and my local bitwarden app wouldn’t work without the connection. Same in my laptop, if the connection is blocked by the firewall it doesn’t let me load the vault at all.
1password
Definitely this, especially if you’ll be sharing with a non techie. My wife was able to pick 1password up and use it immediately and she normally turns her nose up at any of my recommendations.
For the 1password accounts 2FA, use a yubikey or aegis. Everything else to 1 password.
I’m currently using FreeOTP from F-droid. Aegis seemed to have way too much extra crap. You don’t want to sync multiple 2fa applications together since the idea of the 2nd factor is it’s only in one place. Even being able to back it up is sort of contra, but if you have to, make sure the backup is well safeguarded.
The basic TOTP algorithm is quite easy to implement fwiw. A dozen or so lines of Python.
Yubikey. I dont want to trust my phone, so I use some separate hardware instead
What you mean syncing with Gnome app?
FreeOTP/FreeOTP+
depending on your goal for this (real 2fa vs just simulated) you shouldn’t have sync in the first place.
you could also look into security keys (hardware solution, webauthn/FIDO2) as an alternative that has strong security with good user experience (no typing anymore), but they’re not as widely accepted.
“Unmodified 20? Yeah, you just know your 2FA without even checking somehow”
I like Aegis.
I used aegis for a long time, switched to protons after they introduced it. Ideally I’d be using something physical though like a yubikey
2FAS Authentication
Been using it for a while. It’s pretty awesome.
Enteauth
