I love Aegis. Note how insane the Authy export instructions are. "Paste in a bunch of code to an Electron app running Authy in debug mode to dump the tokens as QR codes". It works but :yikes:
Aegis has a nice clean encrypted import/export JSON format.
I did this yesterday as well, Aegis seems really nice. I've got Syncthing up and running with my desktop as a middleman, so my old phone can be whipped out at any time if my current one gets stolen/lost/bricked.
But now I am wondering if I should be re-seeding across all my TOTP-enabled accounts in case we continue to be drip-fed new information about how much worse this breach is getting.
I've triggered the deletion process for my Authy account - the claim is that all my info will be deleted after 30 days.
KeepassXC has OTP functionality but it's very clunky as the URI needs to be crafted. I usually copy the OTP string from another credential and edit the code and name.
There’s also OTP Auth, which is a freemium app with all the basic needs covered in the free option, including an Apple Watch app/Watch Face complication.
Would you recommend using Bitwarden TOTP if you also have access to Yubikeys? I'm uncertain what I would like to transfer to as I'm a long time user and like Bitwarden though am working on trying to self host it and have yubikeys but manually scanning and naming twice to have the TOTP for something like discord or really any website which doesn't have near direct access to financials or private documents seems particularly annoying so if Bitwarden can act as the TOTP that seems like a solve 2 problems with one stone for lower security requirement accounts.
I sorta prefer having it in something separate from the passwords, though. If my 1PW gets compromised, so do the 2FA secrets stored alongside the passwords.
Coincidentally, I switched over to raivo just several weeks ago. There is a way to extract all of your 2fa keys using a deprecated chrome extension, which is what I did. It's quite easy, it spits out everything in a PDF web page with QR codes - I printed the whole page as a backup, then used my phone to add my 20+ accounts in about 5 minutes with the QR code. I have used authy for over 6 or 7 years, but for some reason I was getting uncomfortable with having it tied to my phone number.
There is an ipad app, which I installed on my M2 macbook air, so I can access it on my laptop as well. I also downloaded a version onto my old iphone 6 I keep in a drawer under my bed, just as a backup in case something gets stolen. And I have an ipad mini that I use on a daily nightly basis for reading and browsing. In addition to a ~5 year old windows desktop and a windows laptop form ~2015.
I've been resistant to using apps that only exist in the apple ecosystem, because I generally have only used windows laptops and android phones. But now I use an iphone, I have an m2 macbook air, and quite honestly the quality just blows everything on the windows / android side out of the water. I finally just admitted to myself that there is probably never going to be a scenario where if my phone breaks, I would go out and buy an android phone. It won't happen. The sheer connivence of just getting a new replacement phone, logging in, and having all your settings and files and (2FA codes! - encrypted in icloud!) automatically download is understated.
The price of an old iphone 6 or 6s is ~25-40 dollars on ebay. The price of a yubikey is 50 or 60 bucks.
I actually noticed this, but I consider this a feature, not a bug. In raivo, you are able to export an encrypted zip file, which I did and saved to a flash drive and put it next to my old iphone 6 in a drawer under my bed. It's reassuring in a sense, that if someone does obtain access to that encrypted backup file, they wouldn't be able to do some fuckery and automatically "recover" the backup on a phone that is not mine.
I will say that what surprised me about the exported backup encrypted zip file - it did not work the way I expected. I thought it was going to be some .txt file with a bunch of numbers and things I would have to input into a new 2fa app manually - but no, it's legitimately a a very nice html document that has every 2fa account laid out neatly with a QR code, section by section. When transferring these codes to my old iphone 6 (before I turned on icloud sync), I just held my phone up to my laptop screen and moved it inch by inch every 1 second (tapping accept in between) to scan and add 20+ codes with the camera. It took me 5 minutes to add them initially as I doubled checked the veracity of the 2fa codes generated... but truthfully you could probably add 20+ accounts in under a minute. If not quicker.
I don't consider the lack of an automated way to import the manual backups a bad thing. The encrypted icloud sync works remarkably well. The exported zip backup would, in in the worse case scenario, be where I lost my iphone 12, I lost my macbook air, someone stole my ipad mini, and in the same day, someone broke into my house, went under my bed, and additionally stole the beat up looking iphone 6 in the back of the drawer. But again, since the codes are backed up encrypted in iCloud, just because my devices are stolen doesn't mean I lost access to them. I could also drive 30 minutes downtown, walk into an apple store, buy an iphone on the spot, download raivo from the app store and have it automatically sync my codes from iCloud, and have access to my 2fa codes, all within an hour. Or I could go to craigslist and find someone selling an old ipad, iphone, or whatever and buy it off them for 50 bucks and have access to my codes. My wife also has an old iphone 7 that is laying unused on the bookshelf in our living room, which I could also just log in and access my codes as well.
Basically, what I'm saying, is that as long as an encrypted copy of my 2fa codes exist in icloud, I can log into any idevice and have access to my 2fa codes. The chance of me having to manually use my encrypted .zip backup is virtually nil. The only scenario I can envision is if someone stole every device I own, burned my house down, sim swapped my phone and stole my cell phone number, burned down the local google data center (likely centers) where my iCloud user data is stored on Google Cloud, and also bought every iphone, ipad, macbook, and apple device in a 100 mile radius, including used models, and including breaking into and robbing every apple store in the vicinity so I couldn't procure a new idevice. That is legitimately the only scenario I can foresee in where I would lose access to my 2fa codes.
Apple devices are ubiquitous in the US. I still have a windows laptop and desktop that I had considered as my "main" computers for the longest time. I had a real come to jesus moment several months ago when I realized my way of thinking was a bit outdated. I had thought that in order to reduce the attack surface, I would need to manually backup all my codes, print them out, make several copies so I wouldn't lose one of them, and use my 2fa codes only on one device. But truthfully - there is another way of ensuring ubiquitous access to my 2fa codes, and it didn't involve much more effort on my part.
I want to switch devices, install the app, put in my password and have all my codes sync'd into the app directly. I don't want to bother with scanning 50+ accounts (I use 2fa for everything), by hand in the name of pseudo security. After 2+ years, that feature should be fixed.
But that is what happens, when you use the icloud backup. You log in, you you create a new passcode, and the app automatically looks in your icloud folder for a backup, then restores it automatically. There is no account creation involved in the process. What you are asking for already exists.
What you are asking for is the manual backup you create to automatically restore.
Raivo is not letting me proceed without setting a master password.
I tried an 8 digit long key. 9 char long string. 9 char + 3 spaces. 9 char + 3 hyphens.
It just keeps rejecting them saying weak passwords without telling me what does it need.
I finally set a long randomly generated password and it was accepted. I like to remember passwords of my password manager and TOTP tool. It I knew the requirement I would have set something longer but memorable.
Thanks for the recommendation. I use Lockdown (the TOTP app, not the firewall) and even wrote an exporter for it, but it’s essentially unsupported now.
After a lot of trouble, I was able to extract my private keys from Authy by installing their deprecated Chrome extension and using some hacky javascript found in a gist. Now, I'm on the search for something else to load my keys into.
All the other 2FA apps out there that I've looked at are lacking in some way or another. Ideally, I'd like as a basis: iOS and MacOS app (not electron) support, easy import/export, no requirement for a phone number, some sort of encrypted 'cloud' backup, open source, decent UX.
I'm half tempted to just import into Bitwarden (which I happily pay for) and call it a day, but I'd like to keep my password manager separate from my 2fa... just seems awkward to combine them.
Maybe worth looking into getting some Yubikeys (get a spare, it's just easier) and using those in combination with their 2FA app. They can do some other neat tricks as well with SSH and PGP.
Clarification edit: they offer a 2FA token app which you unlock with your hardware key, which is separate and can be used in conjunction with hardware token authentication with any service that offers it.
Note that their cheaper blue or newer biometric keys don't support all the same things their mainline black ones do, but should work just fine.
No affiliation, just happy with their products and had a really awesome (business) customer support experience where they replaced several broken (through my own fault) keys for free.
I use Bitwarden. If someone owns my phone they’ll own all my apps so separating factors isn’t useful to me. I mostly use 2FA in case of a specific bug at a site that allows for something like a password reset attack. I use a FIDO key for the important stuff, including Bitwarden, so I feel like that’s pretty good protection overall. I’ll never be a target of anything more than common criminals, too, never a nation state or anyone looking for crypto or anything.
Just be aware that it might violate your threat model depending on what you're protecting against. There's a benefit to having your second factor also be more or less separated from your password manager, especially for Bitwarden, which doesn't enforce that devices are registered to log in (unlike e.g. 1password does). I say this as a bitwarden user.
Just to note, extraction works well ( I did the same thing to migrate ) but services with Authy-integrated MFA ( like Twitch ) are "managed" by Authy so it can regenerate the secret on the fly and transparently to the end user, at which point your previously extracted secret will no longer be valid.
This doesn't affect any of the MFA secrets you manually added to Authy, and these days many of the integrated services will let you additionally add standard TOTP mfa to your account ( unfortunately Twitch still requires you to set up an Authy account first, though )
Is it still two factor if remote actor can access the second factor with only your master password? (I guess they also need to your email, to verify a new device...)
To add a new device, you need the email address (just the address, not access to the email account), the master password, and the account key. The last one is encouraged to be printed out and kept in a secure, physical location.
I haven't found anything better. Some people aren't happy with them for reasons like their subscription model and their move to Electron for some formerly-native clients.
> I'm half tempted to just import into Bitwarden and call it a day, but I'd like to keep my password manager separate from my 2fa... just seems awkward to combine them.
FWIW, In practice I find that this is natural and super-convenient.
Correct me if I’m wrong but U2F tokens are an antidote to TOTP seeds being leaked, right?
Edit: some reading: https://en.m.wikipedia.org/wiki/Universal_2nd_Factor I have the advantages and disadvantages section a read and I believe I got it right. The one major disadvantage I’ve read about is that there is no backup. At a place I worked, we registered two keys and kept one as a backup. It seemed to work okay.
> The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.
Later, on FIDO U2F:
> Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.
I thought ‘public’ means it can be shared widely without there being a risk to the private key. What threat model would consider it a risk to have a public key exposed?
Sorry, I was asking about U2F as an alternative to TOTP and not a method of implementing such. If I’m not mistaken that was unclear on my part and you were led to interpret what I said a different way than I intended.
Bloody Twilio, because of them I've lost access to my Twitch account.
For some historical reason, at my previous job the SendGrid account was connected to my phone number. When I quit, I migrated Authy, which was required to log into SendGrid, to another employee.
Now, months later, I find that Twitch has migrated its 2FA to Authy, and I am unable to get the codes anymore so I'm locked out. I'm pretty sure my codes are now being sent to this other employee, and neither Twitch nor Authy's support are keen to help.
I don't know if I should blame Twitch or Twilio but fuck this shit and I will not give either any more or business.
I use Bitwarden for password management and 2FA now. I recommend them instead.
Can someone explain the significance of this? Aren’t the secrets suppose to be encrypted on the device side before being sent to the Twilio servers? I don’t get how the attackers were able to get access to the MFA codes.
The Twilio exploit allowed the hackers to add a new device to existing Authy accounts. This allowed them to sync the keys between devices within the same account
It is not optional if you have a backup password set. Once you log into your account using your phone number, you still need to enter your backup password once to decrypt and actually start generating codes.
The reminder you are talking about is when you are already using Authy to re-enter your backup password so that you dont forget it. That is the prompt you can dismiss, not the once needed to setup Authy on new machine.
This must be the case. The whole point of 2-step auth in this case is something you have(authy storage) and something you know(your authy backup password).
Tangential: I’ve seen Authy recommended around (including in an Ars Technica article about 2FA), but never understood why linking a phone number (subject to SIM jacking or other kinds of loss) was preferred or even thought of as a decent idea. Using 2FA for security but choosing SMS OTP as the authentication for the 2FA provider seems…weird.
There are many other apps that provide syncing (the accounts and seeds) across devices without needing a phone number and SMS OTP authentication. There your threats are primarily your phone and what service is used for the sync.
I see Authy recommended by service providers because it provides a recovery mechanism that doesn't involve expensive customer support and headache.
That said, using it is a choice that compromises the underlying principle of 2FA, which is verifying something "you have" in addition to something "you know" (your login credentials). This is a choice that should more clearly be explained to users, in that expanding the pool of things "you have" and allowing that pool to be expanded using nothing but SMS auth significantly increases the possibility of nullifying 2FA security entirely.
I say this as the author of a password-store extension that stores and syncs TOTP and HOTP keys. I understand that users can choose to defeat 2FA entirely by storing keys alongside their passwords without a second factor needed to decrypt those keys. But users can also choose to keep the store decryption keys on a hardware token such as a Yubikey, which effectively replaces OTP 2FA with hardware token-based 2FA, with the possibility to restore from a backed-up PGP private key.
Obviously that option is complicated, which is why I admire the sync solutions implemented by Keybase and Signal like you describe.
This is probably related to the fact that Authy has two modes — a traditional MFA mode using TOTP (6-digit codes) and another 2FA method using server-pushed secrets (used by Gemini, possibly Coinbase and others). The codes are longer than 6-digits, and aren’t encrypted. That’s when a service “enrolls” you in 2FA using Authy.
I don’t think they compromised the encrypted / non-Authy-issued codes.
I don't understand using 2FA for most things. My iCloud has its own 2FA, as it should. That relies on special systems to share keys between my devices. Everything else can use a randomly generated password that my Keychain stores. That's the same level of security as every site using 2FA with my one 2FA app (equally resistant to attackers with password databases and equally fallible to fully compromised sites) but far less of a hassle. If I were in Google's ecosystem, it'd be similar. If I want to switch ecosystems, I can export my passwords.
I have zero trust in Authy or RSA SecurID. As far as I am concerned, for a security product, one strike and you’re out. This is Authy’s second at least.
At this point I also won’t consider anything but U2F secure 2FA.
Instructions:
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
Aegis-specific export:
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...