Beware: Authenticator app issues

Aegis Authenticator is a free and open source 2FA app that supports both the HOTP and TOTP algorithms. Since they are the most used open reference architectures, backed by the Initiative for Open Authentication, there is no need for any kind of "authorization" to use Aegis for managing 2FA codes for different platforms.
Aegis does not require internet permission and requires only 3 permissions to operate. Very safe and privacy-friendly.



You can download it from Google Play or F-Droid Store. https://f-droid.org/en/packages/com.beemdevelopment.aegis/

The code is available to inspect and reproduce (https://github.com/beemdevelopment/Aegis), and it is recommended by PrivacyGuides: https://www.privacyguides.org/multi-factor-authentication/#authenticator-apps

You can set Aegis to auto-backup to any folder on your Android device -> Google Drive / OneDrive / Syncthing, etc.
 
Adding the screenshot of the landing page of Microsoft Authenticator with the restore option for reference.

Edit: Photo, since screenshots are blocked.
 

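The post above leans on HOTP and TOTP being open standards (RFC 4226 and RFC 6238), and the rest of the thread is about losing or backing up the enrolled secrets. The following is an added example, not code from Aegis or from the post's author: it implements both algorithms from the Python standard library, parses the otpauth:// URI that an enrollment QR code carries, and includes the constant-time, drift-tolerant check a server would run. The secret is the RFC test key "12345678901234567890"; the URIs, the issuer "Example" and the account labels are constructed placeholders. The point it makes for the backup discussion: the base32 `secret` parameter in that URI is the entire credential, so an app that exports it (encrypted) is exporting everything needed to regenerate the codes, and anyone who obtains that export has the second factor.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) using only the Python standard library."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions permitted by the otpauth URI "algorithm" parameter.
DIGEST_BY_NAME = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at // period, digits, digest)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                period: int = 30, digits: int = 6, digest=hashlib.sha1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    to tolerate clock drift, comparing in constant time."""
    step = at // period
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits, digest), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://{totp,hotp}/... URI encoded in an enrollment QR code.
    The `secret` parameter is the whole credential: whoever holds it can mint codes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = params["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # issuers usually omit base32 padding
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "counter": int(params.get("counter", 0)),
    }


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """What an authenticator app displays for an enrolled entry (HOTP or TOTP)."""
    entry = parse_otpauth(uri)
    digest = DIGEST_BY_NAME[entry["algorithm"]]
    if entry["type"] == "hotp":
        return hotp(entry["secret"], entry["counter"], entry["digits"], digest)
    now = int(time.time()) if at is None else at
    return totp(entry["secret"], now, entry["period"], entry["digits"], digest)


# Constructed enrollment URIs for illustration only. The secret is the RFC 4226/6238
# test key "12345678901234567890" in base32; issuer and account labels are hypothetical.
RFC_TEST_KEY = b"12345678901234567890"
EXAMPLE_TOTP_URI = ("otpauth://totp/Example:alice%40example.com"
                    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
EXAMPLE_HOTP_URI = ("otpauth://hotp/Example:bob%40example.com"
                    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&counter=9")

if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_TEST_KEY, 0))             # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(RFC_TEST_KEY, 59, digits=8))  # 94287082 per RFC 6238
    print("from TOTP URI  :", code_from_uri(EXAMPLE_TOTP_URI, at=59))
    print("from HOTP URI  :", code_from_uri(EXAMPLE_HOTP_URI))
    print("drift check    :", verify_totp(RFC_TEST_KEY, "94287082", at=89, digits=8))
```

Running the block reproduces the published RFC test vectors, which is the check to use against any authenticator implementation or backup-restore path: if a restored entry yields the RFC value for the test key, the secret survived the round trip intact. Note that `verify_totp` widens the acceptance window per step of drift it tolerates, so the window should be kept small on the verifying side.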
It's not cross platform though. AFAIK it's Android only.
Should have realised upfront that free open-source apps don't have any incentive to pay Apple $99/year.

On that note, really stupid of Microsoft to not support Windows with Authenticator. Presently I use it with the Android subsystem on Windows, but it makes no sense.
 
I knew that while enabling 2FA on any app/site, it shows us 8-digit backup codes which we need to note down and store in secret. I have codes for a few such apps/sites, but for most I don't, as I thought Google baba would take the pleasure, as always, of syncing them all inside Google Authenticator.

So, learnt my lesson, hence urging everyone to back up those 8-digit backup codes and keep them handy.

FTW, I have disabled 2FA on most of the apps and am looking for an authenticator app which can back up everything configured!
So that's the moral of the story. Back up those codes if you use 2FA.

Why have you disabled 2FA though? Lesson learnt, no?
 
On that note, really stupid of Microsoft to not support Windows with Authenticator. Presently I use it with the Android subsystem on Windows, but it makes no sense.
Yeah I was quite surprised at how badly Authenticator was integrated with Windows. Passwords synced to Edge and that's about it. It says something when iCloud Keychain for Windows provides a better experience.

Are open-source 2FA apps even secure, any backdoor thing?
Apps like Aegis provide the best security, but you miss out on the convenience factor. You don't get cross-platform support, multi-device sync and easy-to-use cloud backups with recovery options. Sure, you can upload the encrypted backup files to a local or cloud location of your choosing, but it's not a seamless experience.

You have to decide whether you prefer security above all or prefer a reasonable amount of security with a convenience factor. And nothing is stopping anyone from using multiple 2FA apps. If something needs to be kept highly secured you can use the safer but less convenient app for that.
 
Bet OP missed that. Yeah, I can see why.
I anyway wasn't concerned about the MS auth app, as only my organization's a/c and my personal MS a/c were configured, which can anyway be reset and alternatively logged in to, and if not, then there is the toll-free thing.
So, finally giving Aegis a try.
 
For Microsoft accounts, I use Microsoft Authenticator, and Authy for all the rest due to its Apple Watch support as well as multi-device support.
 
No love for Bitwarden? Their 2FA feature is paid, but that's 10 USD/year. It syncs across devices and auto-enters/copies the 2FA code to the clipboard. For added privacy you can even self-host an open source implementation of their backend (Vaultwarden).
 
No love for Bitwarden? Their 2FA feature is paid, but that's 10 USD/year. It syncs across devices and auto-enters/copies the 2FA code to the clipboard. For added privacy you can even self-host an open source implementation of their backend (Vaultwarden).
What's the point of having 2-step auth if you keep both steps locked down in the same place?
----
Google auth is a shit app. I wonder, do users not read reviews or see the bad ratings before installing any app?
 
Authy has been my default authenticator app for the past couple of years. The multi-device option that it has is all I need to ensure continued access to Authy even when upgrading or reinstalling OSes in mobile or laptop.
 
Another casualty by Google authenticator :(

Like everyone said, use Aegis or AndOTP. Both are OSS applications and implement the TOTP/HOTP RFCs. They can encrypt seed phrases and back them up to the cloud. Authy is also a decent option. Microsoft Authenticator is just not fast compared to the 2 OSS apps.
 
No love for Bitwarden? Their 2FA feature is paid, but that's 10 USD/year. It syncs across devices and auto-enters/copies the 2FA code to the clipboard. For added privacy you can even self-host an open source implementation of their backend (Vaultwarden).
Lol! Who even pays for such a thing? $10 lifetime is fine, but per year is a joke for any aam aadmi.
 
Lol! Who even pays for such a thing? $10 lifetime is fine, but per year is a joke for any aam aadmi.
Lifetime licenses only work if the product can be run locally and the devs don't need to maintain a server for it. Since products like Bitwarden require ongoing cost to run, there's no sense in lifetime pricing.

$10 per year for the services they are providing is actually reasonable. It does get inflated for us, due to the exchange rate, but their costs are in USD, and so is their price.
 
Lifetime licenses only work if the product can be run locally and the devs don't need to maintain a server for it. Since products like Bitwarden require ongoing cost to run, there's no sense in lifetime pricing.

$10 per year for the services they are providing is actually reasonable. It does get inflated for us, due to the exchange rate, but their costs are in USD, and so is their price.
Still, paying for something which has many free alternatives, with the flexibility of local backup etc., makes sense unless someone is very particular about the cloud.
 
Still, paying for something which has many free alternatives, with the flexibility of local backup etc., makes sense unless someone is very particular about the cloud.
Bitwarden does offer a free service, but you do not get TOTP as part of that. For that, you need to pay 10 USD/year. It's literally dirt cheap compared to others, and god help us if you think paying a minimal amount like this for a security-critical product is them asking too much.
Bitwarden Premium features list: https://bitwarden.com/pricing/
 