Bitwarden has 2FA built in, and you can host it yourself if you want.
Comment on Authy got hacked, and 33 million user phone numbers were stolen
9point6@lemmy.world 6 months ago
Does anyone have a suggested alternative for authy?
I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:
Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.
At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.
I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
ikidd@lemmy.world 6 months ago
9point6@lemmy.world 6 months ago
I’ve looked into this before and unfortunately it doesn’t support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?
ikidd@lemmy.world 6 months ago
Oops, missed that part. Not that I know of, though SMS is a terrible way to do 2FA. It annoys me so many businesses and banks use it.
9point6@lemmy.world 6 months ago
I agree it’s much worse than using a modern OTP app, but I need a way to access my OTP database when the only form of digital identity I have access to is my phone number.
Authy currently supports this scenario for me (with a load of checks, it doesn’t happen instantly), so I would require a like-for-like replacement.
ITGuyLevi@programming.dev 6 months ago
If you self host vaultwarden you won’t have an SMS backup, but provided you need the code to login to something online, you can log into Vaultwarden from anywhere with an internet connection.
Enoril@jlai.lu 6 months ago
Do you really need that?
Self hosting means your real vault lives outside your phone, and the phone just connects to it to refresh its local data.
I’ve set up my Vaultwarden in my local network; my phone, tablet or a simple web browser can connect to it when I’m home.
If I travel, I just have to start my OpenVPN session and connect to my home, but that’s only needed if I want to update something (the encrypted cache is enough for consultation).
If my phone is stolen the data are safe (the cache is encrypted, the source is not on the phone). I revoke the VPN access as a precaution and move on. No SMS scenario needed here.
You only need a backup phone or computer to set up your new access on the new phone.
9point6@lemmy.world 6 months ago
Do you have a second factor for your VPN? Or is it literally just a passphrase and you’re in? I also need a shared key to access mine, which puts me back at square one (I will not compromise on this).
I do really need what I’ve described because it’s literally a situation I’ve been in.
Matth78@lemm.ee 6 months ago
9point6@lemmy.world 6 months ago
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
Creat@discuss.tchncs.de 6 months ago
The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don’t even need to self host anything, there is nothing to host.
Not everything needs to be “in the cloud”. I think this event illustrates nicely why.
9point6@lemmy.world 6 months ago
This is specifically a scenario where I’m starting from a single blank device because I’ve just been robbed on the other side of the planet.
notabot@lemm.ee 6 months ago
If you’re talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) you’re going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to be woefully insecure.
That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.
Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn’t need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn’t need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don’t have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend’s address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you’ll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they have as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.
The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they’re sure it’s you. To be more secure, split each code into two halves and have each held by a different person.
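As an added example (not code from the thread or from any of the tools named in it), this shell script performs the gpg symmetric-encryption step described above with a slow passphrase-to-key setting, and checks that the ciphertext actually decrypts before it is uploaded; the file names, the sample recovery note and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example: encrypt a small recovery file with gpg symmetric encryption
# and verify the round trip. Assumes gpg 2.x is installed; file names and
# sample contents below are constructed, not real secrets.
set -eu

# Encrypt file $1 to $1.gpg with AES-256 and an iterated+salted S2K at the
# maximum count, so each offline passphrase guess is deliberately slow.
# The passphrase ($2) is fed on stdin, never placed on the command line.
encrypt_backup() {
    printf '%s' "$2" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$1.gpg" "$1"
}

# Decrypt the .gpg file $1 to stdout using passphrase $2.
# Exits non-zero if the passphrase is wrong or the file is damaged.
decrypt_backup() {
    printf '%s' "$2" | gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$1"
}

# Encrypt, decrypt and compare; returns 0 only if the plaintext is
# recovered byte-for-byte. Run this before uploading the .gpg file.
verify_roundtrip() {
    encrypt_backup "$1" "$2"
    decrypt_backup "$1.gpg" "$2" | cmp -s - "$1"
}

# Constructed sample recovery note: just enough to reach the real vault.
make_sample() {
    cat > "$1" <<'EOF'
vault URL: https://vault.example.invalid (placeholder)
login: user@example.invalid (placeholder)
emergency codes: XXXX-XXXX XXXX-XXXX (placeholders)
EOF
}
```

Usage: `make_sample recovery.txt && verify_roundtrip recovery.txt "$PASSPHRASE"`, then upload only `recovery.txt.gpg` and shred the plaintext.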
danielfgom@lemmy.world 6 months ago
I highly recommend 1Password. It’s cross platform, including Linux, and it’s not only a great and sort of super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.
Everything is fully encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.
EncryptKeeper@lemmy.world 6 months ago
2FAS
9point6@lemmy.world 6 months ago
This is a new one to me, but a quick look at their homepage doesn’t seem to suggest SMS support as per my deal-breaker scenario—could you point me to the docs describing that functionality?
ANIMATEK@lemmy.world 6 months ago
This. Superior in any way to authy.
Infernal_pizza@lemmy.world 6 months ago
I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2FA codes to your iCloud or Google account.
darkstar@sh.itjust.works 6 months ago
Aegis. Make an encrypted backup. Store the backup safely. Done
ruse8145@lemmy.sdf.org 6 months ago
Ente auth is new, but open and cross-plat, unlike aegis. Aegis still wins on Android but ente can import aegis encrypted backups.
ITGuyLevi@programming.dev 6 months ago
Like many others in this thread I love Aegis, I regularly back it up to my NAS and it hasn’t failed me yet, but I also self-host Vaultwarden. Recently I’ve found myself copying a lot of my secrets over so if I don’t have my phone, I still have a way to use TOTP.
Appoxo@lemmy.dbzer0.com 6 months ago
I use Aegis
beerclue@lemmy.world 6 months ago
I use Aegis, which I periodically back up manually off phone.
9point6@lemmy.world 6 months ago
(reposted from another comment mentioning aegis)
kambusha@sh.itjust.works 6 months ago
I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.
I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.
9point6@lemmy.world 6 months ago
Oh, in that case it’s not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.
I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.
ryannathans@aussie.zone 6 months ago
Sames, aegis ftw