Comment on Authy got hacked, and 33 million user phone numbers were stolen
Creat@discuss.tchncs.de 2 months agoWell to be frank, the fact that you’re asking this shows you haven’t really understood what makes something secure or insecure, or it isn’t as important to you as you claim. If you want your stuff to be secure, your phone is the only “thing” that generates the 2nd factor. Especially things that are critical shouldn’t have duplicate devices being able to also generate codes. If you do want to generate codes for less critical accounts somewhere else, you should register a 2nd TOTP generator with that service and use one each per other machine. That way, if something gets compromised, you can just revoke those devices preventing any damage without having to re-setup existing 2fa again for the devices that weren’t compromised.
Now aegis is Android only, like you said. It also has no way of syncing with another instance (by design). It’s local only, it can just do backups. Having it send the highly critical information anywhere kind of defeats the security-purpose of it being local only. It adds a whole communications protocol that has to be secured, and somehow you have to authenticate the other side and so on. This also probably doubles the complexity (or at least size of the codebase) for the project, which then makes audits harder et cetera.
Now for an actual answer: Most password-managers can also generate TOTP codes, like KeePass or KeePassXC to name two open source ones. But it’s their secondary purpose, with the primary obviously being storing the passwords. I’m not going to get into the implications of storing a TOTP code generator secret together with the password of the account it protects, let’s just say there are some. Since the actual secrets are stored in a (secured) database, you can sync these between devices. Or you can just create multiple TOTP generators for a single service and keep them separate.
Or we circle back to something server based, like BitWarden, which is primarily a password manager but also does TOTP. It’s a commercial, server based solution that is free for individuals. I’m not sure what the current limitations are for those accounts, like number of entries or just who you can share stuff with and so on. There is a open source implementation of their protocol called VaultWarden, where you can self-host the back end and not rely on the company securing their servers properly (and/or not being collateral damage in a breach of some kind). Again, combining password + TOTP-storage in the same service that is accessible online should be done with considerable thought to how it’s secured, but you could use this to only store the 2fa aspect as well.
9point6@lemmy.world 2 months ago
Well yes, the most secure way would be a single source of OTPs, however I’m happy to compromise that slightly for convenience. Having 3-4 devices with access to the OTP database isn’t a huge increase in my attack surface. An attacker would still need to steal one of my devices, rather than one specific device. Those devices would also naturally be protected by additional factors.
I understand I would have to handle the syncing of the database for aegis, I was more curious if you knew of other clients that could use the same database format on other platforms.
I’m very aware it’s a bad idea to keep your OTPs in the same database as your passwords (and in fact already make use of keepass). I would probably not even sync the databases using the same mechanism
Bitwarden/vaultwarden does seem to be the front running option if there aren’t suitable clients for reading an Aegis database on other platforms, and I’ll just ignore the password manager aspects of it even if that means it’s a heavier solution than I’d have preferred.
Thanks for bearing with me on this
Creat@discuss.tchncs.de 2 months ago
As far as I’m aware, the aegis database format is only used by them. You also can’t do an automatic import (only export), so keeping multiple systems in sync (particularly more than 2) can only be tedious.
If that’s what you’re after, just use a KeePass database, in particular if you’re already using one anyway. Most clients can sync with a remote storage (like Keepass2Android or KeePassXC on multiple platforms), and I do mean real sync: Both sides can have modifications, and it’ll consolidate them correctly (of course unless both have modified the same entry, then you’ll be prompted). Just throw the database onto a nextcloud or something, as the clients can also usually talk to that directly without another app doing the file transfer (at least Keepass2Android can).
BitWarden has a pretty good reputation, and is a frequent recommendation as well. But then again, so was Authy… With your own VaultWarden as the backend (if you can easily host that yourself) it would be a no brainer as a near universal solution. And this would probably also be “secure enough” for normal, everyday purposes. It can import and export a KeePass database btw, if that helps.
Since I haven’t actually said anything about how I’m handling this, here’s a quick summary: Critical accounts use a complex password (stored in my password manager) and the 2FA is only stored in Aegis. There are generally backup codes on paper stored “somwhere safe”, if this is supported by the service (google does, steam does, …). On any account that just happens to require 2FA, but I don’t use it for anything critical, the TOTP is just stored inside my password manager, for convenient auto-filling. Examples are a Twitch account (I don’t stream, I just happen to have an account for chat and stuff). My password manager is also KeePass-based and used on multiple systems, sync’d via nextcloud and with a mf’er of a password (plus an additional factor). I generally don’t reuse passwords anymore, at all, ever: They are generated, at least 24 characters long (usually longer) unless the service prohibits passwords of that length (yes, this happens, surprisignly often actually). The password database is of course backed up in like 3+ different locations, and some are located somewhere physically different (i.e. not at home).