If a proprietary app is better and more robust, I am willing to try it and assess it myself.

    • Cynber@lemmy.ca · ↑17 · 1 year ago

      Yep, it works perfectly

      Bitwarden has it too, but eggs in one basket etc.

    • morrowind@lemmy.ml · ↑6 · 1 year ago

      One of those apps that just does its job, does it well and I never have to worry about it

    • darklamer@lemmy.dbzer0.com · ↑4 · 1 year ago

      Thank you!

      I’d been a happy user of andOTP for many years, unaware until now that it had been abandoned and that I therefore needed to replace it. I looked through the recommendations posted here and came to the conclusion that Aegis indeed was the best recommendation.

      Migrating from andOTP to Aegis by exporting an encrypted backup file from andOTP to the local filesystem and importing it in Aegis worked flawlessly.

      One thing that I really liked in andOTP that Aegis doesn’t have was the PGP export, it was just very nice to get encrypted backup files that I could decrypt directly using standard software that I already have and know how to use, entirely independent from any particular app. Aegis instead provides the decrypt.py script to decode and decrypt its own encrypted backup file format and while I’ve tested and verified that this works fine, simply using standard PGP was nicer.

      But that’s a minor detail. All in all, Aegis seems to do everything I need, and does it well.

    • BearPear@lemmy.world · ↑3 · 1 year ago

      This is the best option. Love the app. But always remember to keep a backup of your tokens.

      There is also the ente.io authenticator app. It is available on F-Droid. I think it supports cloud synchronisation as well.

  • m-p{3}@lemmy.ca · ↑22 · 1 year ago

    I’d suggest the following

    The really important step is to make sure to export and backup your 2FA codes in a safe place.

    You don’t want to be left in the mud because you lost or wiped your phone that contains the only method to get into your important accounts.

    • GadgeteerZA@beehaw.org · ↑1 · 1 year ago

      I see how 2FAS cross-device sync works, but there is no mention for Aegis on their site how they do it? For me, not having good sync across my Android devices and Linux desktop is a showstopper.

      • dana@lemmy.world · ↑3 · 1 year ago

        It depends on your risk profile, but yes, it’s less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you’d definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.

        • peregus@lemmy.world · ↑3 · 1 year ago

          > If you opt to store 2fa keys in Bitwarden you’d definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.

          With the risk of getting locked out if all your devices get logged out of Bitwarden! 🙈

          • dana@lemmy.world · ↑3 · 1 year ago

            To clarify, you’d want to enable 2fa for Bitwarden and store the token for that in a different authenticator app - that way you can still log in to Bitwarden without already needing to be logged in

  • GadgeteerZA@beehaw.org · ↑21 · 1 year ago

    Bitwarden and it’s fully cross-platform. I like that it auto copies the 2FA pin to clipboard after filling in login - cuts out extra clicks and copy movements.

    • gressen@lemm.ee · ↑2 · 1 year ago

      “Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium or membership to a paid organization (families, teams, or enterprise).”

          • Itookmyprozac@lemmy.ml · ↑3 · 1 year ago

            This!

            Keepassxc is cross-platform, free and open-source. It has also options for iOS and Android.

          • CrescentMadeJr@beehaw.org · ↑1 · 1 year ago

            I’m aware. So is Bitwarden if you don’t use their web vault, which KeepassXC does not have. Keepass can use a cloud drive to sync multiple devices whereas Bitwarden requires a self hosted instance to sync. Personally I would rather trust my own hosted instance over that of a cloud provider. But that all depends on your threat model and who you’re willing to trust. Having used both I personally prefer self hosted Bitwarden.

              • CrescentMadeJr@beehaw.org · ↑1 · 1 year ago

                I know they exist. I think you’re missing what I’m saying.

                Bitwarden is fully free and self hostable. That is how I use it. Bitwarden needs a self hosted webserver. KeePass can use only a cloud provider or self hosted cloud storage and also set up a web vault.

                With Bitwarden, if you don’t want that hassle you can use their webvault they host. You cannot do that with keepass. That is what costs the $10/year.

                Point is, both are good software that do things a bit differently. I liked KeePass, but I found Bitwarden to do what I wanted better, which was easily sync my passwords across devices without the hassle of self hosting something like Nextcloud. A quick docker container and I’m good.

                Maybe some people are fine with keepass and something like Dropbox for sync. And maybe others don’t want to use a public cloud server but also don’t know how or want to host their own instance of a password manager or cloud server. So they can use something like Bitwarden’s webvault instead, which is free except for TOTP.

    • lud@lemm.ee · ↑2 · 1 year ago

      Kinda makes two factor authentication useless as they are both stored in the same place.

      • GadgeteerZA@beehaw.org · ↑3 · 1 year ago

        I think it is more about passwords being accessible after hacks etc. What you are referring to, is if Bitwarden were to be hacked, both are accessible. Online Bitwarden has securely hashed all the data, so that is pretty useless if anyone gets it. On my devices I use biometric login, and on desktop a Yubikey as 2FA into Bitwarden. I also have it set to request login every time the browser is restarted, just in case someone were to steal the session data from the browser.

        But your point is very valid if a user were to have a weak password for their Bitwarden, or not to have a good 2FA for their Bitwarden login. You want to keep that basket of eggs as safe as you can.

        • lud@lemm.ee · ↑1 · 1 year ago

          The whole point of 2FA is for them to be completely separate.

          • GadgeteerZA@beehaw.org · ↑3 · 1 year ago

            But if the access to the combination of the two requires a separate 2FA (my Yubikey), then it is virtually separated. It is not just one password and you inside Bitwarden. One could argue otherwise, that having a 2FA app on the same phone as your password manager, is also not separate, if the same PIN/biometric gives access to that phone with the two apps on.

            • lud@lemm.ee · ↑2 · 1 year ago

              Do you use your Yubikey for 2FA or do you use it instead of a password?

              If it’s the former then I guess it’s fine.

  • Syudagye@pawb.social · ↑13 · 1 year ago

    I personally use KeePassXC (KeePassDX on android), it can have TOTP code generation for 2FA for any service. And since it’s a password manager, it’s secured by a master password.

  • edgan@lemmy.ml · ↑8 · 1 year ago

    I actually try to use authenticator apps as little as possible. Having to unlock your phone and open the app each time is too much hassle.

    Instead I have four Yubikeys, not security keys, that I store my OTP 2FA codes on. One for personal codes, one for work codes, and the other two as backups for the first two. The backups protect me from hardware failure, the keys being stolen, or lost. One downside of the backup plan is having to scan the QR code twice, once per Yubikey.

    Each Yubikey can store 32 OTP codes on the smart card part of the Yubikey. The 32 code limitation is why I have personal and work codes on separate keys. I did run into this limit.

    This isn’t the cheapest solution. In addition you could argue it also isn’t the most secure, but that depends on the attack vector and circumstance.

    With this setup I can use the Yubico Authenticator desktop to copy and paste the codes into the browser. While mobile I can use the mobile form of the same app. Also all my Yubikeys have NFC, so I can use that method if I want instead of just USB.

    As mentioned in a different comment I highly recommend not storing 2FA codes in password managers like Bitwarden. It creates an all eggs one basket problem, which is exactly what 2FA codes are trying to avoid.

    • s20@lemmy.ml · ↑5 · 1 year ago

      > Having to unlock your phone and open the app each time is too much hassle.

      And having to use two USB keys and double code scanning isn’t? I’m glad your system works for you, but it sounds like a pain in the butt to me lol.

      • edgan@lemmy.ml · ↑1 · 1 year ago

        I have to use the work one multiple times a day on weekdays. I use the personal one maybe once a week.