If proprietary app is better and more robust I am willing to try it and assess it myself.

2 points
*

I actually try to use authenticator apps as little as possible. Having to unlock your phone and open the app each time is too much hassle.

Instead I have four Yubikeys, not security keys, that I store my OTP 2FA codes on. One for personal codes, one for work codes, and the other two as backups for the first two. The backups protect me from hardware failure, the keys being stolen, or lost. One downside of the backup plan is having to scan the QR code twice, once per Yubikey.

Each Yubikey can store 32 OTP codes on the smart card part of the Yubikey. The 32 code limitation is why I have personal and work codes on separate keys. I did run into this limit.

This isn’t the cheapest solution. In addition you could argue it also isn’t the most secure, but that depends on the attack vector and circumstance.

With this setup I can use the Yubico Authenticator desktop to copy and paste the codes into the browser. While mobile I can use the mobile form of the same app. Also all my Yubikeys have NFC, so I can use that method if I want instead of just USB.

As mentioned in a different comment I highly recommend not storing 2FA codes in password managers like Bitwarden. It creates an all eggs one basket problem, which is exactly what 2FA codes are trying to avoid.

permalink
report
reply
5 points

Having to unlock your phone and open the app each time is too much hassle.

And having to use two USB keys and double code scanning isn’t? I’m glad your system works for you, but it sounds like a pain in the but to me lol.

permalink
report
parent
reply
1 point

I have to use the work one multiples time a day on weekdays. I use the personal one maybe once a week.

permalink
report
parent
reply
-4 points
*

I’m just migrating away from github because of this. Sr.ht is looking promising.

permalink
report
reply
13 points

Why would you not want to use 2FA?

permalink
report
parent
reply
2 points
*

I know it is an unpopular opinion, but it is a huge headache in general. I don’t think the theoretical benefits (which make total sense) actually pay off in reality and are worth the extra headache. I’m not saying they should not have it at all, but it should be at least opt-out instead of forced.

In the case of github, I think it is part of their long drawn out plan of data collection and proprietary lock down. Next they are going to require your house address and government ID. I feel better using an free and open source platform anyway.

permalink
report
parent
reply
1 point

Well, if you use a password manager such as bitwarden you can store your 2FA one ctrl-v away. Even if this is a less secure setup, that still prevents someone eavesdropping on your password from reusing it.

permalink
report
parent
reply
1 point
*

Where does this even come from, passwords are increasingly insecure and adding another factor, especially authenticator codes, doesn’t even require you to give up a single new piece of personal information. The entire thing is just adding a local code that your program of choice remembers and uses to generate the one-time password. No data collection, no proprietary software. Other areas might be doing bad shit for all I know, but this change is entirely a forced security measure because people are too bad at passwords.

After seing the frequent attempted logins on my Microsoft account, I’m “just” a lucky guess away from losing it if I do not have another thing blocking access.

permalink
report
parent
reply
2 points

How exactly could a site collect more of your data through 2fa?

permalink
report
parent
reply
1 point

Unless you clear cookies constantly, you need to login just once in a while, where is this huge headache? Password get stolen, 2FA protect you from that.

permalink
report
parent
reply
2 points

Most likely because of the “2” in “2FA”

permalink
report
parent
reply
-5 points

When it comes to proprietary apps Authy is nice, it offers synchronisation between devices, but yeah, it involves cloud (someone’s computer) and you need to give them your phone number, so that’s for privacy, in the end you might as well use Google authenticator, it syncs between devices to, it’s about who you trust more

permalink
report
reply
4 points

For people down voting, please share your reasons for it. If there’s something wrong with the product, sharing that info would be helpful.

permalink
report
parent
reply
1 point
*
Deleted by creator
permalink
report
parent
reply
2 points
*

I’ve used Authy for years now without issue. Seems it’s not a popular option anymore.

Is there something I should know about? Or are other options much better now?

permalink
report
parent
reply
1 point
Deleted by creator
permalink
report
parent
reply
2 points

The official GitHub app. Yes, it’s not universal for other sites, but you get 2FA and a much more pleasant browsing experience.

For a universal solution, give Aegis a try.

permalink
report
reply
2 points
*

andOTP is the only app I know of that’s on F-Droid and has a feature to make an encrypted backup to a file.

Unfortunately it hasn’t been updated in awhilee, but I dont think there’s an alternative.

permalink
report
reply
5 points

I see aegis supports automatic backups. I don’t see it explicitly saying ‘encrypted’ backups though I too use andOTP but didn’t realize it’s not regularly maintained. I may check out aegis as it does support import from andOTP

permalink
report
parent
reply
5 points
*

Followup. Aegis does support encrypted backup. I had to do an unencrypted backup in andOTP so Aegis could import. Easy stuff

Edit: automatic backup doesn’t encrypt? Or I am having trouble setting up

permalink
report
parent
reply
3 points
*

automatic backup doesn’t encrypt?

It does for me. Are you sure that your backup really isn’t encrypted? Look in the JSON backup file, all your vault data should be encrypted and stored in one single long base64 encoded string with key name “db”. Is that not so for you?

permalink
report
parent
reply
1 point

I had to do an unencrypted backup in andOTP so Aegis could import.

I just did an en encrypted backup from andOTP to the local filesystem and successfully imported it in Aegis. It worked flawlessly. Just in case someone else is reading this and is hesitant about how to migrate from andOTP to Aegis.

permalink
report
parent
reply

Open Source

!opensource@lemmy.ml

Create post

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

  • Posts must be relevant to the open source ideology
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

Community stats

  • 3.8K

    Monthly active users

  • 1.8K

    Posts

  • 30K

    Comments