[HN Gopher] Aegis Authenticator - Secure 2FA App for Android
___________________________________________________________________
Aegis Authenticator - Secure 2FA App for Android
Author : DerekBickerton
Score : 135 points
Date : 2022-11-02 16:32 UTC (6 hours ago)
(HTM) web link (getaegis.app)
(TXT) w3m dump (getaegis.app)
| acdha wrote:
| I've been migrating away from TOTP since it's so easily phished
| but my current approach is to use Yubikeys with their app:
|
| https://www.yubico.com/products/yubico-authenticator/
|
| That avoids keeping the seeds somewhere a general attack could
| get (and requiring a tap complicates attacks) and works across
| all of my devices. The main drawback is that there isn't an easy
| way to install a seed on multiple keys when first enrolling.
| psanford wrote:
| If you are using the yubico-authenticator app then you are
| using TOTP, just with the seeds stored on your yubikey. This is
| still vulnerable to phishing.
|
| I hope what you meant to say is that you are switching to using
| WebAuthn with your yubikey on all sites that support it, and
| then using your yubikey for TOTP on sites that don't support
| WebAuthn yet. WebAuthn is the thing that gives you actual
| protection against phishing.
| [deleted]
| acdha wrote:
| Yes, that's exactly what I meant: I use the same Yubikeys for
| authentication, but fail back to TOTP when sites don't
| support something secure.
| Semaphor wrote:
| I use WebAuthn wherever available, but considering how rare
| that is, I might start using this.
|
| How well does it work on mobile? Totp via app, tap the nfc key
| to the phone?
|
| And what does "no easy way" mean, how involved is that process?
| I'd prefer to have the keys on all 3 (or 4, not sure if the
| security key allows TOTP) sticks.
| RockRobotRock wrote:
| Yes, on mobile you either plug the YubiKey into your device's
| USB-C (or Lightning) port, or tap the YubiKey to your phone.
| The totp secrets live on the yubikey and can't be extracted.
| You can only read out the current code. I believe you can
| also secure your YubiKey with a password so it must be
| entered to see the codes.
|
| If you wish to have the same TOTPs on multiple YubiKeys, you
| are recommended to take a screenshot of the QR code you're
| given at the beginning (which contains the secret key), and
| manually add it to all the backup keys you prefer, and then
| securely erase the screenshot.
|
| further reading: https://support.yubico.com/hc/en-us/articles/360013789259-Us...
| smeej wrote:
| It's worth noting that if you install Yubico Authenticator
| on another device and use the same key, you _do_ have
| access to the codes, because as you said, they're stored
| on the key.
|
| I initially thought the codes were stored on my _phone_ and
| the key was only required for _access,_ but that's not the
| case.
|
| That's either a benefit or a drawback, depending on your
| threat model, but it's definitely something people should
| understand.
| croes wrote:
| What happens if the Yubikey gets damaged?
| Semaphor wrote:
| That's why (as with essentially all YubiKey use-cases),
| you have backup(s).
| acdha wrote:
| Yes - on my desktops and laptops, I use USB. For my phones, I
| use the same keys with NFC. Basically you start the app, tap
| the key next to the phone, and then copy/paste the code. It
| means that my daily two factor needs are handled by the
| Yubikey I keep on my badge lanyard for both modern and legacy
| sites.
|
| "No easy way" basically means that you either have to save
| the seed and repeat the setup process for your backup key or
| enroll two separate devices if allowed. It feels like the
| authenticator app could have a useful addition where it'd
| automate that for you if you have two keys present.
| stoplying1 wrote:
| "Password Store" ('pass' compatible) for Android also supports
| TOTP tokens and GPG encryption.
|
| With Syncthing, 'gopass' and 'Android Password Store', I have a
| fully open source, very easy to reason about fully in my
| control, password and totp storage, accessible on all my
| devices. All of which can only be accessed with my Yubikey that
| I keep in my pocket and my GPG PIN.
| kornhole wrote:
| This is a great switch from AOTP that I just did.
|
| The more exciting thing I learned here is that I can backup my
| entire GrapheneOS phone to my Nextcloud server for recovery. I
| just go into Android settings->Backup to get started. This will
| save me a lot of time the next time I lose my phone. Thank you!
| waynesonfire wrote:
| I prefer the insecure ones. /s
| Semaphor wrote:
| As good a time as any to buy them a beer [0], I have been happily
| using it for quite some time.
|
| [0] https://www.buymeacoffee.com/beemdevelopment
| GordonS wrote:
| I switched to Aegis recently, and I did it for only 2 reasons:
|
| 1) I prefer to use OSS when possible
|
| 2) Aegis supports import/export/backup - so if I get a new phone,
| I don't have to spend _days_ setting up my dozens of accounts
| again! This also means I can set up the same OTPs in both Keepass
| _and_ my phone, so I can always get into my accounts
|
| I'm really liking it, it does the same job as the Google and
| Microsoft Authenticator apps, but import/export/backup means it's
| more usable
| Rygian wrote:
| I can import/export with Google authenticator (via QR codes).
| rootext wrote:
| You can import/export to Google Authenticator only and you
| must have two phones. You cannot backup QR codes because
| screenshot is forbidden for security reasons. You cannot
| migrate to another application.
| GordonS wrote:
| IIRC, it didn't used to give you any control over
| import/export, and only supported using an opaque Google
| storage option. Has that changed?
|
| Aegis gives me the actual seed, full control of the data so I
| can do with it as I please.
| cbsmith wrote:
| Tends not to work too well in the scenario where you drop your
| phone into the ocean.
| openplatypus wrote:
| Keep away from oceans.
| cbsmith wrote:
| Sounds like a good plan.
| gigatexal wrote:
| "Secure 2FA" app is an odd title. A 2FA app is nothing if it's
| not secure. The "secure" bit here is redundant. The fact that it
| has to be said is actually a red flag. Are you saying it's secure
| because in reality it really isn't?
| vzaliva wrote:
| Before considering switching to it, I would love to see a more
| detailed feature comparison to `andOTP`, which I am presently using.
| From what I can see it is encryption at rest which andOTP may or
| may not do and scheduled backup. andOTP does manual backup.
| Anything else?
| ajvs wrote:
| andOTP isn't really being maintained anymore, which is why I
| switched recently.
| Semaphor wrote:
| Last year, 113 comments:
| https://news.ycombinator.com/item?id=25803996
| RealStickman_ wrote:
| How does this compare to FreeOTP+ ?
| nanomonkey wrote:
| You can securely store and generate TOTP tokens in emacs:
| https://www.masteringemacs.org/article/securely-generating-t...
|
| Since I have emacs on everything, including my phone, it's not a
| bad solution for my purposes.
| pkulak wrote:
| Of course you can.
| Krisjohn wrote:
| The authenticator you use is less important than the process you
| use to store the TOTP QR codes/secret keys. Never just feed it
| into an app, always screenshot it and store it somewhere safe
| THEN put it in something that can generate your TOTP codes.
| 725686 wrote:
| Who makes this? How do I know it is trustworthy? I know its
| supposed to be open source, but when you install from the app
| store you don't really know what you are installing. I trust
| Twilio's Authy a tad more than a random app with a nice home
| page.
| yewenjie wrote:
| I was happily using andOTP but it seems like it has been
| unmaintained since June - https://github.com/andOTP/andOTP.
|
| I wish F-Droid or Play Store had a feature like GitHub's
| 'Archived' to inform users.
| kevinfiol wrote:
| I'm still using andOTP and I prefer it over Aegis. Are there
| any reasons to stop using it if it still works? What kind of
| security vulnerability can affect it? Honest questions.
| yellowapple wrote:
| I'm wondering the same thing. It also looks like while Aegis
| is actively developed on GitHub, that hasn't materialized
| into a new release on the Play Store or F-Droid in 7 months.
| alexbakker wrote:
| You're right, it's been a while, but we actually issued a
| beta release for 2.1 today!
| yellowapple wrote:
| Nice. Will that hit F-Droid at some point? Or do we gotta
| wait for the non-beta release?
| 22c wrote:
| Also a happy andOTP user. Initially I thought you were being
| impatient because no updates for a few months isn't necessarily
| bad, but I see that the project itself has been updated to
| reflect that it is not being maintained by its creator. Thanks
| for the heads up.
|
| Looking at Aegis, it appears to support importing from andOTP
| wanderingmind wrote:
| Aegis is an excellent FOSS Authenticator that is available in
| FDroid. However, offline first apps are challenging to use TOTP
| across multiple devices. These days I just use TOTP provided by
| my password manager (Bitwarden) that is seamless across devices.
| mongol wrote:
| Who are Beem Development?
| alexbakker wrote:
| It's just a group name for the two guys working on it. Source:
| I'm one of them (Hi!)
| barbazoo wrote:
| I used the one by Twilio but switched my TOTP codes over to
| 1Password which I was already using anyway. I get that there's a
| security benefit of not having them in the same app but it's just
| not practical for me.
| virtualritz wrote:
| The killer feature for me is a way to quickly access tokens in my
| (cloud-side, encrypted) vault from a desktop (or web) app in case
| of emergency.
|
| It's not clear to me if Aegis allows this somehow?
|
| The other day I broke my phone. I was traveling and needed to do
| some 2FA level changes to a GH repo asap.
|
| I didn't even know there was an Authy desktop app until then. It
| saved my ass, literally.
| [deleted]
| traceroute66 wrote:
| Don't know if it exists for Android, but for iPhone users there
| is _OTP Auth_, which can make encrypted backups to a
| destination of your choice.
| PufPufPuf wrote:
| You can export the vault (encrypted or not) to a cloud provider
| (like Google Drive). It's a manual process, but it's simple and
| quick. Besides, how often do you add new 2FA tokens anyway?
| nashashmi wrote:
| Try http://totp.app
| s_ting765 wrote:
| The answer you're looking for is Aegis vault backup + Syncthing
| or Nextcloud. Seriously.
|
| I once lost my Authy app data and didn't have it installed on
| any other of my devices (silly requirement tbh). I don't know
| whether cloud or 2FA is the joke here but Authy slapped me with
| a 24hr wait time for a "device reset".
| pluc wrote:
| Yubikeys store everything on the key. I can lose my phone and
| use _your_ phone to see my 2FA codes. It's honestly one of the
| only ways MFA makes sense - otherwise you lock yourself out of
| your entire digital life when you lose your phone and need to
| rely on storing your backup codes (which opens up a storage
| security wormhole).
|
| It's also a lot easier to wear around your neck.
| openplatypus wrote:
| The only downside is limited space on Yubikey.
|
| I am currently carrying 2 tokens :(
| pgalvin wrote:
| Up to 32, for those reading who (like me) didn't know about
| this limitation.
|
| https://support.yubico.com/hc/en-us/articles/4404456942738-F...
| SoftTalker wrote:
| So you've moved the worry from losing/breaking your phone to
| losing/breaking your YubiKey?
| hospadar wrote:
| I keep a second key as backup for this reason, which
| honestly is overkill and I only do because I got a second
| one for free at a conference. Easier solution (which I also
| use in case I someday need the second one only to discover
| that the blue smoke leaked out) is to just print out the
| TOTP secrets and keep them somewhere. I'm usually printing
| out recovery codes when I get a new TOTP secret so this has
| never felt like a big deal.
|
| Also easy enough to maintain a keepass[xc] vault for totp
| secrets, you could keep a separate one from your passwords
| if you were feeling paranoid. Great support on mobile and
| desktop for using a keepass db as a TOTP source - and easy
| to sync with dropbox/email/ssh/your web server/whatever
| dathinab wrote:
| who says you only have one or no other backup?
|
| anyway I wouldn't buy a Yubikey for TOTP. OTP sucks. Sure
| it's better than no 2FA and TOTP is better than SMS OTP,
| still it's not great.
|
| WebAuthn-like auth can provide all the benefits of TOTP
| while being way more secure and in some cases even not
| convenient.
|
| The main drawback is how to backup your 2FA which makes it
| less of a choice for a "casual" user.
| pluc wrote:
| Sure. I have a backup key but yes, you can't get MFA
| without adding a device that you may lose; whether that's
| your phone or a key. Like I said I prefer a key because I
| can't put my phone on a chain around my neck or on my
| keychain.
| alexbakker wrote:
| Aegis is fully offline and doesn't have an official desktop
| application. You could of course create an export of your Aegis
| vault and import it in a third-party desktop application, like
| GNOME's Authenticator or OTPClient.
| tlaundal wrote:
| This is what I do. Two "live" authenticators with my phone
| and laptop and a secure offsite backup.
|
| I don't add new keys particularly often, so it isn't that
| big of a hassle to manually sync the authenticators.
| rsync wrote:
| "I didn't even know there was an Authy desktop app until then.
| It saved my ass, literally."
|
| That's a really unexpected outcome - can you provide any
| details ?
| wingmanjd wrote:
| I didn't know Aegis supported the Nextcloud backup target! I was
| hacking my way around on earlier versions of Android using Solid
| Explorer's connection to my Nextcloud, but that stopped working
| somewhere along the way.
|
| Reconnected via the Storage Access Framework and backups are
| syncing!
|
| Thank you, alexbakker
| Lucent wrote:
| Just keep TOTP in your password manager at this point. Whatever
| security is lost by it not being a "true second factor" is made
| up for by not having to recover or restore backups due to a lost
| or stolen phone.
| arepublicadoceu wrote:
| I would argue that the most important account to have TOTP
| enabled IS your password manager. So, if you already have a
| TOTP app to generate codes for your Password Manager why not
| consolidate it?
|
| Besides, if you don't have a physical and digital backup of your
| TOTP seeds you really like to live dangerously.
| howinteresting wrote:
| 2fa for your password manager is good, but that doesn't have
| to be TOTP. That can just as well be something like the
| 1password secret key (something you have).
| plumeria wrote:
| I think that's the idea behind using a key file and a
| password in KeepassXC.
| unethical_ban wrote:
| The one place I intentionally don't have TOTP is my password
| manager.
|
| There is a base case somewhere in a backup strategy where
| TOTP is not feasible. The base case for me is "Keepass file
| backed up to multiple locations and my master key written
| down in an envelope in my house in case I hit my head".
|
| Why would I lock my passwords away behind a TOTP that can get
| lost? My TOTP in Authy is protected by a long random key.
| Where do I store the key? In my password manager.
|
| You can't use a password manager and TOTP to back each other
| up.
| arepublicadoceu wrote:
| I realise now that I was not clear on my post. Using TOTP
| or second factor is useful for those heathens that insist
| on using cloud based service for password manager (I'm
| one). Not for local keepass/pass synced by
| syncthing/rsync/ssh etc.
|
| I treat my kdbx as a single password encrypted backup of my
| bitwarden vault on my computer and external hard-drive.
|
| I care much less about second factor if it's something
| offline on my computer than something accessible by a web
| interface to anyone in the world.
| andrewaylett wrote:
| I use Bitwarden for TOTP, because I have become convinced that
| it still provides a true second factor even if both the
| password and the TOTP seed are in the same entry in my password
| manager.
|
| This is because every access to Bitwarden requires two factors:
| a device I've already logged in with, and either the passphrase
| or a biometric unlock. Bootstrapping a new device requires the
| passphrase and a token.
| unethical_ban wrote:
| If you have a TOTP app that allows exports, I agree.
|
| If the individual site allows backup codes, I agree.
|
| But you first need an app that hosts your TOTP that has
| exportable secrets.
| theandrewbailey wrote:
| A password database file is sort-of a second factor (something
| you have).
| Semaphor wrote:
| Restoring backups is extremely easy, though.
| petre wrote:
| It's the only decent authenticator that I've found on the play
| store.
| rounakdatta wrote:
| Thanks for supporting the Nextcloud backup - win win! App is
| perfect, just a single feedback: Possibly find a way to auto-populate the logo images of the apps?
| Sytten wrote:
| I am considering switching from authy because it still doesn't
| have folders or collections or tags but the transition is
| annoying without root on android. Also wondering how people
| ensure they can restore if your phone dies?
| Semaphor wrote:
| Aegis supports automatic backups; I back up my Aegis database
| encrypted to my nextcloud.
|
| edit: Also, it allows (after checking the "I know what I'm
| doing" warning) plaintext secret export, if you want that for
| some reason.
| Macha wrote:
| Aegis at least lets you export a password encrypted backup
| tlaundal wrote:
| I did the transition by extracting keys from the desktop app
| using the scripts mentioned in this gist[1] and its comments.
| Of course, you should not do this unless you are comfortable
| verifying the security of the scripts yourself.
|
| Importing to Aegis afterwards was quite straight-forward.
|
| [1]:
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| thr0wnawaytod4y wrote:
| I just put a 2FA implant in my arm
| mnd999 wrote:
| I'd much prefer having my phone stolen than my arm stolen.
| gchamonlive wrote:
| Update your threat scenario to encompass dismemberment and
| create a recovery protocol accordingly. Not sure you would be
| able to do drills, at least not a second time.
| robertlagrant wrote:
| A drill would be a valid vector.
| jaimehrubiks wrote:
| I prefer to calculate the numbers on paper every time. But you
| need to do it fast enough to make it in less than 30 seconds.
| branon wrote:
| Recently had a hard time exporting 20+ OTP secrets from Google
| Authenticator.
|
| I believe I discovered a bug in the app: if you long press a
| secret > edit > leave an empty string as the comment, and then
| export a QR code containing this secret, your other device will
| fail to import ("QR code cannot be interpreted.").
|
| I've only seen this happen with secrets where the comment is put
| in parentheses and appended to the regular, immutable name of the
| secret. There's another type of secret where the entire name can
| be edited, this I did not test. But if you try the import/export
| flow on a secret whose name contains `()` I bet you'll hit the
| bug.
|
| I briefly tried Aegis but you must have Aegis+Authenticator
| installed, and be root, or you can exfiltrate Authenticator's
| database file from private storage, which best as I can tell,
| also requires root. Shouldn't have gone with Authenticator at
| all, I've learned.
|
| It seems optimal to simply retain the original secret (QR code or
| whichever medium) you are given when 2FA is initially enabled.
|
| Later found this equivalent: https://mattscodecave.com/posts/how-to-move-from-google-auth...
| alexbakker wrote:
| There's a third option to switch from Google Authenticator to
| Aegis. You can simply scan those export QR codes of Google
| Authenticator with Aegis.
| chinathrow wrote:
| Wouldn't that need a second device since one can't screenshot
| Google Authenticator?
| password4321 wrote:
| Or take a picture of the phone screen, say with a webcam.
| alexbakker wrote:
| Correct.
| notRobot wrote:
| I've been having a great experience with this!
| voidee wrote:
| FYI: For iOS users looking for alternatives to Google
| Authenticator or Authy, I highly recommend the open source Raivo.
| https://raivo-otp.com/
|
| Recently moved all of my TOTPs to it. Encrypted iCloud sync and
| local backup if desired.
___________________________________________________________________
(page generated 2022-11-02 23:00 UTC)