[HN Gopher] Aegis Authenticator - Secure 2FA App for Android
___________________________________________________________________
Aegis Authenticator - Secure 2FA App for Android
Author : DerekBickerton
Score : 135 points
Date : 2022-11-02 16:32 UTC (6 hours ago)
(HTM) web link (getaegis.app)
(TXT) w3m dump (getaegis.app)
| acdha wrote:
| I've been migrating away from TOTP since it's so easily phished
| but my current approach is to use Yubikeys with their app:
|
| https://www.yubico.com/products/yubico-authenticator/
|
| That avoids keeping the seeds somewhere a general attack could
| get (and requiring a tap complicates attacks) and works across
| all of my devices. The main drawback is that there isn't an easy
| way to install a seed on multiple keys when first enrolling.
| psanford wrote:
| If you are using the yubico-authenticator app then you are
| using TOTP, just with the seeds stored on your yubikey. This is
| still vulnerable to phishing.
|
| I hope what you meant to say is that you are switching to using
| WebAuthn with your yubikey on all sites that support it, and
| then using your yubikey for TOTP on sites that don't support
| WebAuthn yet. WebAuthn is the thing that gives you actual
| protection against phishing.
| [deleted]
| acdha wrote:
| Yes, that's exactly what I meant: I use the same Yubikeys for
| authentication, but fall back to TOTP when sites don't
| support something secure.
| Semaphor wrote:
| I use webauthn wherever available, but considering how rare
| that is, I might start using this.
|
| How well does it work on mobile? TOTP via app, tap the NFC key
| to the phone?
|
| And what does "no easy way" mean, how involved is that process?
| I'd prefer to have the keys on all 3 (or 4, not sure if the
| security key allows TOTP) sticks.
| RockRobotRock wrote:
| Yes, on mobile you either plug the YubiKey into your device's
| USB-C (or lightning) port, or tap the YubiKey to your phone.
| The TOTP secrets live on the yubikey and can't be extracted.
| You can only read out the current code. I believe you can
| also secure your YubiKey with a password so it must be
| entered to see the codes.
|
| If you wish to have the same TOTPs on multiple YubiKeys, you
| are recommended to take a screenshot of the QR code you're
| given at the beginning (which contains the secret key), and
| manually add it to all the backup keys you prefer, and then
| securely erase the screenshot.
|
| further reading: https://support.yubico.com/hc/en-
| us/articles/360013789259-Us...
| smeej wrote:
| It's worth noting that if you install Yubico Authenticator
| on another device and use the same key, you _do_ have
| access to the codes, because as you said, they're stored
| on the key.
|
| I initially thought the codes were stored on my _phone_ and
| the key was only required for _access,_ but that's not the
| case.
|
| That's either a benefit or a drawback, depending on your
| threat model, but it's definitely something people should
| understand.
| croes wrote:
| What happens if the Yubikey gets damaged?
| Semaphor wrote:
| That's why (as with essentially all YubiKey use-cases),
| you have backup(s).
| acdha wrote:
| Yes - on my desktops and laptops, I use USB. For my phones, I
| use the same keys with NFC. Basically you start the app, tap
| the key next to the phone, and then copy/paste the code. It
| means that my daily two factor needs are handled by the
| Yubikey I keep on my badge lanyard for both modern and legacy
| sites.
|
| "No easy way" basically means that you either have to save
| the seed and repeat the setup process for your backup key or
| enroll two separate devices if allowed. It feels like the
| authenticator app could have a useful addition where it'd
| automate that for you if you have two keys present.
| stoplying1 wrote:
| "Password Store" ('pass' compatible) for Android also supports
| TOTP tokens and GPG encryption.
|
| With Syncthing, 'gopass' and 'Android Password Store', I have a
| fully open source, very easy to reason about, fully in my
| control, password and TOTP storage, accessible on all my
| devices. All of which can only be accessed with my Yubikey that
| I keep in my pocket and my GPG PIN.
| kornhole wrote:
| This is a great switch from AOTP that I just did.
|
| The more exciting thing I learned here is that I can backup my
| entire GrapheneOS phone to my Nextcloud server for recovery. I
| just go into Android settings->Backup to get started. This will
| save me a lot of time the next time I lose my phone. Thank you!
| waynesonfire wrote:
| I prefer the insecure ones. /s
| Semaphor wrote:
| As good a time as any to buy them a beer [0], I have been happily
| using it for quite some time.
|
| [0] https://www.buymeacoffee.com/beemdevelopment
| GordonS wrote:
| I switched to Aegis recently, and I did it for only 2 reasons:
|
| 1) I prefer to use OSS when possible
|
| 2) Aegis supports import/export/backup - so if I get a new phone,
| I don't have to spend _days_ setting up my dozens of accounts
| again! This also means I can setup the same OTPs in both Keepass
| _and_ my phone, so I can always get into my accounts
|
| I'm really liking it, it does the same job as the Google and
| Microsoft Authenticator apps, but import/export/backup means it's
| more usable
| Rygian wrote:
| I can import/export with Google authenticator (via QR codes).
| rootext wrote:
| You can import/export to Google Authenticator only and you
| must have two phones. You cannot backup QR codes because
| screenshot is forbidden for security reason. You cannot
| migrate to another application.
| GordonS wrote:
| IIRC, it didn't used to give you any control over
| import/export, and only supported using an opaque Google
| storage option. Has that changed?
|
| Aegis gives me the actual seed, full control of the data so I
| can do with it as I please.
| cbsmith wrote:
| Tends not to work too well in the scenario where you drop your
| phone into the ocean.
| openplatypus wrote:
| Keep away from oceans.
| cbsmith wrote:
| Sounds like a good plan.
| gigatexal wrote:
| "Secure 2FA" app is an odd title. A 2FA app is nothing if it's
| not secure. The "secure" bit here is redundant. The fact that it
| has to be said is actually a red flag. Are you saying it's secure
| because in reality it really isn't?
| vzaliva wrote:
| Before considering switching to it I would love to see a more
| detailed feature comparison to `andOTP` I am presently using.
| From what I can see it is encryption at rest which andOTP may or
| may not do and scheduled backup. andOTP does manual backup.
| Anything else?
| ajvs wrote:
| andOTP isn't really being maintained anymore, which is why I
| switched recently.
| Semaphor wrote:
| Last year, 113 comments:
| https://news.ycombinator.com/item?id=25803996
| RealStickman_ wrote:
| How does this compare to FreeOTP+ ?
| nanomonkey wrote:
| You can securely store and generate TOTP tokens in emacs:
| https://www.masteringemacs.org/article/securely-generating-t...
|
| Since I have emacs on everything, including my phone, it's not a
| bad solution for my purposes.
| pkulak wrote:
| Of course you can.
| Krisjohn wrote:
| The authenticator you use is less important than the process you
| use to store the TOTP QR codes/secret keys. Never just feed it
| into an app, always screenshot it and store it somewhere safe
| THEN put it in something that can generate your TOTP codes.
| 725686 wrote:
| Who makes this? How do I know it is trustworthy? I know it's
| supposed to be open source, but when you install from the app
| store you don't really know what you are installing. I trust
| Twilio's Authy a tad more than a random app with a nice home
| page.
| yewenjie wrote:
| I was happily using andOTP but seems like it has been
| unmaintained since June - https://github.com/andOTP/andOTP.
|
| I wish F-Droid or Play Store had a feature like GitHub's
| 'Archived' to inform users.
| kevinfiol wrote:
| I'm still using andOTP and I prefer it over Aegis. Are there
| any reasons to stop using it if it still works? What kind of
| security vulnerability can affect it? Honest questions.
| yellowapple wrote:
| I'm wondering the same thing. It also looks like while Aegis
| is actively developed on GitHub, that hasn't materialized
| into a new release on the Play Store or F-Droid in 7 months.
| alexbakker wrote:
| You're right, it's been a while, but we actually issued a
| beta release for 2.1 today!
| yellowapple wrote:
| Nice. Will that hit F-Droid at some point? Or do we gotta
| wait for the non-beta release?
| 22c wrote:
| Also a happy andOTP user. Initially I thought you were being
| impatient because no updates for a few months isn't necessarily
| bad, but I see that the project itself has been updated to
| reflect that it is not being maintained by its creator. Thanks
| for the heads up.
|
| Looking at Aegis, it appears to support importing from andOTP
| wanderingmind wrote:
| Aegis is an excellent FOSS Authenticator that is available in
| FDroid. However, offline first apps are challenging to use TOTP
| across multiple devices. These days I just use TOTP provided by
| my password manager (Bitwarden) that is seamless across devices.
| mongol wrote:
| Who are Beem Development?
| alexbakker wrote:
| It's just a group name for the two guys working on it. Source:
| I'm one of them (Hi!)
| barbazoo wrote:
| I used the one by Twilio but switched my TOTP codes over to
| 1Password which I was already using anyway. I get that there's a
| security benefit of not having them in the same app but it's just
| not practical for me.
| virtualritz wrote:
| The killer feature for me is a way to quickly access tokens in my
| (cloud-side, encrypted) vault from a desktop (or web) app in case
| of emergency.
|
| It's not clear to me if Aegis allows this somehow?
|
| The other day I broke my phone. I was traveling and needed to do
| some 2FA level changes to a GH repo asap.
|
| I didn't even know there was an Authy desktop app until then. It
| saved my ass, literally.
| [deleted]
| traceroute66 wrote:
| Don't know if it exists for Android, but for iPhone users there
| is _OTP Auth_ , which can make encrypted backups to a
| destination of your choice.
| PufPufPuf wrote:
| You can export the vault (encrypted or not) to a cloud provider
| (like Google Drive). It's a manual process, but it's simple and
| quick. Besides, how often do you add new 2FA tokens anyway?
| nashashmi wrote:
| Try http://totp.app
| s_ting765 wrote:
| The answer you're looking for is Aegis vault backup + Syncthing
| or Nextcloud. Seriously.
|
| I once lost my Authy app data and didn't have it installed on
| any other of my devices (silly requirement tbh). I don't know
| whether cloud or 2FA is the joke here but Authy slapped me with
| a 24hr wait time for a "device reset".
| pluc wrote:
| Yubikeys store everything on the key. I can lose my phone and
| use _your_ phone to see my 2FA codes. It's honestly one of the
| only ways MFA makes sense - otherwise you lock yourself out of
| your entire digital life when you lose your phone and need to
| rely on storing your backup codes (which opens up a storage
| security wormhole).
|
| It's also a lot easier to wear around your neck.
| openplatypus wrote:
| The only downside is limited space on Yubikey.
|
| I am currently carrying 2 tokens :(
| pgalvin wrote:
| Up to 32, for those reading who (like me) didn't know about
| this limitation.
|
| https://support.yubico.com/hc/en-
| us/articles/4404456942738-F...
| SoftTalker wrote:
| So you've moved the worry from losing/breaking your phone to
| losing/breaking your YubiKey?
| hospadar wrote:
| I keep a second key as backup for this reason, which
| honestly is overkill and I only do because I got a second
| one for free at a conference.
| Easier solution (which I also
| use in case I someday need the second one only to discover
| that the blue smoke leaked out) is to just print out the
| TOTP secrets and keep them somewhere. I'm usually printing
| out recovery codes when I get a new TOTP secret so this has
| never felt like a big deal.
|
| Also easy enough to maintain a keepass[xc] vault for totp
| secrets, you could keep a separate one from your passwords
| if you were feeling paranoid. Great support on mobile and
| desktop for using a keepass db as a TOTP source - and easy
| to sync with dropbox/email/ssh/your web server/whatever
| dathinab wrote:
| who says you only have one or no other backup?
|
| anyway I wouldn't buy a Yubikey for TOTP. OTP sucks. Sure
| it's better than no 2FA and TOTP is better than SMS OTP,
| still it's not great.
|
| WebAuthn-like auth can provide all the benefits of TOTP
| while being way more secure and in some cases even not
| convenient.
|
| The main drawback is how to backup your 2FA which makes it
| less of a choice for a "casual" user.
| pluc wrote:
| Sure. I have a backup key but yes, you can't get MFA
| without adding a device that you may lose; whether that's
| your phone or a key. Like I said I prefer a key because I
| can't put my phone on a chain around my neck or on my
| keychain.
| alexbakker wrote:
| Aegis is fully offline and doesn't have an official desktop
| application. You could of course create an export of your Aegis
| vault and import it in a third-party desktop application, like
| GNOME's Authenticator or OTPClient.
| tlaundal wrote:
| This is what I do. Two "live" authenticators with my phone
| and laptop and a secure offsite backup.
|
| I don't add new keys particularly often, so it isn't that
| big of a hassle to manually sync the authenticators.
| rsync wrote:
| "I didn't even know there was an Authy desktop app until then.
| It saved my ass, literally."
|
| That's a really unexpected outcome - can you provide any
| details ?
| wingmanjd wrote:
| I didn't know Aegis supported the Nextcloud backup target! I was
| hacking my way around on earlier versions of Android using Solid
| Explorer's connection to my Nextcloud, but that stopped working
| somewhere along the way.
|
| Reconnected via the Storage Access Framework and backups are
| syncing!
|
| Thank you, alexbakker
| Lucent wrote:
| Just keep TOTP in your password manager at this point. Whatever
| security is lost by it not being a "true second factor" is made
| up for by not having to recover or restore backups due to a lost
| or stolen phone.
| arepublicadoceu wrote:
| I would argue that the most important account to have TOTP
| enabled IS your password manager. So, if you already have a
| TOTP app to generate codes for your Password Manager why not
| consolidate it?
|
| Besides, if you don't have a physical and digital backup of your
| TOTP seeds you really like to live dangerously.
| howinteresting wrote:
| 2fa for your password manager is good, but that doesn't have
| to be TOTP. That can just as well be something like the
| 1password secret key (something you have).
| plumeria wrote:
| I think that's the idea behind using a key file and a
| password in KeepassXC.
| unethical_ban wrote:
| The one place I intentionally don't have TOTP is my password
| manager.
|
| there is a base case somewhere in a backup strategy where
| TOTP is not feasible. The base case for me is "Keepass file
| backed up to multiple locations and my master key written
| down in an envelope in my house in case I hit my head".
|
| Why would I lock my passwords away behind a TOTP that can get
| lost? My TOTP in Authy is protected by a long random key.
| Where do I store the key? In my password manager.
|
| You can't use a password manager and TOTP to back each other
| up.
| arepublicadoceu wrote:
| I realise now that I was not clear on my post.
| Using TOTP
| or second factor is useful for those heathens that insist
| on using cloud based service for password manager (I'm
| one). Not for local keepass/pass synced by
| syncthing/rsync/ssh etc.
|
| I treat my kdbx as a single password encrypted backup of my
| bitwarden vault on my computer and external hard-drive.
|
| I care much less about second factor if it's something
| offline on my computer than something accessible by a web
| interface to anyone in the world.
| andrewaylett wrote:
| I use Bitwarden for TOTP, because I have become convinced that
| it still provides a true second factor even if both the
| password and the TOTP seed are in the same entry in my password
| manager.
|
| This is because every access to Bitwarden requires two factors:
| a device I've already logged in with, and either the passphrase
| or a biometric unlock. Bootstrapping a new device requires the
| passphrase and a token.
| unethical_ban wrote:
| If you have a TOTP app that allows exports, I agree.
|
| If the individual site allows backup codes, I agree.
|
| But you first need an app that hosts your TOTP that has
| exportable secrets.
| theandrewbailey wrote:
| A password database file is sort-of a second factor (something
| you have).
| Semaphor wrote:
| Restoring backups is extremely easy, though.
| petre wrote:
| It's the only decent authenticator that I've found on the play
| store.
| rounakdatta wrote:
| Thanks for supporting the Nextcloud backup - win win! App is
| perfect, just a single feedback: Possibly find a way to auto-
| populate the logo images of the apps?
| Sytten wrote:
| I am considering switching from authy because it still doesn't
| have folders or collections or tags but the transition is
| annoying without root on android. Also wondering how people
| ensure they can restore if your phone dies?
| Semaphor wrote:
| Aegis supports automatic backups, I backup my Aegis database
| encrypted to my nextcloud.
|
| edit: Also, it allows (after checking the "I know what I'm
| doing" warning) plaintext secret export, if you want that for
| some reason.
| Macha wrote:
| Aegis at least lets you export a password encrypted backup
| tlaundal wrote:
| I did the transition by extracting keys from the desktop app
| using the scripts mentioned in this gist[1] and its comments.
| Of course, you should not do this unless you are comfortable
| verifying the security of the scripts yourself.
|
| Importing to Aegis afterwards was quite straight-forward.
|
| [1]:
| https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
| thr0wnawaytod4y wrote:
| I just put a 2FA implant in my arm
| mnd999 wrote:
| I'd much prefer having my phone stolen than my arm stolen.
| gchamonlive wrote:
| Update your threat scenario to encompass dismemberment and
| create a recovery protocol accordingly. Not sure you would be
| able to do drills, at least not a second time.
| robertlagrant wrote:
| A drill would be a valid vector.
| jaimehrubiks wrote:
| I prefer to calculate the numbers on paper every time. But you
| need to do it fast enough to make it in less than 30 seconds.
| branon wrote:
| Recently had a hard time exporting 20+ OTP secrets from Google
| Authenticator.
|
| I believe I discovered a bug in the app: if you long press a
| secret > edit > leave an empty string as the comment, and then
| export a QR code containing this secret, your other device will
| fail to import ("QR code cannot be interpreted.").
|
| I've only seen this happen with secrets where the comment is put
| in parentheses and appended to the regular, immutable name of the
| secret. There's another type of secret where the entire name can
| be edited, this I did not test. But if you try the import/export
| flow on a secret whose name contains `()` I bet you'll hit the
| bug.
|
| I briefly tried Aegis but you must have Aegis+Authenticator
| installed, and be root, or you can exfiltrate Authenticator's
| database file from private storage, which best as I can tell,
| also requires root. Shouldn't have gone with Authenticator at
| all, I've learned.
|
| It seems optimal to simply retain the original secret (QR code or
| whichever medium) you are given when 2FA is initially enabled.
|
| Later found this equivalent: https://mattscodecave.com/posts/how-
| to-move-from-google-auth...
| alexbakker wrote:
| There's a third option to switch from Google Authenticator to
| Aegis. You can simply scan those export QR codes of Google
| Authenticator with Aegis.
| chinathrow wrote:
| Wouldn't that need a second device since one can't screenshot
| Google Authenticator?
| password4321 wrote:
| Or take a picture of the phone screen, say with a webcam.
| alexbakker wrote:
| Correct.
| notRobot wrote:
| I've been having a great experience with this!
| voidee wrote:
| FYI: For iOS users looking for alternatives to Google
| Authenticator or Authy, I highly recommend the open source Raivo.
| https://raivo-otp.com/
|
| Recently moved all of my TOTPs to it. Encrypted iCloud sync and
| local backup if desired.
___________________________________________________________________
(page generated 2022-11-02 23:00 UTC)
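Several commenters above make the same underlying point from different angles: whoever holds the otpauth:// seed encoded in the enrollment QR code (a screenshot, a printout, a KeePass entry, a YubiKey slot, an Aegis export) can generate the codes on any device, which is both why backups are easy and why TOTP stays phishable. The following is an added example, written for this page and not code from the thread, from Aegis, or from any of the apps discussed: it parses an otpauth://totp/ URI, derives RFC 6238 codes from the seed, and verifies a submitted code with a one-step clock-skew window. The sample URIs are constructed here; the seed GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ is the RFC 6238 test vector ("12345678901234567890") so the output can be checked against the RFC's Appendix B table.

```python
"""Added example: otpauth:// URI parsing plus RFC 6238 TOTP generation
and verification.  Not from the HN thread, Aegis, or any authenticator
app discussed there.  Sample URIs below are constructed for this demo."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions allowed by the otpauth URI "algorithm" parameter.
ALGS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse otpauth://totp/<label>?secret=...&issuer=... into a dict.

    The label is "<issuer>:<account>"; the secret is base32, usually
    unpadded, so padding is restored before decoding.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    secret = q["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding
    return {
        "issuer": q.get("issuer", label_issuer),
        "account": account,
        "secret": base64.b32decode(secret),  # raw seed bytes
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(entry["secret"], now // entry["period"], entry["digits"], entry["algorithm"])


def verify(entry, code, at=None, window=1):
    """Server-side check accepting +/- `window` time steps of clock skew.

    Uses a constant-time comparison; a real server should additionally
    reject a code that was already accepted for the same time step
    (otherwise a phished code can be replayed within the window).
    """
    now = int(time.time()) if at is None else int(at)
    step = now // entry["period"]
    for delta in range(-window, window + 1):
        expected = hotp(entry["secret"], step + delta, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed URI carrying the RFC 6238 test seed, 8 digits as in the RFC table.
    rfc = parse_otpauth(
        "otpauth://totp/RFC6238:test?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
        "&issuer=RFC6238&digits=8"
    )
    for t in (59, 1111111109, 1234567890):
        print(t, totp(rfc, t))
    # Constructed enrollment-style URI with a percent-encoded account name.
    acct = parse_otpauth(
        "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
    )
    print(acct["issuer"], acct["account"], totp(acct))
```

Two things the code makes concrete for the thread's debate: `totp()` needs nothing but the seed, which is why a screenshot or KeePass entry restores a lost phone perfectly, and `verify()` will accept a code for the full skew window, which is why a phishing proxy that relays the six digits within about a minute works regardless of which app produced them.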