De-Googling TOTP Authenticator Codes (opens in new tab)

(imrannazar.com)

105 pointsTwo9A6mo ago135 comments

135 comments

To be clear, the point of storing a secret token on your phone and then typing over some codes that prove you have access to the secret still, is to provide 2FA. If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

That can be fine if that's what you want, but if you wanted 2FA:

- FreeOTP: https://f-droid.org/packages/org.fedorahosted.freeotp

- someone forked that and called it FreeOTP+: https://f-droid.org/packages/org.liberty.android.freeotpplus

- FreeOTP again but from the dark side of the internet: https://play.google.com/store/apps/details?id=org.fedorahost...

- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust

Edit: Even with the PGP option shown at the end of the article, the secret is still accessible to any malware whenever you access it. Unless PGP-based 2FA becomes super widespread, this won't be something malware looks for and so you'll be fine unless you are targeted by intelligence agencies, but still, it's not quite 2FA because it's not something you "have" but something you "know" (the PGP data's unlock password)

ori_b6mo ago

If you log into accounts from your phone, that's also 1fa in the same way. And if you keep your phone in the same place as your laptop, so it can get stolen at the same time, that's also effectively 1fa.

The threats that TOTP protects against are ones that don't involve losing your device. For example, if somebody breaches a password database or phishes your password, TOTP codes prevent them from using the leaked credentials.

Phishing/bulk password dumps are more common issues than device theft.

bkettle6mo ago

It depends on the phone, but for many phones the security story remains very good even when lost, unless someone knows your passcode. So it’s still “something you know” protecting the password and the TOTP code, but it’s different things that you know and strict rate-limiting on the phone side that wouldn’t be possible on an internet-exposed authentication system makes it extremely difficult to guess the phone passcode.

1 more reply

dngray6mo ago

> If you log into accounts from your phone, that's also 1fa in the same way.

Not quite, there's a lot more sandboxing on phones than what might go on with desktop.

2 more replies

lokar6mo ago

If you have a Mac, what about using keychain? It has a cli/api and is protected by the Secure Enclave (so 2nd factor to unlock that)

1 more reply

philipwhiuk6mo ago

Or rather, the people interested in phone/device theft aren't expecting and aren't after your TOTP keys.

styanax6mo ago

I would recommend Aegis Authenticator [1] - available in the Play store or F-Droid. It's been featured on HN now and again. One thing it can do is import the data of all the other OTP apps, and create backup files (the seeds) which you can do whatever you want with.

[1] https://github.com/beemdevelopment/Aegis

zeta01346mo ago

I use this, but recently ran into an issue: I only have one Android device. It's great to be able to back up my secrets, but frustrating to need to spin up an emulator on my computer to run an Android app just to use the backups, if my primary device is offline for whatever reason. Is there a way to use the vault directly?

5 more replies

com2kid6mo ago

Keepass now supports 2fa tokens, just use that. Plenty of open source clients on different platforms and you can sync the encrypted database file using whatever mechanism you like, drop box, one drive, etc.

1 more reply

littlecosmic6mo ago

The risk factor is mainly that someone got the password from a web application hack not that they logged into your computer and accessed your password manager. In the web app scenario it is still a second factor.

Aachen6mo ago

If you use a password manager, or another mechanism that makes each password unique and unguessable, the password and the "2FA" seed token are both the same type of secret string, and both are stored on the same disk. There is no added benefit to 2FA if you store the 2FA secret next to the password when both are generated securely

But I'm not saying you should care about this. Everyone can make their own risk assessment, especially if you know about common attacks like the data breaches that you mention

5 more replies

nerdsniper6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

This is trivially true, but also misses some nuance. Not all "1FA" is created equal. A leaked password can be used by any bad actor remotely who has never met you.

Also your computer could itself have a password and disk encryption, so someone who stole it would still need 2 factors: something you have (your physical laptop) + something you know (laptop password).

Regardless, TOTP is not phishing resistant, so I do tend to prefer passkeys but I understand they're problematic in terms of losing access to the devices/clouds with passkeys stored and then what do you do? (Sometimes services have an out-of-band process to prove identity and reset passkeys, but not all do)

nicoburns6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA... that can be fine if that's what you want.

A lot of the time that is what I want. 2FA is pretty overkill for low-importance accounts if you're using a long random password anyway. But some services make it mandatory.

Marsymars6mo ago

I quite like TOTP for this reason - it's much less annoying to autofill TOTP than to retrieve a one-time code from SMS or email.

sceptic1236mo ago

That's not 1FA, it's just not using a separate device as the second factor. There is definitely a decrease in security having the 2FA provider on the same device as the password manager, but it doesn't negate the majority of benefits of 2FA.

prism566mo ago

Yeah isn't the threat vector your password being leaked/cracked. You're still safe here.

The argument can me made that logging into something on your phone isn't 2FA either then...

nicce6mo ago

It is not necessarily 1FA even if just use the laptop.

One password could be leaked and if the password alone gives the access, that is 1FA.

If the combination of two tokens forces the each login require access to that laptop and you need some password to unlock the password vault, this adds 2FA layers to services which are not the password manager.

Aachen6mo ago

The password vault can't be copied? (In unlocked state I mean, same as how they could get the password)

Either your laptop is compromised or the server. In either case, if they get access to the password, they also get access to the 2FA secret if that resides in this vault together with the password. Just a password alone is safer than 2FA alone because that at least gets hashed and isn't stored in plain text on the server side

1 more reply

unethical_ban6mo ago

I happily store all my passwords and OTP in the same vault. Is it slightly riskier than having them separate? Yes. Would having all my passwords stored as a horcrux be safer too? Yes.

Do I still get the security of TOTP as a rotating component of my password to prevent breakins from stolen credentials? Yes.

fulafel6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

In estabilished terminology you don't need multiple independent devices. For example email "magic link" is a common second factor.

Aachen6mo ago

Because it requires access to the email system, that's a separate system even if it's being forwarded so long as you have a valid login to the email server

But, yes, the exact boundary is definitely debatable. It's clearly less secure than a separate token generator that you keep on your body at all times; clearly more secure than no second confirmation at all

gear54rus6mo ago

> you're back to 1FA

Which might be exactly what I need if another dumb website wants me add 2fa where I don't want to.

Considering just making a publicly accessible webpage for those codes at this point lol.

sjs3826mo ago

What you describe in the first paragraph isn't 1FA. There's still two factors—its just on one device.

You're conflating "factors" and devices.

dngray6mo ago

I'd probably use Aegis on android https://github.com/beemdevelopment/Aegis?tab=readme-ov-file#... it's a bit more modern.

aragilar6mo ago

But if you log into your phone with the password and TOTP, is that also not 1FA?

Aachen6mo ago

If both are on your phone, then yes. I should qualify, though, that "people [including me] generally consider mobile OSes safer because the permission model and process isolation is on a whole other level" (quoting myself from https://news.ycombinator.com/item?id=45091618)

oulipo26mo ago

1Password works well too (Canadian company I think)

ezst6mo ago

Some time ago I realised how vulnerable I was keeping all my TOTPs in Authenticator __only__, in the event of losing/breaking my device (and no, there is no way I would sync them to Google cloud). This taught me few things:

- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern

- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.

I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.

¹: https://github.com/scito/extract_otp_secrets

AstralStorm6mo ago

And this is why Aegis has a working encrypted offline backup.

NaomiLehman6mo ago

Yubikeys support Google and other TOTPs too

tigrezno6mo ago

For years I've managed all my TOTP codes with KeepassXC. Not a single problem, great software.

blackbear_6mo ago

Just consider that storing TOTP codes in the password manager negates the advantage of two factors authentication, namely the added security of needing a second device. This would keep your logins safe even if somebody managed to breach your KeePassXC database.

StrLght6mo ago

> negates the advantage of two factors authentication

Like with all things it depends on your threat model.

If your threat model includes risk of leaking all data from your password manager – then yeah, it worsens your security.

Otherwise it still covers all other risks:

1. it makes bruteforce basically impossible

2. it makes phishing harder (assuming that your password manager supports autofill and that it checks domains correctly)

3. it lowers the risks if a single password leaks

1 more reply

hypeatei6mo ago

It doesn't negate the advantage of 2FA. There are so many scenarios that don't involve your entire password manager database being leaked in plaintext. In that case, you likely have much more to worry about considering the attacker has a bunch of places to pivot from (account recovery flows, recovery email accounts, etc..)

wolvesechoes6mo ago

You are allowed to have two separate databases, with different passwords. You can even store them on different devices!

1 more reply

progbits6mo ago

I can recommend the Aegis app for Android. Works great and has encrypted backups.

0x49d16mo ago

Or Ente Auth: https://ente.io/auth. Opensource, encrypted, can be used on any OS, has sync/backup. The problem with using same password manager for OTP is that you kind of loose 2nd factor: 1 app compromised - passwords and OTP are compromised too. My approach is to use password manager's OTP generator for non critical services and dedicated app for the critical ones..

styanax6mo ago

Replied to another comment with the same recommendation before seeing this, here's the URL for those interested:

https://github.com/beemdevelopment/Aegis

graynk6mo ago

I also store them in KeePass, except I have a separate DB for codes that exists only on my phone. I use Keepassium on iPhone, on Android I believe Keepass2Android is pretty good.

promiseofbeans6mo ago

Ente auth is a great free option with sync and apps for every platform. https://ente.io/auth/

They also have a good Google Photos alternative, which is how they make money.

tripdout6mo ago

> The tool outputs the current date and time, so you can double-check that your code won't expire (at :00 seconds) before you get a chance to type it in

A lot of TOTP verifiers often check within ±1 time interval, so you can often just use the first code you see, no need e.g. to wait for it to roll over.

butz6mo ago

The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.

mid-kid6mo ago

At work we use OneLogin, set to require the app. However, it stores a regular TOTP code in the app, it's just encrypted with the android keystore. I had to hook the base64 decoding function on my rooted phone to extract it, and put it in my password manager instead. I've been unable to figure out how to decrypt keystore-encrypted secrets in any other way.

patrakov6mo ago

You could have also used "fridump" [0] to dump the app memory and search for strings that look like TOTP secrets.

[0] https://github.com/rootbsd/fridump3

1oooqooq6mo ago

same with the european commission. they are turning standard otp off and requiring a custom phone only app.

guess they cannot wait for passkeys to tie you to one apple or google account.

wahlis6mo ago

I believe Aegis has you sorted with Steam as well

FinnKuhn6mo ago

Couldn't Steam break this any second though?

1 more reply

mdaniel6mo ago

https://github.com/beemdevelopment/Aegis/blob/v3.4.1/app/src...

> // NOTE: this assumes that a global root shell has already been obtained by the caller

:-/

My recollection when I last tried this stunt is that it's a boatload of nonsense to try and exfiltrate the Steam credential material, and I wasn't able to find any supporting docs in the Aegis nor on their site about any alternative they have to "root your phone and sniff the keys out of the sibling app"

mid-kid6mo ago

I've been storing OTP secrets using `pass`[0] with `pass-otp`[1]. This does the whole symmetric encryption for me using `gpg`, decodes the URL for me to pass it into oathtool, and allows me to share the codes with my phone using Android Password Store[2]. This is all deceptively simple to set up, assuming you have a git server you trust to synchronize the codes with, or some kind of other method using maybe tailscale or syncthing? As long as you don't need the codes on Windows, where the QtPass app is unmaintained and can't generate OTP codes on Windows, you're mostly good.

Oh and I use `zbarimg` to decode the QR, as I've integrated it with my screenshot script and it can decode more than just QR codes.

[0]: https://www.passwordstore.org/

[1]: https://github.com/tadfisher/pass-otp

[2]: https://f-droid.org/packages/app.passwordstore.agrahn/

geoka96mo ago

> This does the whole symmetric encryption for me using `gpg`

gpg actually uses a public/secret key pair with pass which has a pretty cool effect that you don't need to enter your passphrase when adding an entry to the store, because it uses the public key to encrypt.

mid-kid6mo ago

You're right, gpg does asymmetric encryption. Don't know how I got that wrong, lol. But yeah the asymmetric part isn't really used in this context.

cookiengineer6mo ago

I actually built a tool that can do this from camera photos or screenshots. You know, for pentesting purposes :)

https://github.com/cookiengineer/forensics-tools

BallsInIt6mo ago

At least Google lets you export the keys. Authy removed that ability and now Twilio is forever on my shit-list.

theshrike796mo ago

I'm just boring and use 1Password for this along with my passwords.

eek21216mo ago

I wish there was a way to export my codes from Microsoft authenticator on iOS. If anyone knows of a way to do this, please feel free to reply. I would like to move to an open source solution.

mrweasel6mo ago

Learned that the hard way, never ever add ANYTHING to the Microsoft Authenticator app if you can avoid it. It is impossible to migrate to something else.

I had a client where I got a new phone and forgot about the Microsoft Authenticator. Three months later I had to go on site with the client to reset my Authenticator as signups could only be done from their network.

Aachen6mo ago

Keep in mind that perfect is the enemy of good! You don't have to switch all at once. Start adding new tokens to a better manager and see if/when you get around to migrating the ones that are currently locked into Microsoft. That way, the task will get smaller rather than larger over time :)

riedel6mo ago

I also have the same problem, however, I think Microsoft started to use some proprietary protocol wit some challenge / response scheme.

Aachen6mo ago

Yes, Microsoft tries to get you to use their proprietary mechanism by default. You need to click on the "use a different method" link when doing the setup to get a code that is compatible with e.g. Google Authenticator, FreeOTP, and all the other ones

1 more reply

henriks6mo ago

I've been storing TOTP codes in on my Yubikeys for many years now, it works pretty decently. They have an app for it (https://www.yubico.com/products/yubico-authenticator) which has gotten better over the years. For redundancy I've stored keys on two devices.

tedk-426mo ago

Most people don't really know how these TOTP codes work but yeah for the longest time I've just put the plain text secret in a place where I can wrap it with my own golang utility

https://github.com/edify42/otp-codegen

Way easier to open a terminal on my computer and pipe to `pbcopy` and paste it onto the screen.

zimpenfish6mo ago

I did the same for a work code that I have to use multiple times a day - compiled up a standalone binary (with hardcoded TOTP code) using the `otp` crate.

(One nice thing it does is wait for the next number if the expiry is within 5s before outputting the code.)

WhyNotHugo6mo ago

I’ve been using a Yubikey for TOTP codes for years.

When it’s plugged into my laptop, I use a fuzzy-search UI to pick the right credential, tap the Yubikey, and it writes the TOTP code into the focused text field.

There are iPhone and Android apps to generate codes. On iPhone, it works with nfc.

The same device also works for webauthn and for gpg. It has no network capabilities.

8cvor6j844qw_d66mo ago

This reminds me of Steve Gibson storing his 2FA seeds by printing them out [1].

> "Steve: So in my drawer I have all of my QR codes printed."

> "Steve: They're in a safe place. And if it ever comes to the point where I need to set up a new authenticator, not a problem. I just scan the QR codes once again, and we're back in business. So the other thing to look for is an authenticator that will allow you to do that because it is nice to have hard copy backup."

---

I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].

> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."

[1]: https://www.grc.com/sn/sn-921.htm

whartung6mo ago

This is actually an interesting idea.

I have my e.g. GitHub recovery codes printed out. I have to assume that the recovery codes are more flexible, but rescanning the original QR code would be better UX in case of loss simply because GitHub is not involved, they're nevertheless wiser.

But the recovery codes are process agnostic. I imagine they work whether you're using TOTP or any other 2FA mechanic. If GitHub deigns to discontinue support for TOTP, then the printer QR code won't be much help.

In the end, however, I have a piece of paper (or other visual artifact) with security information to manage.

I will keep the persistent QR code concept in my bonnet for potential consideration in the future.

fersarr6mo ago

+1. I stopped using google authenticator when they randomly wiped the app for me and lost all the codes.

eminemence6mo ago

Liked the 'Written by human not by AI' bagde

radu_floricica6mo ago

I get the feeling. Got a pretty bad experience with google when I migrated phones, and it messed up the data for a pretty important app (no damage, because I'm paranoid and have backups). I keep an offline phone with synced Authenticator because of this.

freehorse6mo ago

What is the reasoning that google makes it so complicated to export the TOTPs? Is it just to make it harder to migrate to other authenticators (which does not make much sense because other authenticators just build their tool to import this anyway) or is it just a bad case of "security through obscurity"? I cannot imagine any minimally dedicated attacker that has already put the effort to get the export qr code not being able to actually read it, but it just makes it harder for "common" people to actually get their codes. I remember I had to go through what the article describes to access my TOTPs and migrate to another authenticator.

patrakov6mo ago

There was a misguided line of reasoning that if you can back up a digital artifact, it is no longer eligible as a "something you have" type of security credential.

Earlier versions of Google Authenticator did not have any export functionality at all, and the only way to transfer the codes to a new phone was to use a Google backup of the old phone, which is only possible during the initial setup.

chaz66mo ago

I have said time and time again, keep a copy of the QR code (or the text encoded within) before adding it to an authenticator app. You may find out too late that you cannot recover the keys. You can do this by simply taking a photo or screenshot of the QR code and storing it in a safe place.

Even better, avoid any MFA mechanism that relies on short codes with low entropy. Instead you could use U2F which uses a hardware token in which the key material is designed to be extremely difficult to extract, and requires physical access to the device to even attempt.

plumeria6mo ago

This is the nice thing about keeping it in Keepass XC. The seed is saved as an attribute in the database, you can easily add it to another app if needed.

catlikesshrimp6mo ago

I love the post. I know this is not the topic: There is a google-auth replacement which has appropiate qr scanning and doesn't require any connection permission, in f-droid. I don't know why freeOTP is more popular since it asks for full network permission.

https://fxedel.gitlab.io/fdroid-website/en/packages/org.shad...

andOTP.

daneel_w6mo ago

Go for Aegis if you're on Android, 2FA Authenticator (2FAS) or Authenticator (by Matt Rubin) if you're on iOS.

bramhaag6mo ago

+1 for Aegis. Encrypted backups, easy to import/export multiple formats, and very customizable.

akssri6mo ago

If you use Emacs on GNU-Linux, you can have it run oathtool and copy the code to the clipboard which you can straightaway middle-click-paste.

https://gist.github.com/akssri/92a3b240c89212815a66e86c60eab...

catchafish6mo ago

Can I put a recommendation out there for andOTP?

https://github.com/andOTP

* Open source

* Support for encrypted backups

* It allows you to peek at the previous 30 seconds code (so it doesn't just vanish if you're halfway through typing it)

* Lockable via pin or pass etc

* Filterable views

44za126mo ago

Shameless plug.

I’ve been using a cli tool i had created for over 2 years now, it just works. I had more ideas but never got to incorporate those.

https://github.com/44za12/horcrux

tedk-426mo ago

6 years for me if we're counting :)

https://github.com/edify42/otp-codegen

44za126mo ago

Love the minimalism.

jqpabc1236mo ago

If it has a "Google" label, it's not in your best interests and best avoided. This is just another in a long list of examples and confirmations of this fact.

The solution to most 2FA/TOTP issues (including the one described here) is Stratum. It offers a full array of import and exports features (with or without strong encryption) including the ability to import directly from Google's user-hostile abandon ware.

https://stratumauth.com/

anonymousiam6mo ago

I've been waiting for this for years. I'll put this in a VM for some isolation, and I'll have more security and more convenience.

nabogh6mo ago

I actually write down the secret for all my totp codes in a notebook as a backup

Arch-TK6mo ago

I'd be more curious to know what the traffic data google maps alternative is.

frizlab6mo ago

He’s asking for one, he does not have one.

I use (Apple) Maps, personally.

j / k navigate · click thread line to collapse

135 comments

Aachen6mo ago

That can be fine if that's what you want, but if you wanted 2FA:

- FreeOTP: https://f-droid.org/packages/org.fedorahosted.freeotp

- someone forked that and called it FreeOTP+: https://f-droid.org/packages/org.liberty.android.freeotpplus

- FreeOTP again but from the dark side of the internet: https://play.google.com/store/apps/details?id=org.fedorahost...

- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust

ori_b6mo ago

Phishing/bulk password dumps are more common issues than device theft.

bkettle6mo ago

1 more reply

dngray6mo ago

> If you log into accounts from your phone, that's also 1fa in the same way.

Not quite, there's a lot more sandboxing on phones than what might go on with desktop.

2 more replies

lokar6mo ago

If you have a Mac, what about using keychain? It has a cli/api and is protected by the Secure Enclave (so 2nd factor to unlock that)

1 more reply

philipwhiuk6mo ago

Or rather, the people interested in phone/device theft aren't expecting and aren't after your TOTP keys.

styanax6mo ago

[1] https://github.com/beemdevelopment/Aegis

zeta01346mo ago

5 more replies

com2kid6mo ago

1 more reply

littlecosmic6mo ago

Aachen6mo ago

But I'm not saying you should care about this. Everyone can make their own risk assessment, especially if you know about common attacks like the data breaches that you mention

5 more replies

nerdsniper6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

This is trivially true, but also misses some nuance. Not all "1FA" is created equal. A leaked password can be used by any bad actor remotely who has never met you.

nicoburns6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA... that can be fine if that's what you want.

A lot of the time that is what I want. 2FA is pretty overkill for low-importance accounts if you're using a long random password anyway. But some services make it mandatory.

Marsymars6mo ago

I quite like TOTP for this reason - it's much less annoying to autofill TOTP than to retrieve a one-time code from SMS or email.

sceptic1236mo ago

prism566mo ago

Yeah isn't the threat vector your password being leaked/cracked. You're still safe here.

The argument can me made that logging into something on your phone isn't 2FA either then...

nicce6mo ago

It is not necessarily 1FA even if just use the laptop.

One password could be leaked and if the password alone gives the access, that is 1FA.

Aachen6mo ago

The password vault can't be copied? (In unlocked state I mean, same as how they could get the password)

1 more reply

unethical_ban6mo ago

I happily store all my passwords and OTP in the same vault. Is it slightly riskier than having them separate? Yes. Would having all my passwords stored as a horcrux be safer too? Yes.

Do I still get the security of TOTP as a rotating component of my password to prevent breakins from stolen credentials? Yes.

fulafel6mo ago

> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

In estabilished terminology you don't need multiple independent devices. For example email "magic link" is a common second factor.

Aachen6mo ago

Because it requires access to the email system, that's a separate system even if it's being forwarded so long as you have a valid login to the email server

gear54rus6mo ago

> you're back to 1FA

Which might be exactly what I need if another dumb website wants me add 2fa where I don't want to.

Considering just making a publicly accessible webpage for those codes at this point lol.

sjs3826mo ago

What you describe in the first paragraph isn't 1FA. There's still two factors—its just on one device.

You're conflating "factors" and devices.

dngray6mo ago

I'd probably use Aegis on android https://github.com/beemdevelopment/Aegis?tab=readme-ov-file#... it's a bit more modern.

aragilar6mo ago

But if you log into your phone with the password and TOTP, is that also not 1FA?

Aachen6mo ago

oulipo26mo ago

1Password works well too (Canadian company I think)

ezst6mo ago

- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern

- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.

I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.

¹: https://github.com/scito/extract_otp_secrets

AstralStorm6mo ago

And this is why Aegis has a working encrypted offline backup.

NaomiLehman6mo ago

Yubikeys support Google and other TOTPs too

tigrezno6mo ago

For years I've managed all my TOTP codes with KeepassXC. Not a single problem, great software.

blackbear_6mo ago

StrLght6mo ago

> negates the advantage of two factors authentication

Like with all things it depends on your threat model.

If your threat model includes risk of leaking all data from your password manager – then yeah, it worsens your security.

Otherwise it still covers all other risks:

1. it makes bruteforce basically impossible

2. it makes phishing harder (assuming that your password manager supports autofill and that it checks domains correctly)

3. it lowers the risks if a single password leaks

1 more reply

hypeatei6mo ago

wolvesechoes6mo ago

You are allowed to have two separate databases, with different passwords. You can even store them on different devices!

1 more reply

progbits6mo ago

I can recommend the Aegis app for Android. Works great and has encrypted backups.

0x49d16mo ago

styanax6mo ago

Replied to another comment with the same recommendation before seeing this, here's the URL for those interested:

https://github.com/beemdevelopment/Aegis

graynk6mo ago

I also store them in KeePass, except I have a separate DB for codes that exists only on my phone. I use Keepassium on iPhone, on Android I believe Keepass2Android is pretty good.

promiseofbeans6mo ago

Ente auth is a great free option with sync and apps for every platform. https://ente.io/auth/

They also have a good Google Photos alternative, which is how they make money.

tripdout6mo ago

> The tool outputs the current date and time, so you can double-check that your code won't expire (at :00 seconds) before you get a chance to type it in

A lot of TOTP verifiers often check within ±1 time interval, so you can often just use the first code you see, no need e.g. to wait for it to roll over.

butz6mo ago

The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.

mid-kid6mo ago

patrakov6mo ago

You could have also used "fridump" [0] to dump the app memory and search for strings that look like TOTP secrets.

[0] https://github.com/rootbsd/fridump3

1oooqooq6mo ago

same with the european commission. they are turning standard otp off and requiring a custom phone only app.

guess they cannot wait for passkeys to tie you to one apple or google account.

wahlis6mo ago

I believe Aegis has you sorted with Steam as well

FinnKuhn6mo ago

Couldn't Steam break this any second though?

1 more reply

mdaniel6mo ago

https://github.com/beemdevelopment/Aegis/blob/v3.4.1/app/src...

> // NOTE: this assumes that a global root shell has already been obtained by the caller

:-/

mid-kid6mo ago

Oh and I use `zbarimg` to decode the QR, as I've integrated it with my screenshot script and it can decode more than just QR codes.

[0]: https://www.passwordstore.org/

[1]: https://github.com/tadfisher/pass-otp

[2]: https://f-droid.org/packages/app.passwordstore.agrahn/

geoka96mo ago

> This does the whole symmetric encryption for me using `gpg`

mid-kid6mo ago

You're right, gpg does asymmetric encryption. Don't know how I got that wrong, lol. But yeah the asymmetric part isn't really used in this context.

cookiengineer6mo ago

I actually built a tool that can do this from camera photos or screenshots. You know, for pentesting purposes :)

https://github.com/cookiengineer/forensics-tools

BallsInIt6mo ago

At least Google lets you export the keys. Authy removed that ability and now Twilio is forever on my shit-list.

theshrike796mo ago

I'm just boring and use 1Password for this along with my passwords.

eek21216mo ago

I wish there was a way to export my codes from Microsoft authenticator on iOS. If anyone knows of a way to do this, please feel free to reply. I would like to move to an open source solution.

mrweasel6mo ago

Learned that the hard way, never ever add ANYTHING to the Microsoft Authenticator app if you can avoid it. It is impossible to migrate to something else.

Aachen6mo ago

riedel6mo ago

I also have the same problem, however, I think Microsoft started to use some proprietary protocol wit some challenge / response scheme.

Aachen6mo ago

1 more reply

henriks6mo ago

tedk-426mo ago

Most people don't really know how these TOTP codes work but yeah for the longest time I've just put the plain text secret in a place where I can wrap it with my own golang utility

https://github.com/edify42/otp-codegen

Way easier to open a terminal on my computer and pipe to `pbcopy` and paste it onto the screen.

zimpenfish6mo ago

I did the same for a work code that I have to use multiple times a day - compiled up a standalone binary (with hardcoded TOTP code) using the `otp` crate.

(One nice thing it does is wait for the next number if the expiry is within 5s before outputting the code.)

WhyNotHugo6mo ago

I’ve been using a Yubikey for TOTP codes for years.

When it’s plugged into my laptop, I use a fuzzy-search UI to pick the right credential, tap the Yubikey, and it writes the TOTP code into the focused text field.

There are iPhone and Android apps to generate codes. On iPhone, it works with nfc.

The same device also works for webauthn and for gpg. It has no network capabilities.

8cvor6j844qw_d66mo ago

This reminds me of Steve Gibson storing his 2FA seeds by printing them out [1].

> "Steve: So in my drawer I have all of my QR codes printed."

---

I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].

> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."

[1]: https://www.grc.com/sn/sn-921.htm

whartung6mo ago

This is actually an interesting idea.

In the end, however, I have a piece of paper (or other visual artifact) with security information to manage.

I will keep the persistent QR code concept in my bonnet for potential consideration in the future.

fersarr6mo ago

+1. I stopped using google authenticator when they randomly wiped the app for me and lost all the codes.

eminemence6mo ago

Liked the 'Written by human not by AI' bagde

radu_floricica6mo ago

freehorse6mo ago

patrakov6mo ago

There was a misguided line of reasoning that if you can back up a digital artifact, it is no longer eligible as a "something you have" type of security credential.

chaz66mo ago

plumeria6mo ago

This is the nice thing about keeping it in Keepass XC. The seed is saved as an attribute in the database, you can easily add it to another app if needed.

catlikesshrimp6mo ago

https://fxedel.gitlab.io/fdroid-website/en/packages/org.shad...

andOTP.

daneel_w6mo ago

Go for Aegis if you're on Android, 2FA Authenticator (2FAS) or Authenticator (by Matt Rubin) if you're on iOS.

bramhaag6mo ago

+1 for Aegis. Encrypted backups, easy to import/export multiple formats, and very customizable.

akssri6mo ago

If you use Emacs on GNU-Linux, you can have it run oathtool and copy the code to the clipboard which you can straightaway middle-click-paste.

https://gist.github.com/akssri/92a3b240c89212815a66e86c60eab...

catchafish6mo ago

Can I put a recommendation out there for andOTP?

https://github.com/andOTP

* Open source

* Support for encrypted backups

* It allows you to peek at the previous 30 seconds code (so it doesn't just vanish if you're halfway through typing it)

* Lockable via pin or pass etc

* Filterable views

44za126mo ago

Shameless plug.

I’ve been using a cli tool i had created for over 2 years now, it just works. I had more ideas but never got to incorporate those.

https://github.com/44za12/horcrux

tedk-426mo ago

6 years for me if we're counting :)

https://github.com/edify42/otp-codegen

44za126mo ago

Love the minimalism.

jqpabc1236mo ago

If it has a "Google" label, it's not in your best interests and best avoided. This is just another in a long list of examples and confirmations of this fact.

https://stratumauth.com/

anonymousiam6mo ago

I've been waiting for this for years. I'll put this in a VM for some isolation, and I'll have more security and more convenience.

nabogh6mo ago

I actually write down the secret for all my totp codes in a notebook as a backup

Arch-TK6mo ago

I'd be more curious to know what the traffic data google maps alternative is.

frizlab6mo ago

He’s asking for one, he does not have one.

I use (Apple) Maps, personally.

j / k navigate · click thread line to collapse