welp
this post was submitted on 05 Jul 2024
1 points (100.0% liked)
Technology
59587 readers
2940 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Does anyone have a suggested alternative for authy?
I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:
Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.
At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.
I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don't even need to self host anything, there is nothing to host.
Not everything needs to be "in the cloud". I think this event illustrates nicely why.
This is specifically a scenario where I'm starting from a single blank device because I've just been robbed on the other side of the planet.
Edit: for added weight, I've been in this exact scenario. I was able to get my ESIM reprovisioned to a new phone and recover everything within a day. I don't want to replace authy with a solution that doesn't cover that scenario
Well I thought this was kinda obvious what I meant, but I guess not. What you say is a requirement (sms recovery of a cloud account) is just one of many solutions to your specific problem. I'll just list off a few solutions below that involve neither SMS (the most insecure communication method in common use today) and only optionally a cloud account. For cimplicity sake I'll stick to Aegis, where you can create password-protected local backups you can then put wherever you want. This password needs to be very strong for obvious reasons: I would recommend a long sentence (40 characters or more) that you can just remember, like a quote from a movie/tv show/book/poem or something, including normal punctuation as a sentence for example.
Solution 0: This is more of a trivial solution I wouldn't actually recommend. You can allow account recovery via eMail and have your eMail not use 2fa, but a long/good password so you can login from memory (see above). This is probably more secure than SMS for the recovery-case, but less secure for the everyday use case of eMail, therefore "not recommended".
Solution 1: USB Sticks are tiny, as in the size of a USB port (slightly longer but slimmer for USB-C). If you want to have a backup "on you", I'm sure you can find a place where it wouldn't get robbed with the phone/wallet. A tiny pocket somewhere, a string around your ankle, make a compartment in your shoe, or just have it with your luggage at the hotel. I'm sure you get the point. You get your new phone, you plug in the USB, you install Aegis and restore the backup.
Solution 2a: Dedicated "online" storage. This can be self hosted, or a free account of any cloud provider, but the important part is that it does NOT require 2FA and you do NOT use it for anything else. You have the backup in there. It also needs a very secure password (again: long, but easy to remember, no garbled letter nonsense), but obviously not the same as the Aegis-Backup. So you now need to remember 2 long passwords. You get your new phone, you log in, get the backup and proceed as usual.
Solution 2b: If not having 2FA is not an option for the solution above, you can have a friend/family store the 2FA on his phone. To log in, you go to the login page and enter your password (which your friend doesn't need to know), and you ask him over the phone for the current 2FA-Code, which he tells you and you can log in, download the backup and proceed as above. I assume such a high security isn't that critical, since you have been using something involving SMS. Restore then goes as per usual.
Solution 3: Store the whole backup with a friend and when you need it he just temporarily puts it somwhere you can access, and removes it again after. Since the backup is protected by a monster of a password, and the accessibility is temporary anyway, this isn't security critical.
Solution 4: If you absolutely must, you can find a cloud-provider for 2FA, and use it only as the "first stage". The only 2FA code in there is the one you need to get access to your main online storage/account where you then have your real Aegis-Backup and/or other files. Obviously this service would need to allow you to login without 2FA, and the usual password rules resulting fom that apply. You can just add the 2FA of your primary service to more than 1 app or service, or if it allows for this, you can generate multiple authenticators so you can also revoke them serperately if needed.
load more comments
(5 replies)
load more comments
(2 replies)
I use Aegis, which I periodically back up manually off phone.
(reposted from another comment mentioning aegis)
Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.
I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.
Oh, in that case it's not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.
I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.
load more comments
(1 replies)
Sames, aegis ftw
2FAS
This is a new one to me, but a quick look at their homepage doesn't seem to suggest SMS support as per my deal-breaker scenario—could you point me to the docs describing that functionality?
This. Superior in any way to authy.
Bitwarden has 2FA built in, and you can host it yourself if you want.
I've looked into this before and unfortunately it doesn't support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?
Oops, missed that part. Not that I know of, though SMS is a terrible way to do 2FA. It annoys me so many businesses and banks use it.
I agree it's much worse than using a modern OTP app, but I need a way to access my OTP database when the only form of digital identity I have access to is my phone number.
Authy currently supports this scenario for me (with a load of checks, it doesn't happen instantly), so I would require a like for like replacement
Bitwarden has a 2FA recovery code possible so you could use a unlabeled hard copy of the code. It cycles after every use so it would get you one recovery and doesn't use SMS so it's immune to SMS shenanigans.
load more comments
(1 replies)
load more comments
(2 replies)
I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source
I highly recommend 1Password. It's cross platform, including Linux, and it's not only a great and sort l super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.
Everything is full encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.
load more comments
(4 replies)
'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.
Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
It's the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other, is using the system exactly as it was programmed.
Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended.
Sure. Except you're wrong and have absolutely idea of what people in this community say about things. Let me be a dick and literally googz this for you and find an embarassing answer because you couldn't do it yourself.
load more comments
(4 replies)
load more comments
(5 replies)
With due respect, you are wrong.
hack
...
- (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Exactly what this is. Read the disclosure. What about your response doesn't fit that?
They did not do it by manipulating code. This wasn't the result of a code vulnerability. If you leave the door wide open with all your stuff out for the entire neighbourhood to see, you can't claim you were "broken into". Similarly, if you don't secure your endpoints, you can't claim you were "hacked".
load more comments
(10 replies)
With due respect, you are wrong.
hack
...
- (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Hint -- by manipulating or exploiting its code
Which I am explaining, they...did...not...do...
They did nothing to the code. They didn't break the code, they didn't cause the code to do anything it wasn't designed to do. They did not exploit any code. They used an API endpoint that was in the open. For its intended purpose, to verify phone numbers. The api verified phone numbers, they verified phone numbers.
You're arguing with someone who was agreeing with you 😑
load more comments
(2 replies)
This isn't about being pedantic but sure, mate.
load more comments
(1 replies)
Why does it require a phone number to use?!
They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.
Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack
load more comments
(3 replies)
Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
This isn't about you and your silly follies
GA now backups your codes in your Google account, so this doesn't happen anymore.
load more comments
(2 replies)
Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
I've started putting mine into my Bitwarden vault as well as Google auth, mainly because I'm a bit paranoid I'll wind up locked out of something by trusting a second factor too much
load more comments
(2 replies)
I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.
I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.
Call my job and tell them this please. I have to use this shite everyday and it sucks.
load more comments
(1 replies)
I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.
Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.
load more comments
(1 replies)
view more: next ›