You went to Authy? That was my mistake too (finally requested account deletion yesterday). Read their privacy policy again.
I suggest Aegis, if you don't like the UI of andOTP/freeOTP, but make sure to export a backup and save it somewhere.
I'm not sure if it fits your needs, but I use Aegis on my Android phone and so far it's been awesome. It is fully open source and works offline.
Here: https://getaegis.app/
Well I consider KYC anything that identifies you in an accurate way as an individual.
E-mail is not considered KYC because you can use any email you want. For example you can use simplelogin.io and you will never give your actual mail.
Google 2FA is not KYC, as TOTP is an open protocol and you can use many apps; you don't need the Google app. I would recommend you use Aegis.
Some suggestions
Password manager https://keepassxc.org/ (also has 2FA)
2FA Android: https://getaegis.app/ , https://github.com/beemdevelopment/Aegis
No 3rd-party service involved; using services is considered an out-of-your-possession scenario and a possible exposure and compromise.
Perhaps start taking responsibility for your own data, security and privacy instead of handing it out to 3rd party services every time.
First and foremost I think you should set some time aside and read through EFF's Surveillance Self-Defense and poke around the rest of their site. I cannot deduce from this post what your threat model is and without that you will not be able to arrive at a coherent plan.
Like, is there a reason why you think you might lose all your belongings, including things that would generally be on your person? In this scenario are these things totally destroyed or merely unavailable to you? If you think someone might take your stuff then maybe it makes sense to learn about encryption and such. But that is totally different than avoiding spam.
You might find /r/privacy helpful. Some people there are Too Much, but just ignore them.
I use an email host with unlimited aliases to keep things separate. Here is a chart of many email hosts; look at it to find out which one you like.
For junk use a redirect service like /r/anonaddy, simplelogin or 33mail.
Password manager: bitwarden. Free and open source software you can /r/selfhost if you want to, but personally I think it's better left to the pros. Some people use KeepassXC and sync themselves but I found it to be a pain in the ass.
2FA upgrade in bitwarden +/or Aegis (if on android). Don't forget to back up the database. I email the file to myself periodically in an encrypted account used just for that.
I recommend Aegis if you are on Android. It is open source and supports backups.
As for moving 2FA codes to Bitwarden, it is up to you. It is a convenience feature that most password managers have, and there is plenty of discussion about it. I would recommend you go through it and decide for yourself what is best for you. The main takeaway from those discussions is that you will still benefit from the increased protection of TOTP, but you will lose the second factor, because anyone who has access to your vault also has access to your TOTP codes.
Whatever you end up deciding, make sure you have 2FA enabled and have a unique and strong password for your Bitwarden account.
> You export from Google authenticator
Until pretty recently this wasn't even possible on Google Authenticator, it was tied to your Google Account.
My advice is to use a better, separate, open-source alternative like Aegis (available on Google Play and F-Droid): their export feature has been available for years, they have an import feature for the major authenticator apps you might already use, it's not dependent on cloud storage, and you can categorize providers.
I use a 2FA app rather than SMS (In my case Aegis, but there are a lot of good ones.)
That way, someone needs to have actual, physical access to my phone as well as the password for the 2FA app to be able to get into any accounts. Everything important (Cryptos, Email, Bank and anything attached to it like Amazon) goes through that and not just by SMS. :)
Hi, if you're referring to the OTP app for SPID, I used this guide to have Aegis Authenticator generate the code.
According to its website (https://getaegis.app/):
"Aegis Authenticator can create automatic backups of the vault to a location of your choosing. If your cloud provider supports the Storage Access Framework of Android (like Nextcloud does), it can even create automatic backups to the cloud. Creating manual exports of the vault is also supported."
Good point! For the lay user it may be more advisable to have two 2FA methods (such as TOTP and SMS), but if you are a more advanced user and make backups frequently, this is no longer a big concern.
What makes me wary of using SMS or e-mail for authentication is the privacy issue. A few years ago I became interested in the subject and made the "mistake" of discovering r/privacy. When it comes to 2FA, people there tend to strongly recommend the Aegis app.
There's a basic alternative, andOTP I think or something; I just haven't used it but heard it's good. I've found the security and usability of Aegis to be second to none. No more Google Authenticator or crap.
I think of Bitwarden as my sword and Aegis as its sheath. Use 2FA to protect your password manager, lest it flail about cutting objects in your vicinity randomly. Ok, maybe this analogy doesn't work. But I highly recommend Aegis as it has the same open source ethos as Bitwarden, attention to design (even their homepage is well-kept), and, importantly, is a separate app. I don't want someone with access to just one of the two to have access to the other, which is the original reason to use 2FA.
Welcome to the dark side, we have ~~cookies~~ password managers!
> How has the cloud worked for you?
Pretty good!
I use a strong password and I take regular backups of my vault.
Worst case scenario, I'll be able to import my vault into another password manager.
> What methods of 2fa do you use?
Aegis Authenticator.
Another great open source app.
> How long have you had Bitwarden?
I've been using BW for ~ 1 year now, before BW I used KeePassXC.
> What passwords do you normally salt?
I'm not sure what you meant by salt, but all of my passwords are randomly generated (even my emails, I use unique and randomly generated email aliases for each account) and stored in BW.
> have you had any issues with the service?
I created and deleted multiple BW accounts, exported and imported my vault multiple times, used my vault on multiple devices (Desktop App, CLI and Android App) at the same time, and I have over 600 entries (logins, notes and cards).
Not a single issue so far!
BW is one of the few apps that I can't live without anymore.
Also I'm very happy that I was able to convince some of my family and friends to use it, I've only got good feedback from them and they all found it easy to use.
There's really no need to have yet another TOTP app. I recommend the following FOSS app for Android:
Like others mentioned, you can also store your TOTP tokens in your password manager like Keepassxc or Bitwarden, if you already use one (you should!). Just know that if your password manager or your credentials for it are ever compromised, that alone would suffice to gain access to all of your accounts, since it will contain both passwords and 2FA secrets. I personally like to keep my 2FA in Aegis, while storing all passwords in Keepassxc / browser.
You have to enter YOUR email address with which you registered, not the activation email. And if you do not know how to use 2fa then please read https://authy.com/what-is-2fa/ and I recommend you to use aegis as your authenticator https://getaegis.app/
I wouldn't rely on anything Google's implemented for what appears to be a temporary transfer to be permanent here. If you're familiar with how Discord logs on, seems like a similar system - the QR code is a temporary token, and scanning it from another device provides authentication.
While it's a pain, to be certain you have backups you will need to back up each account's QR code somehow. I would recommend taking that as an opportunity to put the codes into another TOTP app, such as Aegis (100% free/open source/I'm not affiliated), which allows you to back up your codes.
Just about losing the 2FA, I suggest to use something like Aegis (https://getaegis.app) next time. It allows you to backup the codes, including the qr codes. I do regular backups and store them on a separate storage, just in case.
Well, you can check logs like others suggested to know what entries are being blocked while taking backups. Other than that
I highly recommend you use Aegis Authenticator. It's open source, with offline backup support, and you can import other authenticators' data into it in 1 click...
I store them in my password manager. I also backup my Aegis database to my laptop, so I always have at least 2 different devices from which I can obtain codes.
I forgot about Aegis, this app is open source and also offers backing up your passwords to the cloud service of your choice:
> To make sure you will never lose access to your online accounts, Aegis Authenticator can create automatic backups of the vault to a location of your choosing. If your cloud provider supports the Storage Access Framework of Android (like Nextcloud does), it can even create automatic backups to the cloud. Creating manual exports of the vault is also supported.
Then you will have reduced your authentication from two factors to one factor back again.
Not sure if this is best practice, but I personally never use backup codes. I store my TOTPs in Aegis, and sync its encrypted export with my other devices using Syncthing, in case my phone is broken or lost.
If anyone reading this is looking for an Android authenticator, Aegis is completely open source and I've had nothing but good things to say about it throughout the time I've used it.
You can store TOTP seeds in multiple locations. Use Aegis or similar to scan the seeds, export the data, store it wherever, use something like totp-cli to generate the TOTPs when you're logging in.
Understanding, of course, that spreading your TOTP seeds around can introduce risks and reduce the security of the solution to 1FA.
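The two points made in this thread, that a vault containing your TOTP secrets collapses "something you have" into "something you know" (the Bitwarden discussion above), and that an exported seed can be fed to any generator such as totp-cli (the comment just above), both follow from how TOTP works: the code is a pure function of the shared secret and the current time. The following added example (not code from Aegis, Bitwarden or any tool named on this page) implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and parses the `otpauth://` URI format that authenticator apps encode in their QR codes, so a practitioner can see exactly what an exported seed lets its holder do. The URI contents and the RFC test-vector secret used in it are constructed for the demonstration; the helper names (`hotp`, `totp`, `parse_otpauth`, `code_from_uri`) are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte selects a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time=None, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, digits, algorithm)


def decode_base32(s: str) -> bytes:
    """Seeds in otpauth URIs are base32, often unpadded and sometimes space-separated."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://{totp,hotp}/LABEL?secret=...&issuer=...&digits=...&period=...&algorithm=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(u.path.lstrip("/"))
    # Label is "Issuer:account" or just "account"; the issuer query parameter wins if present.
    issuer, _, account = label.partition(":") if ":" in label else ("", "", label)
    return {
        "type": u.netloc,
        "issuer": params.get("issuer", issuer),
        "account": account,
        "secret": decode_base32(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "counter": int(params.get("counter", 0)),
    }


def code_from_uri(uri: str, for_time=None) -> str:
    """Everything needed to mint a valid code is in the URI: whoever holds it holds the factor."""
    e = parse_otpauth(uri)
    if e["type"] == "hotp":
        return hotp(e["secret"], e["counter"], e["digits"], e["algorithm"])
    return totp(e["secret"], for_time, e["period"], e["digits"], e["algorithm"])


# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890" in base32,
# wrapped in the URI shape an authenticator app exports. Not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["issuer"], entry["account"], entry["digits"], entry["period"])
    print("code at t=59 (RFC 6238 vector):", code_from_uri(SAMPLE_URI, 59))
    print("code right now:", code_from_uri(SAMPLE_URI))
```

The parser accepts anything that contains the seed; no password, device or biometric enters the computation. That is the whole argument for keeping the seeds (and their backups) apart from the password vault: a backup is only as strong as the encryption and storage around the export, and anything that can read the export can answer the 2FA challenge.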
It would be better to store the passwords and 2FA codes separately, just so there is not a single point of failure, however unlikely it may be. Personally, I encrypt the 2FA tokens and store them in my encrypted notes app; I then use Aegis on Android and alternate apps for other platforms.
For me, it is important to keep my 2FA easily accessible, since I'm constantly using it, but also I do want them to be as separate as possible from any passwords
My backup codes are not stored electronically. Instead I used a simple cipher to obscure them and hand-wrote them in a notebook, hidden among a bunch of random letters and numbers, and I keep the notebook somewhere safe and well-hidden. That may be overkill, but since my 2FA tokens are backed up, I've never once needed to use the recovery codes, so they don't need to be super accessible.
If you have an Android device try out Aegis.
It's totally offline, supports db encryption and backup, import from other such apps, and codes with different lengths, refresh times and algorithms (including Twitch and Steam custom setups).
It's also open source, also available on F-droid, they're active on GitHub and reacting quickly to new issues
> I'm in the same boat, and honestly have to ask: who pays for that?
I wonder that too. What I also wonder: what do we do with all this e-waste? The throwaway society is simply irresponsible in many respects. I try to use my smartphones with LineageOS for as long as possible. For example, I had my Galaxy S3 for about 5 years; I've had my Mi Mix 2S for 2 years now and it will probably last a while longer.
The next smartphone I get will probably be a Pinephone. Costs <200€ and is based on Linux, so unlimited updates and arbitrarily strong security.
> not much knowledge about which Android devices are how good
Yes, that's really crappy. I also have to research for hours every time. By now my modus operandi is: if there's no open operating system, or one in prospect because one of the predecessors had LineageOS for example, it doesn't get bought. "No Tux, no bucks"; there's also /r/lineageOS, where you can get advice.
> what about getting authenticators onto the new phone?
I often wonder that too. Which ones do you mean? If it's about Google Authenticator: don't use it, install Aegis instead. It can do backups.
A fingerprint is not the equivalent of a PIN, it is more like a username. A PIN you can change, a fingerprint you can not and it is something you leave on anything you touch.
Aegis does allow biometric unlock
I am unsure how Microsoft authenticator would be more secure than Authy, as both are (as far as I am aware) proprietary applications for HOTP/TOTP 2FA use. Instead, I would choose a libre/open source alternative. What platform(s) do you need to run the authenticator upon?
While there are options for Desktop (Win/MacOSX/Linux) OS use, the most common use cases for applications generating 2-Factor Authentication One Time Passwords are typically mobile. I don't use iOS so I won't speak on it, save that I've read there are libre/open source options there too, but I am familiar with those on Android.
FreeOTP+, andOTP, and Aegis Authenticator are the three stand-alone auth apps that are updated with frequency and have a good feature set. Overall, they'll all likely do what you need and have significant feature overlap but I listed them in order of increasing preference, with Aegis being the top choice at current. Aegis offers encrypted database, the ability to set a separate password (and/or biometric) to access it, and perhaps most importantly multiple import/export/backup functions (including compatibility with the other two listed) for your 2FA pairings, making it easier to change devices and the like without having to manually deactivate and reactivate 2FA etc.
Aegis Authenticator's homepage is - https://getaegis.app/ - which provides more information. It is available via Google Play, manual APK download and install from Github, and F-Droid, offering multiple methods to acquire the app itself.
Hope this helps!
P.S. Password managers KeePassDX and (possibly, with self-host or Premium subscription on official hosted) BitWarden can also generate 2FA codes of the common HOTP/TOTP types, providing other options for those who want a comprehensive password management suite vs a stand-alone authentication app.