Thanks for sharing!
Consider AndOTP over Authy. Open source, great features, and puts you in total control of your secrets backup.
Importantly for me (after having my phone stolen some months ago) it also lacks Authy's cloud-based recovery feature, which could potentially be exploited by an attacker. I personally used it to recover on my new phone and, well, let's just say it was a little too easy and convenient for my liking.
>TOTP
I recommend AndOTP. It supports both TOTP and HOTP. It lets you create a backup so that you can use it on any device and it's open-source which means anyone can contribute to it.
https://github.com/andOTP/andOTP
Hi, I'm the dev of andOTP. Let me try and answer your questions:
I hope that could answer your questions. Feel free to ask anything else you still want to know.
Blizzard uses the default TOTP algorithm, just with 8 digits instead of 6. The only complicated thing is getting the shared secret for your account, you can find a tutorial here: https://github.com/andOTP/andOTP/wiki/Shared-secrets
I store my 2fa codes in my bitwarden premium vault, but it does more than 2fa. I see a lot of people recommend Authy for 2fa. I have also used andOTP and think it's good, it's free and open source.
There is a collection of scripts for that purpose in the Github wiki. Most of them require a PC with adb and root access on your phone. I haven't tried any of them myself, so I don't know how well any of them work.
Fingerprint is a bit of a risk, because some devices have a fairly secure TrustZone implementation and some don't.
AndOTP encrypts your storage with pin or Android KeyStore, so it can't be accessed by other apps or copied from storage with debugging tools.
2FA works by having a shared secret (a long password) between you and the service you are using and generating the codes from it; this shared secret is encoded in the QR code you scan. In general they are stored in a root folder. For bnet you can use https://github.com/jleclanche/python-bna to recover it using the recovery code. For Steam read https://github.com/andOTP/andOTP/wiki/Special-features.
Please do not mess with forces you don't understand: having the shared secret in the open could compromise your 2FA security. They are safe in andOTP; it is just that the intermediate steps are kind of a mess, particularly for Steam.
There are multiple developers working on andOTP and we are all doing it independently so there is not one way to donate to the whole project currently. You can find the info in the Readme on Github: https://github.com/andOTP/andOTP#contribute
I'm using [andOTP](https://github.com/andOTP/andOTP/) on my phone and it works great. Open-source, you can backup your 2FA database and avoid being a dumbass like me that forgot Authy PIN and lost a bunch of 2FA credentials.
I have the same problem... and the professional account section does not appear without Google Play Services in the Microsoft Authenticator app. Any alternative?
I found this 😰
https://github.com/andOTP/andOTP/issues/374
https://github.com/freeotp/freeotp-android/issues/109
Unfortunately you'd probably have to disable then re-enable your 2fa with it. Porting between apps AFAIK doesn't work too well. The source code for it can be found here and there's links to it on google play store and fdroid on there.
The problem with Steam is that you need to manually extract your account's "shared secret" before you can enter it into a 3rd-party 2FA app like andOTP or Aegis.
We have a short howto in our wiki: https://github.com/andOTP/andOTP/wiki/Shared-secrets#steam
If you want to uninstall the official app after you get the shared secret, please verify that the app you use displays the same code as the official Steam app before you do so!
After a bit of googling, I stand corrected on the SMS suggestion. That being said, if someone knows your student ID and can manage to answer one security question, they have access to everything despite the authenticator. I'm gonna start using andOTP; it looks like the best open source option: https://github.com/andOTP/andOTP
If you have android I suggest andOTP over google auth. Google doesn't need more data. andOTP is open source, in the f droid store, and actively maintained. You can create backups and restore on multiple devices to have them all synced. https://f-droid.org/packages/org.shadowice.flocke.andotp
>That Steam doesn't rely on the open protocol for its 2FA but forces the use of its own app stinks too.
Steam's OTP implementation is also supported by a few other authenticator apps. For example, I use andOTP on my phone and the password manager KeepassXC on the desktop. Both can generate Steam's OTP codes.
You can use andOTP but it isn't officially supported. Trade confirmations will not work either since that's a different thing.
https://github.com/andOTP/andOTP/issues/38#issuecomment-337139637
Use at own risk.
FreeOTP is open source and free, but it hasn't been updated in a while; that means that while the app may be generally privacy-respecting, it probably isn't that secure since it's quite outdated. Instead, try to look for newer alternatives like andOTP.
It currently doesn't support it, but there is an open issue for it on Github. If you have a little experience with Python scripts there is a workaround in the last comment.
andOTP is open source, lets you sort/filter your codes using tags, allows you to export (PGP or password) encrypted backups, and also lets you display the QR code to quickly export to another device.
While official support would be nice, you can already extract the secret from the Steam Mobile Authenticator and use it with andOTP & Aegis.
https://github.com/andOTP/andOTP/wiki/Special-features
Aegis even lets you import it directly from the Steam App.
Note however that you will need to be rooted.
Oh, I'd also like to bring up andOTP as another alternative. It lets you export the OTP key backups to a file, and people have written tools for it which allow you to migrate your OTP keys from Authy and Google Authenticator if you have a rooted phone.
> double-auth which is kind of a mess if you get your smartphone stolen
You should look into andOTP, which is FOSS and lets you make encrypted backups of OTP secrets that you can then store in a secure secondary location.
Not always. Yes, Authy has its own standard which some sites use, but they also support the standard TOTP algorithm which most other 2FA solutions use. In that case they mostly just force the user to use their own enrollment so they can't use another app. As far as I know that's what's happening in the case of Twitch. But it is possible to extract the secret from Authy afterwards and use it in other apps; a short description can be found here and here is the full source.
🤷🏽♂️ easy fix, replace with https://github.com/andOTP/andOTP via google or f-droid and activate the setting to block accessibility apps, which most people don't really need.
Google rightfully forced apps to justify why they need to be an accessibility service anyway, to help prevent this sort of attack.
They try to force you down that road, yes. But in the end their implementation is also just based on the default TOTP algorithm. They just try to hide it by using letters in addition to numbers to encode the tokens.
In addition to that, you have to extract your account's "shared secret" manually to enter it in 3rd-party apps, which is not really straightforward.
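The Battle.net comment earlier in the thread (8 digits instead of 6) and the Steam comment above (letters mixed with digits) both describe the same RFC 6238 algorithm with a different output encoding. The following is an added example, not code from andOTP or any commenter, that implements standard TOTP with a configurable digit count plus the Steam-style encoding; the Steam alphabet is an assumption drawn from third-party implementations, since the thread only says Steam uses letters in addition to numbers.

```python
import base64
import hmac
import struct
import time

# Steam's 5-character code alphabet. Assumption taken from third-party
# implementations; the thread only says Steam mixes letters with numbers.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def decode_b32(secret_b32: str) -> bytes:
    """Decode a Base32 shared secret as carried in a QR code / otpauth URI."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def truncate(secret: bytes, counter: int, algo: str = "sha1") -> int:
    """HMAC the 8-byte big-endian counter and apply RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret_b32: str, digits: int = 6, period: int = 30, at=None) -> str:
    """RFC 6238 TOTP: digits=6 for most sites, 8 for Battle.net as the thread says."""
    counter = int(time.time() if at is None else at) // period
    return str(truncate(decode_b32(secret_b32), counter) % 10 ** digits).zfill(digits)


def steam_totp(secret_b32: str, at=None) -> str:
    """Steam variant: identical HMAC and truncation, but the 31-bit value is
    written as five base-26 digits from STEAM_ALPHABET instead of decimal."""
    counter = int(time.time() if at is None else at) // 30
    value = truncate(decode_b32(secret_b32), counter)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(chars)


def verify_totp(secret_b32: str, code: str, digits: int = 6, at=None, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps, which is
    what absorbs the small clock offset between devices mentioned in the thread."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(secret_b32, digits, 30, now + 30 * k), code)
               for k in range(-window, window + 1))
```

The RFC 6238 test secret (ASCII "12345678901234567890", Base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) gives `94287082` at t=59 with 8 digits, which is a handy self-check before trusting a freshly extracted secret.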
andOTP encrypts the vault with either the Android Keystore, or a password/PIN.
In the former, it's the band encryption library for Android itself, and is using all of the latest cryptographic best practices, designed by Google's security and encryption team.
In the latter, it's using AES-GCM, which is an authenticated encryption mode, and considered best practice, and is the same encryption used in Aegis.
andOTP uses PBKDF2 for deriving the symmetric key from the password/PIN, and Aegis uses scrypt. andOTP does stick with a weak default iteration count, while Aegis actually uses a sane cost for scrypt. While scrypt is memory-hard as well as CPU-hard, both PBKDF2 and scrypt are "best practice" for key derivation from a human-supplied secret.
So, I'm not sure I would say Aegis "has better encryption" than andOTP, without doing a deeper security audit of their code bases.
For 2FA, I strongly advise against Google Authenticator and FreeOTP. Google Authenticator has no export function, so it is impossible to recover the tokens if the phone is lost or broken. FreeOTP, for its part, is getting old.
I recommend:
Curious, what do you have against the author?
Open source as in the code is available online for anyone to modify/check/whatever. Which is handy if you don't necessarily trust the developer, as others can check the insides and see if everything is all right (no nasty code being inserted etc.)
TBH, no. I have no prejudice towards non-open source, so it serves my needs. I've read their white papers and blog on the subjects of security and architecture, and I am satisfied with it.
I do know there is andOTP and Aegis, both of which are open-source authenticators.
They both have encrypted/protected exports available, which you could use with your private cloud storage of choice to mimic sync. More work obviously and not something I personally have done.
Sorry I don't have a better answer for you.
Try using only free software not coming from Google Play, it will make your life easier down the road in your DeGoogling.
I might have misunderstood. I am not sure you can add the 2FA field directly in the Android app, but you can definitely see it if you did add it beforehand through the desktop version.
If you just want an Android app for 2FA, might I recommend andOTP?
Note: It might not suit your needs if you want to be able to access it from a desktop, though.
Yep! I used the top option in all of the options on this page. I had planned on importing the JSON directly, but I think I just scanned the QR codes.
Yeah! Steam works using the method found here, although you obviously can't use andOTP to approve trades or any of the more complicated stuff that the Steam app does.
Instructions for Paypal, Battle.net, and Twitch can be found on this page.
They're a bit of extra work for first-time setup, but they've all worked great for me after that first hurdle.
I used the guide found here.
Oddly, I think the update offset is slightly different for andOTP, so I thought I'd failed at first because andOTP was giving me different codes than Steam Authenticator. Not until I tried logging in again did I figure out that it was working properly.
Ok, I see your problem now. Here's what you can do (remember, this is a very hacky way to do it, but I didn't want to spend much time to explore it).
Assuming that the debug mode on your phone is on. First we are making a backup of the app: `adb backup -f freeotp.bak org.fedorahosted.freeotp`
Then you need to unpack the resulting freeotp.bak file: `( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 freeotp.bak ) | tar xfvz -`
There were some error messages here, but the only file you are gonna need (tokens.xml) is unpacked; check the folder apps/org.fedorahosted.freeotp/sp
Now you need to decode this tokens.xml file to extract your secret. You're gonna need a python script from here: https://github.com/andOTP/andOTP/issues/66
Just checked it myself, it works perfectly. You'll get your 16-character alphanumeric secret you can use later.
You can even switch to FreeOTP+ so you won't be needing this magic :)
I would recommend andOTP. You can also export and import backups (plaintext, encrypted with password, and PGP encrypted) easily. I just switched to it from FreeOTP a week ago.
You can also get Steam and a few others to work with it, but you need to enable the secret settings for it.
I'm also a new owner of the Google Titan Security Key. Is there any password manager app that works with it, free if possible? andOTP (https://github.com/andOTP/andOTP)?
Well, actually not all digits and letters are in use by steam's implementation (as you can see here), so it turns out that the guy you replied to was accidentally right.
There is a collection of scripts on the Github wiki for that. Most of them require a PC with adb, Python and a rooted phone. I never tried them myself so I can't say anything more about them.