One more step to unhitching from Google…
Right now the only option I see in F-Droid is Aegis.
I’m not sure what to actually look for side from checking for unexpected permissions and reasonably frequent updates.
Hopefully something I can sync with a GNOME app…
You must log in or register to comment.
Ente Auth
I use Aegis on my phone.
since no one mentioned andotp i might have to move away from it…
I think it is not maintained any more: https://github.com/andOTP/andOTP
Aegis for time codes, Nitrokey for physical 2FA tokens.
I use Aegis, automatically backed up every time a new key is added. Was using Authy for a while, but they’re going down the enshittification hole, so I dumped them.
I used to use 2FAS, but recently switched to a self-hosted instance of Ente
I’ve been using Aegis for several years now without any problems. It replaced the Google Authenticator seamlessly.
Stratum
Yubikey. I dont want to trust my phone, so I use some separate hardware instead
What you mean syncing with Gnome app?
Yubikey. It supports TOTP as well as passkeys. Plus is a physical device separate from my phone. Recommend getting 2 to have 1 as backup
I like Aegis.
Proton Authenticator. Has both Desktop and Mobile apps. Free. Don’t have to sync to Proton.
Do they have a Linux client for the desktop?
deb, rpm and aur-bin
Thanks for the speedy reply. On LMDE so Debian it is.
They have no Linux Drive desktop client, so that was pleasent suprise.
Yubikey for 2Fa codes also works well for
sudoandsu(2Fa) or if you still use Windows I think it supports single sign on there. Absolutely worth the purchase have had my keys for years.Can you explain a little more how you handle them in your daily life? I always liked the idea if Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience. Things like:
Are there accounts that you didn’t get to work? Do you have separate keys for personal and work accounts? Do you just have it on your keychain an plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense. As far as I know you can’t just clone a key. How easy is it to setup a backup key? Does this work for all accounts? I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys? How is your experience? USB or NFC?
Can you explain a little more how you handle them in your daily life? I always liked the idea if Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.
I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.
Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.
Do you just have it on your keychain a plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense.
It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.
As far as I know you can’t just clone a key.
So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.
How easy is it to setup a backup key?
While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.
I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?
So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.
I just realized, the formatting of my last reply got lost somehow, sorry for that. Nevertheless, thank you very much for your response. Really appreciate the insights of a long time user.
I switched from Authy to Aegis like 2 years ago, because I didn’t want to rely on an online service either. Similar to something like Keepass, the database is local and you are in charge of making backups and such. But that is also the great thing about it. If your phone dies you just copy the backup to the new device and your golden. I already thought about the switch to a Yubikey back then, but didn’t go through with it.
With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key
Yes always plugged in works of course, I just meant that you are somewhat compromising the security that you have gained by using dedicated hardware. But as you said, if touch is enabled and the key is password protected you are probably fine. In the end this comes always down to an optimization problem between security and convenience that everyone has to decided for themself.
With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key
Just looking back at my purchase history, I got my Yubikey’s back in January 2020, it appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless In certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.
Similar to something like Keepass, the database is local and you are in charge of making backups and such.
I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.
In the end this comes always down to an optimization problem between security and convenience that everyone has to decided for themself.
Couldn’t agree with you more, everybody has that dial between convenience and security and should adjust accordingly.
Bitwarden as Vaultwarden enables TOTP.
