Topic: 2FA added

legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
March 26, 2024, 03:36:19 PM
Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

It is true that perhaps they create these difficulties so that the person does not easily leave their services.
But we also have to be realistic: if it were easy to obtain this information, security levels would be lower, making it even easier for criminals to obtain this data.
legendary
Activity: 1008
Merit: 3001
March 26, 2024, 01:55:12 PM
As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.
This is the case with Google Authenticator. The application only provides the scanning of a QR code as the way to import the details into another device. The most probable scenario is that a user wants to import the codes into another application using the same smartphone, so they are forced to take a picture of the QR code (ideally with a non internet connected device such as a digital camera) and then scan that picture with their smartphone.

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
March 25, 2024, 03:45:55 PM
One question: Is it easy to migrate from one service to another?

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

Therefore I developed the habit to make a physical backup on paper of the 2FA shared secret when I setup a new 2FA account. If I can get only a QR code for 2FA setup, I scan it with a designated privacy friendly QR code scan app that I have on my phone which allows me to decode the QR 2FA setup code and doesn't share this with any other app or cloud storage.

I don't make a digital photo of the 2FA setup QR code because usually pictures are uploaded to some cloud. If the QR code is displayed on a computer, printing it safely is another option. I make some effort to not leave any digital traces of 2FA setup codes on online digital devices.

Backup and migration is far from user friendly if you're concerned of security, unfortunately.


Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

If you can't migrate a 2FA account or have no physical backup, that's unfortunately the only option to go for setup on a new device or 2FA app. I'd rather go the route to temporarily disable 2FA if that is possible and re-enable it for setup newly. But you have to be careful not to lose access and having to perform some painful recovery with service desk hell.
legendary
Activity: 1008
Merit: 3001
March 25, 2024, 05:39:59 AM
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?
Aegis supports importing your 2FA codes, so you don't need to add them individually into the application (or, worse, remove them first and add them on Aegis). If you use Google Authenticator you can try any of the methods explained here[1]. Aegis also supports backing up the file so that you can keep it in a safe place in the event that you lose your phone (for example).

[1]https://www.theverge.com/21410260/google-authenticator-2fa-how-to-phone-security-iphone-android
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
March 25, 2024, 03:48:42 AM
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?
legendary
Activity: 1008
Merit: 3001
March 24, 2024, 08:35:54 PM
Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).

[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis
Small update to my previous entry: Aegis has now reached v3.0 (~8 hours ago)[1] with a couple of neat features which deserve our attention:
Quote
Material 3 (and Material You)
Automatic assignment of icons to entries
Ability to select all entries in one go
Support for importing 2FAS schema v4 backups
Sort entries based on the last time they were used
Some clarifications related to importing and backup permission errors
Preparations for the ability to assign a single entry to multiple groups
Performance improvements when scrolling through an entry list with lots of icons
A new look for the third-party licenses list
For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

[1]https://github.com/beemdevelopment/Aegis/releases/tag/v3.0
[2]https://security.googleblog.com/2023/04/google-authenticator-now-supports.html
legendary
Activity: 3192
Merit: 1198
Bons.io Telegram Casino
January 24, 2024, 09:06:29 PM
(...) Am I the only one any help will be appreciated.
I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.



Yes, I did, I mistyped it. Sorry too for not updating my post. I'm now using it and glad that we have this, and thank you for adding this feature here on Bitcointalk.
hero member
Activity: 510
Merit: 3981
January 24, 2024, 08:56:49 PM
(...) is it safe to assume that this authentication process cannot be made to synchronize with just one device?.. cus scanning out the code on the app would definitely need two devices..
You can do everything from a single device if you want (for example, most of the testing I did during development took place by ignoring the QR code and just copy-pasting the shared secret into KeePassXC).

I mean, single-device 2FA will make some people wag their finger at you, but I'd personally feel pretty comfortable keeping my shared secret in something like KeePassXC on the same device that I log in from. I'm a little biased though, because I hate using my phone (if I could yeet the contemptible thing into the fuggin' sun, I would; if it wasn't for my wife calmly preaching pragmatism, and trying to keep me on the reservation, so to speak, I probably wouldn't even own one).

(...) Am I the only one any help will be appreciated.
I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.

There's a URL on the icon in the 2FA - it leads to a parked domain advertisement.  Is this deliberate, or a blunder?
You mean the QR code? The QR code contains a specially-crafted URI that's meant for convenient importing of your 2FA secret/settings into a TOTP-compatible authenticator application. It's not meant to be navigated to.

It's worth pointing out that scanning the QR code is optional: all of the info you need to manually import your 2FA secret (and related settings) into any TOTP-compatible application can be obtained from the account settings page. (More detailed settings, which are rarely needed because they correspond to widely-compatible default values, are visible when hovering over the "Shared secret (Base32)" field label.)

legendary
Activity: 1008
Merit: 3001
January 21, 2024, 12:34:25 PM
#99
It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.
Like I previously said, Ente Auth was created due to the developers of Ente Photos having "(...) had a hard time finding a place to preserve our two-factor secrets." The main focus of the Ente team seems to be their main application, so I do not know if Ente Auth will get the same amount of development that their main application has. They did release a version 2.0 within a year after the first version was released[2], so who knows if this will develop into one full-fledged project. Note the note at the end though:
Quote
Our source of revenue is our Photos app, and Auth continues to be a labor of love. So we hope you'll enjoy these goodies 💚
Do note, however, that they also talk about the possibility of this becoming a paid service[1]. For now it remains free to use.

[1]https://ente.io/blog/auth/
[2]https://ente.io/blog/auth-v2/
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 21, 2024, 10:29:37 AM
#98
It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth

I heard more recommendations for Aegis than for Ente and code inspection of Ente Auth would take me too much time and I certainly lack also expertise to check the code properly and with confidence. But it's better to have more good options than fewer. I'll give both Aegis and Ente Auth a closer look and try after a quick scan over their codebase (I'm not too happy with the options that FreeOTP gives me. Yes, I can save backups, but I'd want to export individual OTP accounts on occasion.)
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
January 21, 2024, 05:13:09 AM
#97
Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.
ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:

--snip--

It looks good. But it's weird the github has almost 1K stars, while it has only 1K+ download on google play[1]. So i'd continue to recommend Aegis, unless they use Apple device.

[1] https://play.google.com/store/apps/details?id=io.ente.auth
hero member
Activity: 1098
Merit: 534
January 21, 2024, 02:09:03 AM
#96
After all the discussions about 2FA, now it's finally implemented in the forum. I can't imagine the pressure it is for theymos when deciding on adding the 2FA or not because of previous discussion of the same topic. Before reading the OP, I checked the title and it says 2FA added, then it came to my mind that there might be someone who is behind it. It's still new and there could be bugs etc. Considering it was added on the forum recently, having someone complaining about it already being noticed by many and then fixed later is also an improvement.

I guess the squeaky wheel gets the grease! Lmao. Great job with this Theymos, it's definitely a huge security development and one that we all needed to batten down the hatches of our forum account. Well done!!!
legendary
Activity: 1008
Merit: 3001
January 20, 2024, 08:59:17 PM
#95
Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.
ente Authenticator (a secondary product of ente[1]) also allows you to export your codes:



1. Click on the hamburger menu
2. Data -> Export codes
3. Choose if you would like to apply an encryption to the file (recommended) or just let it be plain text (don't do this)
4. Enter the desired password and export the file to a custom location

The initial screen of the application may lead you to create an account but you do not need to do that, you can simply click on "Use without backups" when the application first launches to skip that option.

[1]https://github.com/ente-io
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
January 20, 2024, 05:53:49 AM
#94
I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
It does allow that, but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can, I would still recommend that you opt for an open-source application (I have mentioned them[2] in my previous post).

[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalksearch.org/topic/m.63470636

And it seems the Authy encrypted backup must be stored on their server[1]. Meanwhile, your recommendation (Aegis) let us copy encrypted backup file as we like.

[1] https://authy.com/blog/how-the-authy-two-factor-backups-work/
legendary
Activity: 1008
Merit: 3001
January 19, 2024, 03:27:13 PM
#93
I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
It does allow that, but @Abhishek0.2 you should note that Authy is closed source and had some breaches in the past[1]. If you can, I would still recommend that you opt for an open-source application (I have mentioned them[2] in my previous post).

[1]https://techcrunch.com/2022/08/26/twilio-breach-authy
[2]https://bitcointalksearch.org/topic/m.63470636
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 19, 2024, 02:43:01 AM
#92
In case of a lost OTP address, is there any backup for this, or one address for one time only? Anyway, I have attached it on Authy.

You can write down the secret that is displayed as text and shared to an OTP app via the QR code when you setup or renew the 2FA. Most OTP apps allow a manual setup, that's where you enter the secret text code by typing it.

I advise not to make a screenshot of the QR code, nor save the shared secret text on any digital online device. Why? Pictures very often get synced to some cloud service(s) and you don't have any control who may access or analyse them there. Digital copies may get in wrong hands when an online device gets compromised or lost.

I'm aware that the Authy app allows encrypted backups of your OTP accounts. Well, you need to remember the encryption password, so better write that down on an analog copy, too.
newbie
Activity: 11
Merit: 2
January 18, 2024, 06:29:15 PM
#91
Thanks to PowerGlove, who did 90% of the work on this, the much-requested 2-factor authentication feature has finally been added. You can enable it in your Account Settings, and then you have to give the code when logging in. If you don't have 2FA enabled, you have to leave the OTP field blank when logging in.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like [email protected]; don't use a random nonsense email like [email protected], since somebody might create that domain/email.

Let me know if there are any bugs.


I came to this forum after several months and things have changed vastly. Just tested 2FA, worked fine. In case of a lost OTP address, is there any backup for this, or one address for one time only? Anyway, I have attached it on Authy.

thanks
legendary
Activity: 1008
Merit: 3001
January 09, 2024, 06:43:00 PM
#90
Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).

[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 04, 2024, 08:36:13 PM
#89
when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewed result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)

Well-implemented TOTP 2FA authentication doesn't need the clocks of server and TOTP client app to be strictly in sync. It is recommended that the TOTP code from the current 30-second window should not only be accepted on the spot, but also to accept the TOTP code from the previous and the future 30s window. That way you avoid unnecessary authentication fails when clocks drift somewhat apart.

You don't lose security by this, being a bit relaxed clock-wise. Yeah, you can demand that clocks run in sync, but frankly that's not reality and a bit too strict and gives no good user experience.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
January 04, 2024, 06:51:49 PM
#88
Except when the phone's clock gets out of sync by as little as a couple of seconds, then the 2FA app will give a skewed result. Connecting to the net exposes the phone to hacking. (Tin foil hat moment)
In most cases a phone's clock never gets out of sync even by a second, but if that happens then the user can fix the time manually without any issues. Connecting to the internet surely exposes phones to hackers, and for that reason it's always better to use a phone with a Linux-based distribution.

A phone like the Pine-Phone supports many of the open-source operating systems. You can also use a Linux distribution like Ubuntu Touch on Google Pixel phones, Xiaomi phones, and OnePlus phones. The open-source operating systems based on Linux are still safe and hackers would have to do a lot of work to find vulnerabilities in those operating systems. In fact they don't, because they don't really care about less than 0.00001% of members who use Linux-based open-source operating systems on their phones.