Topic: Aegis Authenticator, a decent alternative to Google Authenticator and Authy (Read 1143 times)

Quote from: ABCbits on October 18, 2021, 06:03:58 AM

Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for option, you could check andOTP (https://github.com/andOTP/andOTP) which is slightly more popular option and have few different feature (such as encrypt with PIN).

Well, you set pin instead of words in password field and same function in Aegis Tongue

Actually it's good point, although Aegis will spawn QWERTY virtual keyboard rather than numeric virtual keyboard. Should've mentioned there's backup option using OpenPGP instead Roll Eyes

.

There is setting for pin keyboard if you have numeric password Grin

libert19

hero member

Activity: 2464

Merit: 934

Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for option, you could check andOTP (https://github.com/andOTP/andOTP) which is slightly more popular option and have few different feature (such as encrypt with PIN).

Well, you set pin instead of words in password field and same function in Aegis Tongue

NeuroticFish

legendary

Activity: 3500

Merit: 6205

Looking for campaign manager? Contact icopress!

Do you still recommend Aegis?

I still use and recommend Aegis, it works wonderfully with Firefox on both Android and PC.

ABCbits

legendary

Activity: 2856

Merit: 7410

Crypto Swap Exchange

Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for option, you could check andOTP (https://github.com/andOTP/andOTP) which is slightly more popular option and have few different feature (such as encrypt with PIN).

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: o_e_l_e_o on March 19, 2020, 04:41:29 PM

Do you still recommend Aegis?

I switched to it a while ago, and I would absolutely recommend it. It is free, open source, encrypts your information, allows you to edit and re-order your entries, and supports encrypted back ups. It has ongoing development (https://github.com/beemdevelopment/Aegis), and it doesn't spy on you like some other 2FA apps such as Authy. It is recommended by both https://www.privacytools.io/#2fa and https://prism-break.org/en/categories/android/#authentication.

Even if you are utilizing the export encrypted back up feature, make sure that you also write down the shared secret codes for each account you add to Aegis as an offline backup. If you forget to do this at the time of adding the account, Aegis lets you go in to the account later and view the shared secret.

JL0

full member

Activity: 817

Merit: 158

Bitcoin the Digital Gold

Do you still recommend Aegis?

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Even better than all that would be to not use Google Authenticator at all, and switch to an open source app with encrypted back ups built in, such as Aegis.

I think it's worth mentioning at this point that there there is an open source version of Authenticator at https://github.com/google/google-authenticator, but this by itself doesn't have backup support. Though I have seen browser extensions based off of this that can backup the IDs and secrets. Authenticator also has a Linux PAM module that I've seen deployed at some university facilities in real life.

Also, I will emphasize again that each and every authentication app is only as secure as the secret lengths fed into it by websites. No matter if you use Authenticator, Aegis, Authy or something else.

Quote from: NotATether on February 29, 2020, 04:14:58 PM

Here is the official Google Authenticator codebase (at least the open source part): https://github.com/google/google-authenticator-android/
This is the part of the code that handles secret entry. Notice how MIN_KEY_BYTES has a value of only 10 i.e. 80 bits: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/EnterKeyActivity.java#L121-L126
And this is the part of the code that hashes the secret into a 6-digit code: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/PasscodeGenerator.java#L152-L163

Clearly these code snippets indicate that while Google Authenticator supports more bits, it foolishly sets the minimum to 80 bits despite strict requirements by RFC 4226 (yes OTP is an RFC standard) to use at least 128 bits and recommends 160 bits, double the amount that Authenticator-aware web services use. Remember that web services are the ones creating these very small keys, not Authenticator.

So while OTP authentication provides strong security if used properly, Authenticator tokens fall very short of the minimum security requirements, so they were never secure to use in the first place. Again though, Authenticator supports more than 80 bits, it's just the web services don't make more bits.

It's worth noting that other TOTP authentication software works with the same sites as Google Authenticator, but are only as secure as the length of the secret key that the web service gives it.

Authenticator lets websites use at least 80 bit keys, I'm not sure about the minimum of Aegis though.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Your Google Authenticator back up codes should ideally be stored offline, written down a piece of paper and stored somewhere secure, much like you would for your bitcoin wallet seed phrase.

Be aware that depending what software you are using to "zip" your file, the password protection may be very weak and easily broken. If you absolutely must store your back up codes on a computer, you should be using proper encryption software to protect them.

Even better than all that would be to not use Google Authenticator at all, and switch to an open source app with encrypted back ups built in, such as Aegis.

libert19

hero member

Activity: 2464

Merit: 934

Quote from: LbtalkL on March 19, 2020, 10:57:07 AM

Quote from: libert19 on March 19, 2020, 12:33:30 AM

Quote from: LbtalkL on March 17, 2020, 10:10:23 AM

Quote from: libert19 on March 19, 2020, 12:33:30 AM

Found this from a similar new thread but I decided to comment here instead, Is this authenticator has a search feature? I have been using google authenticator for a long time I got so many websites with authentication so It will be convenient if it has a search feature to find it directly and lessen time to scroll. Anyways I will install this later thanks for sharing.

You meant to say searching the websites you would like to find the authentication code? If that so, they have that feature. Go to Settings > Enable "Search in account names" this will include the account name in the search results you are looking.

Google authenticator is very risky if you don't save the backup keys. But I always save mine at a notepad on Desktop..

I don't think saving backup codes in notepad is a good idea lol

Notepad + and Zip it with a password, Already made a copy on Flahshdrive and sdcard incase something bad happen to my Desktop. That is what I do, How about a suggestion? Do you have one it might help than just laughing without a good suggestion? How about you where do you save yours?

Sorry if I come out rude, I use password safe on my android it basically does the same thing as you mentioned, you put your data in it, encrypt with a password and put that backup file wherever you like.

LbtalkL

full member

Activity: 1176

Merit: 162

Quote from: LbtalkL on March 17, 2020, 10:10:23 AM

Quote from: libert19 on March 19, 2020, 12:33:30 AM

Found this from a similar new thread but I decided to comment here instead, Is this authenticator has a search feature? I have been using google authenticator for a long time I got so many websites with authentication so It will be convenient if it has a search feature to find it directly and lessen time to scroll. Anyways I will install this later thanks for sharing.

You meant to say searching the websites you would like to find the authentication code? If that so, they have that feature. Go to Settings > Enable "Search in account names" this will include the account name in the search results you are looking.

Google authenticator is very risky if you don't save the backup keys. But I always save mine at a notepad on Desktop..

I don't think saving backup codes in notepad is a good idea lol

Notepad + and Zip it with a password, Already made a copy on Flahshdrive and sdcard incase something bad happen to my Desktop. That is what I do, How about a suggestion? Do you have one it might help than just laughing without a good suggestion? How about you where do you save yours?

Subbir

full member

Activity: 770

Merit: 104

🎄 Allah is The Best Planner 🥀

I usually use Google Authenticator to guard my personal code As you only said the notepad doesn't give much protection. If there's a drag with the PC it's likely to be deleted there's no fear of losing Google Authenticator and nobody are going to be ready to easily enter your ID albeit you recognize your password. Because Google Authenticator has code when logging in That's why Google Authenticator may be a safe place to possess your own personal keys.

hd49728

legendary

Activity: 2044

Merit: 1018

I don't think saving backup codes in notepad is a good idea lol

Notepad is a bad tool to store backup codes. As far as I know, notepad does not provide encryption. Important backup codes should be stored on technical devices (but always offline) and simultaneously stored on physical materials, like paper, steel (kind of metal), in vault.
Don't store them on cloud.

libert19

hero member

Activity: 2464

Merit: 934

Quote from: LbtalkL on March 17, 2020, 10:10:23 AM

Found this from a similar new thread but I decided to comment here instead, Is this authenticator has a search feature? I have been using google authenticator for a long time I got so many websites with authentication so It will be convenient if it has a search feature to find it directly and lessen time to scroll. Anyways I will install this later thanks for sharing.

You meant to say searching the websites you would like to find the authentication code? If that so, they have that feature. Go to Settings > Enable "Search in account names" this will include the account name in the search results you are looking.

Google authenticator is very risky if you don't save the backup keys. But I always save mine at a notepad on Desktop..

I don't think saving backup codes in notepad is a good idea lol

LbtalkL

full member

Activity: 1176

Merit: 162

Found this from a similar new thread but I decided to comment here instead, Is this authenticator has a search feature? I have been using google authenticator for a long time I got so many websites with authentication so It will be convenient if it has a search feature to find it directly and lessen time to scroll. Anyways I will install this later thanks for sharing.

You meant to say searching the websites you would like to find the authentication code? If that so, they have that feature. Go to Settings > Enable "Search in account names" this will include the account name in the search results you are looking.

Yes, that is what I am looking thanks for the reply. Looks like I will migrate now. Google authenticator is very risky if you don't save the backup keys. But I always save mine at a notepad on Desktop but I guess this Aegis Authenticator offers much better options for recovery.

asu

legendary

Activity: 1302

Merit: 1135