Aegis Authenticator, a decent alternative to Google Authenticator and Authy - page 2.

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: asche on October 18, 2019, 03:08:38 AM

If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.

Yep! Hence The Google auth app was widely recommended before when there's not that much good alternatives. As with a rooted phone + Titanium backup, that's what I did in the past too. It's nice to have in-app password encryption though; just a small extra layer of security.

If you're going to switch over and you have a rooted phone, switching over is going to be A LOT easier. Aegis has an "import from app" feature if you have a rooted phone. It can grab the backup codes off Google auth. I suggest trying it out.

asche

legendary

Activity: 1484

Merit: 1491

I forgot more than you will ever know.

Quote from: mk4 on October 17, 2019, 09:39:30 PM

It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: DdmrDdmr on October 17, 2019, 10:30:38 AM

Yes, your right. I’ve just installed it on a new device with a new set of credentials, and the multi device feature is on by default (which it shouldn’t).

It definitely shouldn't be on by default. It's just convenient to have that feature, but in exchange for security risks. Definitely not worth it in my opinion.

Quote from: Renampun on October 17, 2019, 04:39:31 PM

I hope the application features contained in this application are more complete than those of Google

It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

Renampun

sr. member

Activity: 2338

Merit: 365

Quote from: mk4 on October 14, 2019, 11:50:00 PM

snip~

I just found out there is an authenticator app besides Google's 2FA Authenticator
this application is a must-try. I hope the application features contained in this application are more complete than those of Google

DdmrDdmr

legendary

Activity: 2338

Merit: 10802

There are lies, damned lies and statistics. MTwain

Quote from: mk4 on October 17, 2019, 09:26:34 AM

<…> Yes, but the multi-device feature is turned on by default right? <…>

Yes, your right. I’ve just installed it on a new device with a new set of credentials, and the multi device feature is on by default (which it shouldn’t). On my regular devices, I’ve switched it off, since I wasn’t aware of this feature’s behaviour until today. Switching it off on once device syncs the setting with all the synchronized devices (i.e switching multi device off on one does it on the others).

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Email should never factor in to your 2FA set up, either as 2FA itself (click a link on the email we send you, for example), or as a back up to your 2FA app or codes.

The whole point of 2FA is to be two separate, independent factors. If you are using your email as a login, then chances are you can reset your password via email. If you can also access/transfer/reset your second factor via the same email, then you no longer have two factors, you have one. If someone who gains access to your email can break both your factors, then that's not 2FA.

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: DdmrDdmr on October 17, 2019, 05:57:40 AM

According to Authy, you need to disable the multi-device feature one you have installed authy in your device/s, to prevent more devices from being added (i.e. a swim-swapped device).

Yes, but the multi-device feature is turned on by default right? Chances are that the casual Authy user doesn't know the potential problems that could be had with that feature being turned on.

Quote from: DdmrDdmr on October 17, 2019, 05:57:40 AM

If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.

While that's great, I don't think it's enough to be honest. If an email gets compromised, it could also take a lot of effort to recover the email. Jeebus I remember the last time I tried to recover my old gmail account.

Deathwing

legendary

Activity: 1638

Merit: 1329

Stultorum infinitus est numerus

Quote from: mk4 on October 17, 2019, 05:49:54 AM

Quote from: Deathwing on October 17, 2019, 12:42:27 AM

When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know(correct me if I'm wrong), if someone managed to do a sim swap hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

Authy has an extra protection feature when you swap devices or sim card, to prevent this exact issue.

DdmrDdmr

legendary

Activity: 2338

Merit: 10802

There are lies, damned lies and statistics. MTwain

Quote from: mk4 on October 17, 2019, 05:49:54 AM

<...>

According to Authy, you need to disable the multi-device feature one you have installed authy in your device/s, to prevent more devices from being added (i.e. a swim-swapped device). If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.

see: https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: Deathwing on October 17, 2019, 12:42:27 AM

When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know(correct me if I'm wrong), if someone managed to do a sim swap hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

Deathwing

legendary

Activity: 1638

Merit: 1329

Stultorum infinitus est numerus

Quote from: o_e_l_e_o on October 16, 2019, 03:26:04 PM

Quote from: Deathwing on October 16, 2019, 11:19:00 AM

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)

SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attack to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

Quote from: ?? on ??

It's too bad, but i could move it as soon as backup process is done.

See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.

Authy, by default, does not actually enable the 2FA. When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Saint-loup on October 16, 2019, 03:52:40 PM

Using bitcoin should be an easy way of sending funds, not a new problem to manage.

So we shouldn't be teaching newbies about best security practices because they are difficult? Just let them use insecure methods because they're easier? I don't think so.

Downloading and using a single authenticator app is hardly challenging. I stand by my original point: Of the commonly offered 2FA methods - SMS, email, app, hardware keys - SMS is by far the least secure. Just as we shouldn't be encouraging anyone to leave their coins on an exchange because it's "easier", we shouldn't be encouraging anyone to use SMS 2FA, and those who are should be encouraged to upgrade to an authenticator app.

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: Saint-loup on October 16, 2019, 03:52:40 PM

Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat,

Oh it's definitely insecure and could be a massive threat. Though I'd say SMS auth is better than no auth at all, there's zero reason for a person to not use app 2fas.

Quote from: Saint-loup on October 16, 2019, 03:52:40 PM

beginners shouldn't need to understand and install dozens of app to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.

Dozen apps? You use one authenticator app for literally almost all important accounts you have all over the web, not only crypto-related apps. Also, you're most likely not going to need 2fa if you're using a non-custodial wallet to start with. Unless you're keeping funds on exchanges(which of course you shouldn't do unless you're a daytrader).

Quote from: asche on October 16, 2019, 05:26:07 PM

Very good find!

I will try it asap.

I allowed myself to translate it into german. Hope that is ok. I obviously linked your thread as a source

Sure! Hope it could help.

asche

legendary

Activity: 1484

Merit: 1491

I forgot more than you will ever know.

Very good find!

I will try it asap.

I allowed myself to translate it into german. Hope that is ok. I obviously linked your thread as a source

Saint-loup

legendary

Activity: 2604

Merit: 2353

Quote from: o_e_l_e_o on October 16, 2019, 03:26:04 PM

Quote from: Deathwing on October 16, 2019, 11:19:00 AM

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)

SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attack to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat, beginners shouldn't need to understand and install dozens of app to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Deathwing on October 16, 2019, 11:19:00 AM

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)

SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attack to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

Quote from: ?? on ??

It's too bad, but i could move it as soon as backup process is done.

See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.

ronaldo40

legendary

Activity: 1554

Merit: 1014

Quote from: mk4 on October 14, 2019, 11:50:00 PM

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

i just know about this that the company stored our 2FA backup and after this, i will definitely try Aegis Auth

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: bitmover on October 16, 2019, 11:42:23 AM

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However they paid for an insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

True. But there's a really really huge difference between a lot of Binance accounts being hacked through means user-targetted attacks like social engineering the user's accounts through phishing links and such, compared to Binance's cold storage actually being hacked. Now THAT'S a big difference. Pretty much like what happened to MtGox and Bitfinex in the past, but multiplied a multiple times.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

Quote from: mk4 on October 16, 2019, 11:21:50 AM

True. Hence why I see if ever Binance gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so much funds on Binance that it's almost guaranteed(in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so much people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However they paid for an insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

mk4

legendary

Activity: 2870

Merit: 3873

Paldo.io 🤖

Quote from: bitmover on October 16, 2019, 08:30:47 AM

Quote from: mk4 on October 16, 2019, 07:39:15 AM

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.

I think this is why my gox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safety.... Without worrying about keys airgapped or whatever....

I think in a few years we will see banking offering that kind of services for BTC.

True. Hence why I see if ever Binance gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so much funds on Binance that it's almost guaranteed(in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so much people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

Topic: Aegis Authenticator, a decent alternative to Google Authenticator and Authy - page 2. (Read 1207 times)