
Topic: Aegis Authenticator, a decent alternative to Google Authenticator and Authy - page 3. (Read 1222 times)

legendary
Activity: 1638
Merit: 1329
Stultorum infinitus est numerus


The biggest problem with Google Authenticator is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, then save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).


this is not a problem, this is a mandatory action!
you should always have a backup, no matter what, for google 2fa or for your bitcoin wallet, trust me, i know! backup can save your life. do it regularly.
and I think this is second best advice in the whole topic  Cool

Just use Authy, it supports virtually everything. A very good interface for 2FA, extensions for PC, app for PC, Android, iOS even SMS 2FA if I am not mistaken (I receive SMS from them from time to time) also, it backs itself up automatically after you set it up so even if you lose your device, you can always recover it.
hero member
Activity: 756
Merit: 507


The biggest problem with Google Authenticator is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, then save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).


this is not a problem, this is a mandatory action!
you should always have a backup, no matter what, for google 2fa or for your bitcoin wallet, trust me, i know! backup can save your life. do it regularly.
and I think this is second best advice in the whole topic  Cool
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I would like banks to offer 2FA for fiat for a start. As it stands I could (I don't, but I could) log in to my online banking using just a password of 7 letters and 1 number, and access my banking app on my phone with either finger print or facial recognition. I've set them both up to require both a much better password as well as a PIN to access, and disabled all biometrics, but it is worrying that they even offer this, since I bet the majority of the average population are more than happy to protect their life savings with facial recognition or something equally insecure. Proper 2FA to both access as well as make any transfers or withdrawals would be nice.

I do agree with you though, and I'm sure when bitcoin goes mainstream and we start seeing JPMorgan, HSBC, ICBC bitcoin accounts, the vast majority of people will be more than happy to ignore the entire point of bitcoin and let the banks hold their coins for them.

As bankers are centralized, I think that they have more elegant ways to keep funds safe.
They can block suspicious transactions, they have insurance, they can revert transfers...

There are other solutions which I believe vary from country to country. Almost all my life savings are in a fiat exchange here in Brazil, which doesn't allow any transfer to another account which is not mine (checked by id). This particular fiat exchange has a 2fa (which I hate, but all users are obligated), but there isn't really any need since no one can steal from me there (as funds can't go to other id)
legendary
Activity: 2268
Merit: 18775
I think in a few years we will see banking offering that kind of services for BTC.
I would like banks to offer 2FA for fiat for a start. As it stands I could (I don't, but I could) log in to my online banking using just a password of 7 letters and 1 number, and access my banking app on my phone with either finger print or facial recognition. I've set them both up to require both a much better password as well as a PIN to access, and disabled all biometrics, but it is worrying that they even offer this, since I bet the majority of the average population are more than happy to protect their life savings with facial recognition or something equally insecure. Proper 2FA to both access as well as make any transfers or withdrawals would be nice.

I do agree with you though, and I'm sure when bitcoin goes mainstream and we start seeing JPMorgan, HSBC, ICBC bitcoin accounts, the vast majority of people will be more than happy to ignore the entire point of bitcoin and let the banks hold their coins for them.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Do people not write down the codes? Every website you activate 2FA on should provide an alphanumeric code alongside the QR code which you can copy down. If they don't provide a code, good 2FA apps will turn the QR code in to an alphanumeric one after you scan it.

I have a strong dislike of backing anything up on cloud servers or non airgapped machines, even if encrypted. I have my 2FA database (encrypted) backed up on an airgapped device, but I also have all my codes written down on paper and stored much like my mnemonic phrases (albeit separately).

No doubt airgapped computer is the best option.

I do not have an airgapped machine (and I think very few people from developing countries do, as even old computers are expensive).
I think a good alternative is to print the QR codes, as mentioned here, or just put them or the keys in a flash drive.

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.

I think this is why the Mt. Gox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safely.... Without worrying about keys airgapped or whatever....

I think in a few years we will see banking offering that kind of services for BTC.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
Do people not write down the codes?

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.
legendary
Activity: 2268
Merit: 18775
Do people not write down the codes? Every website you activate 2FA on should provide an alphanumeric code alongside the QR code which you can copy down. If they don't provide a code, good 2FA apps will turn the QR code in to an alphanumeric one after you scan it.

I have a strong dislike of backing anything up on cloud servers or non airgapped machines, even if encrypted. I have my 2FA database (encrypted) backed up on an airgapped device, but I also have all my codes written down on paper and stored much like my mnemonic phrases (albeit separately).
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
The biggest problem with Google Authenticator is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, then save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).

This was actually my surprise with the Google 2FA back in the day. Knowing it was Google, I automatically expected that the backup codes were somewhat synced to my Google account; hence when I downloaded and installed Google 2FA on my freshly factory restored mobile phone (without making a backup of the keys), well, let's just say I didn't have a pleasant experience trying to contact all the service representatives from 5+ accounts I had with 2FA activated..
legendary
Activity: 2352
Merit: 6089
bitcoindata.science

The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.


that is a heavy argument, I must admit. Well I see, that I learned something new today and I'll give it a try, thank you guys for this info
it is interesting to find something new and useful



The biggest problem with Google Authenticator is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, then save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).

I wrote about it here. Why you shouldn't use GA, or use it very carefully
https://bitcointalksearch.org/topic/2fa-important-precautions-with-google-authenticator-3178131
hero member
Activity: 756
Merit: 507

The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.


that is a heavy argument, I must admit. Well I see, that I learned something new today and I'll give it a try, thank you guys for this info
it is interesting to find something new and useful

mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
but it is possible to copy the code, modify it, then create phishing site and distribute some bad app, right? it would be eliminated, yes, but some people can suffer.

You could also say the same with closed-source apps (the distribution of "bad" apps). In fact, unethical and immoral people do that all the time. They create scammy app versions of some famous websites that don't really have official apps in the hopes of victims thinking that it's the official app. Like what o_e_l_e_o said, simply don't download from unofficial sources; and this applies for both open source and closed source software.
legendary
Activity: 2268
Merit: 18775
strange, but yobit, for example, is not working with any authenticator. but google
Have you tried using a different authenticator? Many websites, including some that I use with andOTP, say the user needs to use Google Authenticator, but work just fine with other authenticators.

i thought that every Authenticator should have own algo inside it
The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.

but it is possible to copy the code, modify it, then create phishing site and distribute some bad app, right?
So don't download from unofficial sources. Problem solved.

I agree that we do not know what's inside google auth, but it is used very widely, so if there was a security breach I think it would be known already.
This is a flawed argument I'm afraid. Windows is far more widely used than Google Authenticator. So is iOS. So is Android. So is Chrome, and Firefox, and Edge, etc, etc. All of these have been subjected to very bad security breaches and exploits. Widely used does not automatically mean safe.
hero member
Activity: 756
Merit: 507
Every 2FA works everywhere. The site has no idea if you are scanning the QR code with Google, Authy, andOTP, Aegis, or any other app. Hell, you could be writing down the shared secret and calculating your code by hand if there wasn't a time limit. The website doesn't know. All it cares about is the code you return.

strange, but yobit, for example, is not working with any authenticator. but google :

"Two-factor authorization (2fa) improves safety dramatically requesting not only login-password, but also special authorization code. Yobit.net uses 2fa of Google Authenticator utility. To use this possibility please download Google Authenticator on you mobile phone and scan QR-code."

i thought that every Authenticator should have own algo inside it, and on exchange there is a server part of app, while customer has a client part.
so once a customer scan the code which server gives him, they are synchronized to each other.


Open source doesn't mean anyone can edit it and push changes to the app stores. It means anyone can view the code and suggest changes. Changes still have to be agreed upon by the developers, and the community will see these changes before it goes live. Compare that with Google Authenticator which could have any code added to and everyone would be none the wiser. Just because it is released by Google doesn't automatically make it more trustworthy; in fact, I would trust it less. Google Authenticator also hasn't been updated in over 2 years. Not great.

but it is possible to copy the code, modify it, then create phishing site and distribute some bad app, right? it would be eliminated, yes, but some people can suffer.
I agree that we do not know what's inside google auth, but it is used very widely, so if there was a security breach I think it would be known already. I do not trust google as well, but in given case I consider it as a lesser evil.


It works, sure, but it is the bare minimum. There is no way to export or back up your database. You can't encrypt or password protect access to it. Not to mention everything owned or developed by Google is spyware. It is a poor choice.

yep, you are right, that lack of features is a problem, but i'm ok with that. I can't be sure if google auth is a spyware, cause I do not have access to its code. it could be a spyware with the same probability as it could be clean ))
it is not a poor choice, I'd say it's a careful choice, imo.
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
See my first paragraph in this post and my previous post. Every 2FA app will work on every site.

Hey thanks. This is groundbreaking for me. This will change the way I use internet now. I didn't notice your message before because there are just so many replies here. It all got a little mixed up. Thanks once again.
legendary
Activity: 2268
Merit: 18775
also it is important that google is working on every exchange
Every 2FA works everywhere. The site has no idea if you are scanning the QR code with Google, Authy, andOTP, Aegis, or any other app. Hell, you could be writing down the shared secret and calculating your code by hand if there wasn't a time limit. The website doesn't know. All it cares about is the code you return.

anyone who has good skill in programming may add some bad code to it, compile and you can download this bad app
Open source doesn't mean anyone can edit it and push changes to the app stores. It means anyone can view the code and suggest changes. Changes still have to be agreed upon by the developers, and the community will see these changes before it goes live. Compare that with Google Authenticator which could have any code added to and everyone would be none the wiser. Just because it is released by Google doesn't automatically make it more trustworthy; in fact, I would trust it less. Google Authenticator also hasn't been updated in over 2 years. Not great.

it is working, right? so let it be working further
It works, sure, but it is the bare minimum. There is no way to export or back up your database. You can't encrypt or password protect access to it. Not to mention everything owned or developed by Google is spyware. It is a poor choice.

I would like for someone to confirm or deny this please.
See my first paragraph in this post and my previous post. Every 2FA app will work on every site.
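
The shared-secret-plus-current-time scheme described in this thread, and the point that every 2FA app works on every site, as an added example that is not part of any post: a minimal TOTP (RFC 6238) generator and server-side check. The URI, account name and issuer are constructed sample values; the secret is the published RFC 6238 test key, and the base32 string in the URI is the alphanumeric code you would write down on paper.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the kind of otpauth:// URI a setup QR code encodes.
# The secret is the RFC 6238 test key ("12345678901234567890") in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_uri(uri: str) -> bytes:
    """Extract and decode the shared secret from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI carries no secret parameter")
    b32 = values[0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # sites often omit base32 padding
    return base64.b32decode(b32)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """What any authenticator app computes: HOTP over the 30-second time step."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify(key: bytes, submitted: str, at: float = None,
           step: int = 30, window: int = 1) -> bool:
    """What the website does: recompute and compare, allowing +/- `window`
    time steps of clock drift. The app that produced the code is invisible."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(key, counter + drift, len(submitted)), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    code = totp(key)
    print("current code:", code, "accepted:", verify(key, code))
```
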
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?

As far as I know, the platform/service doesn't even know what 2 factor authenticator app you're using. So this shouldn't really be a problem to be honest. You could probably even use a 2FA app you develop yourself (if you know how to, of course).

(correct me If I'm wrong, though I'm very sure of this.)

No. Well as far as I know I mean.
I know some platforms want you to use Google authenticator only. Or Authy only. Or whatever app it is that they are supporting. I would like for someone to confirm or deny this please.
Because otherwise this could change the way I use 2fa because obviously I have been doing it wrong.
hero member
Activity: 756
Merit: 507
i'm using google Authenticator and have no plans to change it.
why?  I do not care about design of app, all I need is the raw functionality
also it is important that google is working on every exchange
and I have a little more trust to it, then let's see this open source app - yes, it is open source, that is good for any who is ok with the code, but if you know nothing about programming, then for you it is no use.
anyone who has good skill in programming may add some bad code to it, compile and you can download this bad app.. surely this bad code will be detected and wiped out, but it will take some time, while you will be at risk..
that is why I think for me there is no cause to change Google Authenticator for something else.
it is working, right? so let it be working further  Cool
legendary
Activity: 2268
Merit: 18775
All my authentications were lost and I had a lot of trouble.
Regardless of which 2FA app you are using, you should still be writing down the back up codes given by each site on to paper and storing them securely, much like a mnemonic phrase.

(correct me If I'm wrong, though I'm very sure of this.)
You are correct. Even sites which specify "Download the Google Authenticator app" (which unfortunately many sites do), will still work just fine with a different 2FA app.
mk4
legendary
Activity: 2870
Merit: 3873
📟 t3rminal.xyz
the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?

As far as I know, the platform/service doesn't even know what 2 factor authenticator app you're using. So this shouldn't really be a problem to be honest. You could probably even use a 2FA app you develop yourself (if you know how to, of course).

(correct me If I'm wrong, though I'm very sure of this.)
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
Once I lost my phone and with it my google authenticator. All my authentications were lost and I had a lot of trouble. This seems like a great way to replace the need of Google authenticator in my life but the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?