Topic: Aegis Authenticator, a decent alternative to Google Authenticator and Authy

hero member
Activity: 2520
Merit: 952
Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for options, you could check andOTP (https://github.com/andOTP/andOTP), which is a slightly more popular option and has a few different features (such as encryption with a PIN).

Well, you set a PIN instead of words in the password field and it's the same function in Aegis.

Actually it's a good point, although Aegis will spawn a QWERTY virtual keyboard rather than a numeric one. I should've mentioned there's a backup option using OpenPGP instead.

There is a setting for a PIN keyboard if you have a numeric password.
hero member
Activity: 2520
Merit: 952
Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for options, you could check andOTP (https://github.com/andOTP/andOTP), which is a slightly more popular option and has a few different features (such as encryption with a PIN).

Well, you set a PIN instead of words in the password field and it's the same function in Aegis.

legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
Do you still recommend Aegis?

I still use and recommend Aegis, it works wonderfully with Firefox on both Android and PC.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for options, you could check andOTP (https://github.com/andOTP/andOTP), which is a slightly more popular option and has a few different features (such as encryption with a PIN).
legendary
Activity: 2268
Merit: 18748
Do you still recommend Aegis?
I switched to it a while ago, and I would absolutely recommend it. It is free, open source, encrypts your information, allows you to edit and re-order your entries, and supports encrypted backups. It has ongoing development (https://github.com/beemdevelopment/Aegis), and it doesn't spy on you like some other 2FA apps such as Authy. It is recommended by both https://www.privacytools.io/#2fa and https://prism-break.org/en/categories/android/#authentication.

Even if you are utilizing the encrypted backup export feature, make sure that you also write down the shared secret codes for each account you add to Aegis as an offline backup. If you forget to do this at the time of adding the account, Aegis lets you go into the account later and view the shared secret.
JL0
full member
Activity: 817
Merit: 158
Bitcoin the Digital Gold
Do you still recommend Aegis?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Even better than all that would be to not use Google Authenticator at all, and switch to an open source app with encrypted backups built in, such as Aegis.

I think it's worth mentioning at this point that there is an open source version of Authenticator at https://github.com/google/google-authenticator, but this by itself doesn't have backup support. Though I have seen browser extensions based on this that can back up the IDs and secrets. Authenticator also has a Linux PAM module that I've seen deployed at some university facilities in real life.

Also, I will emphasize again that each and every authentication app is only as secure as the secret lengths fed into it by websites. No matter if you use Authenticator, Aegis, Authy or something else.

Here is the official Google Authenticator codebase (at least the open source part): https://github.com/google/google-authenticator-android/
This is the part of the code that handles secret entry. Notice how MIN_KEY_BYTES has a value of only 10 i.e. 80 bits: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/EnterKeyActivity.java#L121-L126
And this is the part of the code that hashes the secret into a 6-digit code: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/PasscodeGenerator.java#L152-L163

Clearly these code snippets indicate that while Google Authenticator supports more bits, it foolishly sets the minimum to 80 bits, despite RFC 4226 (yes, OTP is an RFC standard) strictly requiring at least 128 bits and recommending 160 bits, double the amount that Authenticator-aware web services use. Remember that web services are the ones creating these very small keys, not Authenticator.

So while OTP authentication provides strong security if used properly, Authenticator tokens fall very short of the minimum security requirements, so they were never secure to use in the first place. Again though, Authenticator supports more than 80 bits; it's just that the web services don't generate more bits.

It's worth noting that other TOTP authentication software works with the same sites as Google Authenticator, but is only as secure as the length of the secret key that the web service gives it.

Authenticator lets websites use at least 80-bit keys; I'm not sure about the minimum of Aegis though.
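To make the secret-length point above concrete, here is an added example (not from this thread and not Google Authenticator's or Aegis's code) that parses an otpauth:// URI of the kind a QR code carries, grades the decoded secret against the 80-bit Authenticator minimum and the RFC 4226 128-bit minimum / 160-bit recommendation quoted above, and computes the 6-digit code the way RFC 4226/6238 specify. The sample URIs, account names and the 10-byte secret are constructed; the 20-byte secret is the RFC 4226 test-vector key.

```python
"""Assess a TOTP provisioning secret and compute codes per RFC 4226 / RFC 6238.

Added example; the thresholds are the ones named in the thread.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Authenticator's MIN_KEY_BYTES is 10 (80 bits); RFC 4226 section 4 requires
# a shared secret of at least 128 bits and recommends 160 bits.
AUTHENTICATOR_MIN_BYTES = 10
RFC4226_MIN_BYTES = 16
RFC4226_RECOMMENDED_BYTES = 20


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret from a QR code, tolerating lowercase,
    spaces and the missing '=' padding most services omit."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def classify_secret(secret_bytes: bytes) -> str:
    """Grade a raw secret against the Authenticator and RFC 4226 lengths."""
    n = len(secret_bytes)
    if n < AUTHENTICATOR_MIN_BYTES:
        return "rejected: shorter than Authenticator's 80-bit minimum"
    if n < RFC4226_MIN_BYTES:
        return "weak: accepted by Authenticator but below RFC 4226's 128-bit minimum"
    if n < RFC4226_RECOMMENDED_BYTES:
        return "ok: meets RFC 4226's 128-bit minimum but not the recommended 160 bits"
    return "good: meets RFC 4226's recommended 160 bits or more"


def hotp(secret_bytes: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation (low nibble of the last byte picks the offset)."""
    mac = hmac.new(secret_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_bytes: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_bytes, unix_time // step, digits)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&issuer=...&digits=... and
    attach the decoded secret, its bit length and a strength assessment."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    secret_bytes = decode_base32_secret(params["secret"])
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", "6")),
        "secret": secret_bytes,
        "bits": len(secret_bytes) * 8,
        "assessment": classify_secret(secret_bytes),
    }


# Constructed sample URIs (not real accounts). The first carries the RFC 4226
# test-vector secret "12345678901234567890" (160 bits); the second carries the
# 10-byte secret "0123456789" (80 bits), the shortest Authenticator accepts.
SAMPLE_URIS = [
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example",
    "otpauth://totp/Example:bob%40example.com?secret=GAYTEMZUGU3DOOBZ&issuer=Example",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        entry = parse_otpauth(uri)
        print(f"{entry['label']}: {entry['bits']} bits -> {entry['assessment']}")
        print("  current code:", totp(entry["secret"], int(time.time()), digits=entry["digits"]))
```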
legendary
Activity: 2268
Merit: 18748
Your Google Authenticator backup codes should ideally be stored offline, written down on a piece of paper and stored somewhere secure, much like you would for your bitcoin wallet seed phrase.

Be aware that depending on what software you are using to "zip" your file, the password protection may be very weak and easily broken. If you absolutely must store your backup codes on a computer, you should be using proper encryption software to protect them.

Even better than all that would be to not use Google Authenticator at all, and switch to an open source app with encrypted backups built in, such as Aegis.
hero member
Activity: 2520
Merit: 952
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.

You mean searching for the website whose authentication code you would like to find? If so, they have that feature. Go to Settings > enable "Search in account names"; this will include the account name in the search results.
Google Authenticator is very risky if you don't save the backup keys. But I always save mine in a notepad file on my Desktop.

I don't think saving backup codes in notepad is a good idea lol
Notepad, and I zip it with a password. I've already made a copy on a flash drive and SD card in case something bad happens to my Desktop. That is what I do. How about a suggestion? Do you have one? It might help more than just laughing without a good suggestion. How about you, where do you save yours?

Sorry if I came across as rude. I use Password Safe on my Android; it basically does the same thing as you mentioned: you put your data in it, encrypt it with a password, and put that backup file wherever you like.
full member
Activity: 1176
Merit: 162
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.

You mean searching for the website whose authentication code you would like to find? If so, they have that feature. Go to Settings > enable "Search in account names"; this will include the account name in the search results.
Google Authenticator is very risky if you don't save the backup keys. But I always save mine in a notepad file on my Desktop.

I don't think saving backup codes in notepad is a good idea lol
Notepad, and I zip it with a password. I've already made a copy on a flash drive and SD card in case something bad happens to my Desktop. That is what I do. How about a suggestion? Do you have one? It might help more than just laughing without a good suggestion. How about you, where do you save yours?
full member
Activity: 798
Merit: 104
🎄 Allah is The Best Planner 🥀
I usually use Google Authenticator to guard my personal code. As you said, the notepad doesn't give much protection. If there's a drag with the PC it's likely to be deleted; there's no fear of losing Google Authenticator, and nobody is going to be able to easily enter your ID albeit you recognize your password, because Google Authenticator has a code when logging in. That's why Google Authenticator may be a safe place to keep your own personal keys.
legendary
Activity: 2044
Merit: 1018
Not your keys, not your coins!
I don't think saving backup codes in notepad is a good idea lol
Notepad is a bad tool to store backup codes. As far as I know, Notepad does not provide encryption. Important backup codes should be stored on technical devices (but always offline) and simultaneously stored on physical materials, like paper or steel (a kind of metal), in a vault.
Don't store them in the cloud.
hero member
Activity: 2520
Merit: 952
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.

You mean searching for the website whose authentication code you would like to find? If so, they have that feature. Go to Settings > enable "Search in account names"; this will include the account name in the search results.
Google Authenticator is very risky if you don't save the backup keys. But I always save mine in a notepad file on my Desktop.

I don't think saving backup codes in notepad is a good idea lol
full member
Activity: 1176
Merit: 162
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.

You mean searching for the website whose authentication code you would like to find? If so, they have that feature. Go to Settings > enable "Search in account names"; this will include the account name in the search results.
Yes, that is what I am looking for, thanks for the reply. Looks like I will migrate now. Google Authenticator is very risky if you don't save the backup keys. But I always save mine in a notepad file on my Desktop, but I guess this Aegis Authenticator offers much better options for recovery.
asu
legendary
Activity: 1302
Merit: 1136
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.

You mean searching for the website whose authentication code you would like to find? If so, they have that feature. Go to Settings > enable "Search in account names"; this will include the account name in the search results.
full member
Activity: 1176
Merit: 162
Found this from a similar new thread but I decided to comment here instead. Does this authenticator have a search feature? I have been using Google Authenticator for a long time and I have so many websites with authentication, so it would be convenient if it had a search feature to find them directly and lessen the time spent scrolling. Anyways, I will install this later; thanks for sharing.
sr. member
Activity: 826
Merit: 281
Thank you for sharing about Aegis Authenticator; it really helped me move the codes from another handphone to my cellphone, because my cellphone sometimes got an error. Because I used Google Authenticator (not to demean or mock it), I also found it difficult to move it to another cellphone. Thanks again, friend.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Now it is not that easy to root a mobile phone.
3-6 years ago I rooted every phone I owned. Now, I do not even bother to do so. I guess I'm getting old, brothers!
Yeah, I remember. It was way simpler with my Samsung Galaxy S3 back in the day. Right now chances are you're going to trip the Knox thing and you wouldn't be able to use some features/apps like Samsung Pay and such. I'm sticking with unrooted for now. Probably for security's sake also.

By the way, I installed Authy and made a backup of the codes; the app seems nice and easy to use.
Glad it worked out well!
hero member
Activity: 756
Merit: 507

Yep! Hence the Google Auth app was widely recommended before, when there weren't that many good alternatives. As with a rooted phone + Titanium Backup, that's what I did in the past too. It's nice to have in-app password encryption though; just a small extra layer of security.

If you're going to switch over and you have a rooted phone, switching over is going to be A LOT easier. Aegis has an "import from app" feature if you have a rooted phone. It can grab the backup codes off Google auth. I suggest trying it out.

Now it is not that easy to root a mobile phone.
3-6 years ago I rooted every phone I owned. Now, I do not even bother to do so. I guess I'm getting old, brothers!

By the way, I installed Authy and made a backup of the codes; the app seems nice and easy to use.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
Wow that's even better. I guess I will do that today then.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.

Yep! Hence the Google Auth app was widely recommended before, when there weren't that many good alternatives. As with a rooted phone + Titanium Backup, that's what I did in the past too. It's nice to have in-app password encryption though; just a small extra layer of security.

If you're going to switch over and you have a rooted phone, switching over is going to be A LOT easier. Aegis has an "import from app" feature if you have a rooted phone. It can grab the backup codes off Google auth. I suggest trying it out.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Yes, you're right. I've just installed it on a new device with a new set of credentials, and the multi-device feature is on by default (which it shouldn't be).
It definitely shouldn't be on by default. It's just convenient to have that feature, but in exchange for security risks. Definitely not worth it in my opinion.

I hope the application features contained in this application are more complete than those of Google
It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.
sr. member
Activity: 2338
Merit: 365
snip~
I just found out there is an authenticator app besides Google's 2FA Authenticator
this application is a must-try. I hope the application features contained in this application are more complete than those of Google
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
<…> Yes, but the multi-device feature is turned on by default right? <…>
Yes, you're right. I've just installed it on a new device with a new set of credentials, and the multi-device feature is on by default (which it shouldn't be). On my regular devices, I've switched it off, since I wasn't aware of this feature's behaviour until today. Switching it off on one device syncs the setting with all the synchronized devices (i.e. switching multi-device off on one does it on the others).
legendary
Activity: 2268
Merit: 18748
Email should never factor into your 2FA setup, either as 2FA itself (click a link in the email we send you, for example), or as a backup to your 2FA app or codes.

The whole point of 2FA is to be two separate, independent factors. If you are using your email as a login, then chances are you can reset your password via email. If you can also access/transfer/reset your second factor via the same email, then you no longer have two factors, you have one. If someone who gains access to your email can break both your factors, then that's not 2FA.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
According to Authy, you need to disable the multi-device feature once you have installed Authy on your device(s), to prevent more devices from being added (i.e. a SIM-swapped device).
Yes, but the multi-device feature is turned on by default right? Chances are that the casual Authy user doesn't know the potential problems that could be had with that feature being turned on.

If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.
While that's great, I don't think it's enough to be honest. If an email gets compromised, it could also take a lot of effort to recover the email. Jeebus I remember the last time I tried to recover my old gmail account.
legendary
Activity: 1638
Merit: 1329
Stultorum infinitus est numerus
When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know (correct me if I'm wrong), if someone managed to do a SIM swap, hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

Authy has an extra protection feature when you swap devices or sim card, to prevent this exact issue.
legendary
Activity: 2338
Merit: 10802
There are lies, damned lies and statistics. MTwain
<...>
According to Authy, you need to disable the multi-device feature once you have installed Authy on your device(s), to prevent more devices from being added (i.e. a SIM-swapped device). If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.

see: https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know (correct me if I'm wrong), if someone managed to do a SIM swap, hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?
legendary
Activity: 1638
Merit: 1329
Stultorum infinitus est numerus
even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

It's too bad, but I could move it as soon as the backup process is done.
See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.

Authy, by default, does not actually enable the 2FA. When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.
legendary
Activity: 2268
Merit: 18748
Using bitcoin should be an easy way of sending funds, not a new problem to manage.
So we shouldn't be teaching newbies about best security practices because they are difficult? Just let them use insecure methods because they're easier? I don't think so.

Downloading and using a single authenticator app is hardly challenging. I stand by my original point: Of the commonly offered 2FA methods - SMS, email, app, hardware keys - SMS is by far the least secure. Just as we shouldn't be encouraging anyone to leave their coins on an exchange because it's "easier", we shouldn't be encouraging anyone to use SMS 2FA, and those who are should be encouraged to upgrade to an authenticator app.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat,
Oh it's definitely insecure and could be a massive threat. Though I'd say SMS auth is better than no auth at all, there's zero reason for a person to not use app 2fas.

beginners shouldn't need to understand and install dozens of apps to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.
Dozens of apps? You use one authenticator app for literally almost all important accounts you have all over the web, not only crypto-related apps. Also, you're most likely not going to need 2FA if you're using a non-custodial wallet to start with. Unless you're keeping funds on exchanges (which of course you shouldn't do unless you're a day trader).

Very good find!

I will try it asap.

I allowed myself to translate it into German. Hope that is ok. I obviously linked your thread as a source.
Sure! Hope it could help.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
Very good find!

I will try it asap.

I allowed myself to translate it into German. Hope that is ok. I obviously linked your thread as a source.

legendary
Activity: 2604
Merit: 2353
even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.
Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat, beginners shouldn't need to understand and install dozens of apps to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.
legendary
Activity: 2268
Merit: 18748
even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

It's too bad, but I could move it as soon as the backup process is done.
See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.
legendary
Activity: 1554
Merit: 1014

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

I just found out about this, that the company stores our 2FA backup, and after this I will definitely try Aegis Auth.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However, they had paid for insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

True. But there's a really, really huge difference between a lot of Binance accounts being hacked through user-targeted attacks like social engineering the users' accounts through phishing links and such, compared to Binance's cold storage actually being hacked. Now THAT'S a big difference. Pretty much like what happened to MtGox and Bitfinex in the past, but multiplied many times.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
True. Hence why I think if Binance ever gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so many funds on Binance that it's almost guaranteed (in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so many people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However, they had paid for insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase, which is why a good number of people still prefer leaving their coins and tokens on online wallets and on exchanges.

I think this is why the MtGox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safely.... Without worrying about keys, airgapped or whatever....

I think in a few years we will see banks offering that kind of services for BTC.
True. Hence why I think if Binance ever gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so many funds on Binance that it's almost guaranteed (in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so many people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.
legendary
Activity: 1638
Merit: 1329
Stultorum infinitus est numerus

The biggest problem with Google Authenticator is that you will need to manually back up every account on another device, or save the keys offline (manually as well).

If you do not save your 2FA on one device, then save it on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose access to your accounts (all of them).

This is not a problem, this is a mandatory action!
You should always have a backup, no matter what, for Google 2FA or for your bitcoin wallet. Trust me, I know! A backup can save your life. Do it regularly.
And I think this is the second best advice in the whole topic.

Just use Authy, it supports virtually everything. A very good interface for 2FA, extensions for PC, an app for PC, Android, iOS, even SMS 2FA if I am not mistaken (I receive SMS from them from time to time). Also, it backs itself up automatically after you set it up, so even if you lose your device, you can always recover it.
hero member
Activity: 756
Merit: 507

The biggest problem with Google Authenticator is that you will need to manually back up every account on another device, or save the keys offline (manually as well).

If you do not save your 2FA on one device, then save it on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose access to your accounts (all of them).

This is not a problem, this is a mandatory action!
You should always have a backup, no matter what, for Google 2FA or for your bitcoin wallet. Trust me, I know! A backup can save your life. Do it regularly.
And I think this is the second best advice in the whole topic.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I would like banks to offer 2FA for fiat for a start. As it stands I could (I don't, but I could) log in to my online banking using just a password of 7 letters and 1 number, and access my banking app on my phone with either finger print or facial recognition. I've set them both up to require both a much better password as well as a PIN to access, and disabled all biometrics, but it is worrying that they even offer this, since I bet the majority of the average population are more than happy to protect their life savings with facial recognition or something equally insecure. Proper 2FA to both access as well as make any transfers or withdrawals would be nice.

I do agree with you though, and I'm sure when bitcoin goes mainstream and we start seeing JPMorgan, HSBC, ICBC bitcoin accounts, the vast majority of people will be more than happy to ignore the entire point of bitcoin and let the banks hold their coins for them.

As banks are centralized, I think that they have more elegant ways to keep funds safe.
They can block suspicious transactions, they have insurance, they can revert transfers...

There are other solutions which I believe vary from country to country. Almost all my life savings are in a fiat exchange here in Brazil, which doesn't allow any transfer to another account which is not mine (checked by ID). This particular fiat exchange has 2FA (which I hate, but all users are obligated to use it), but there really isn't any need, since no one can steal from me there (as funds can't go to another ID).
legendary
Activity: 2268
Merit: 18748
I think in a few years we will see banks offering that kind of services for BTC.
I would like banks to offer 2FA for fiat for a start. As it stands I could (I don't, but I could) log in to my online banking using just a password of 7 letters and 1 number, and access my banking app on my phone with either finger print or facial recognition. I've set them both up to require both a much better password as well as a PIN to access, and disabled all biometrics, but it is worrying that they even offer this, since I bet the majority of the average population are more than happy to protect their life savings with facial recognition or something equally insecure. Proper 2FA to both access as well as make any transfers or withdrawals would be nice.

I do agree with you though, and I'm sure when bitcoin goes mainstream and we start seeing JPMorgan, HSBC, ICBC bitcoin accounts, the vast majority of people will be more than happy to ignore the entire point of bitcoin and let the banks hold their coins for them.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Do people not write down the codes? Every website you activate 2FA on should provide an alphanumeric code alongside the QR code which you can copy down. If they don't provide a code, good 2FA apps will turn the QR code in to an alphanumeric one after you scan it.

I have a strong dislike of backing anything up on cloud servers or non airgapped machines, even if encrypted. I have my 2FA database (encrypted) backed up on an airgapped device, but I also have all my codes written down on paper and stored much like my mnemonic phrases (albeit separately).

No doubt airgapped computer is the best option.

I do not have an airgapped machine (and I think very few people from developing countries do, as even old computers are expensive).
I think a good alternative is to print the QR codes, as mentioned here, or just put them or the keys in a flash drive.

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.

I think this is why the Mt. Gox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safely.... Without worrying about keys, airgapping or whatever....

I think in a few years we will see banking offering that kind of services for BTC.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Do people not write down the codes?

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.
legendary
Activity: 2268
Merit: 18748
Do people not write down the codes? Every website you activate 2FA on should provide an alphanumeric code alongside the QR code which you can copy down. If they don't provide a code, good 2FA apps will turn the QR code in to an alphanumeric one after you scan it.

I have a strong dislike of backing anything up on cloud servers or non airgapped machines, even if encrypted. I have my 2FA database (encrypted) backed up on an airgapped device, but I also have all my codes written down on paper and stored much like my mnemonic phrases (albeit separately).
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
The biggest problem with Google Authenticator is that you will need to manually back up every account on another device, or save the keys offline (manually as well).

If you do not save your 2FA from one device, then save it on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose access to your accounts (all of them).

This was actually my surprise with the Google 2FA back in the day. Knowing it was Google, I automatically expected that the backup codes were somewhat synced to my Google account; hence when I downloaded and installed Google 2FA on my freshly factory restored mobile phone (without making a backup of the keys), well, let's just say I didn't have a pleasant experience trying to contact all the service representatives from the 5+ accounts I had with 2FA activated..
legendary
Activity: 2352
Merit: 6089
bitcoindata.science

The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.


that is a heavy argument, I must admit. Well I see, that I learned something new today and I'll give it a try, thank you guys for this info
it is interesting to find something new and useful



The biggest problem with Google Authenticator is that you will need to manually back up every account on another device, or save the keys offline (manually as well).

If you do not save your 2FA from one device, then save it on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose access to your accounts (all of them).

I wrote about it here: why you shouldn't use GA, or should use it very carefully.
https://bitcointalksearch.org/topic/2fa-important-precautions-with-google-authenticator-3178131
hero member
Activity: 756
Merit: 507

The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.


That is a heavy argument, I must admit. Well, I see that I learned something new today and I'll give it a try. Thank you guys for this info.
It is interesting to find something new and useful.

mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
But it is possible to copy the code, modify it, then create a phishing site and distribute some bad app, right? It would be eliminated, yes, but some people can suffer.

You could also say the same with closed-source apps (the distribution of "bad" apps). In fact, unethical and immoral people do that all the time. They create scammy app versions of some famous websites that don't really have official apps, in the hope that victims think it's the official app. Like what o_e_l_e_o said, simply don't download from unofficial sources; and this applies to both open source and closed source software.
legendary
Activity: 2268
Merit: 18748
strange, but yobit, for example, is not working with any authenticator. but google
Have you tried using a different authenticator? Many websites, including some that I use with andOTP, say the user needs to use Google Authenticator, but work just fine with other authenticators.

i thought that every Authenticator should have own algo inside it
The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.

but it is possible to copy the code, modify it, then create a phishing site and distribute some bad app, right?
So don't download from unofficial sources. Problem solved.

I agree that we do not know what's inside google auth, but it is used very widely, so if there was a security breach I think it would be known already.
This is a flawed argument I'm afraid. Windows is far more widely used than Google Authenticator. So is iOS. So is Android. So is Chrome, and Firefox, and Edge, etc, etc. All of these have been subjected to very bad security breaches and exploits. Widely used does not automatically mean safe.
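The shared-secret plus current-time computation described in this post is RFC 6238 TOTP (built on RFC 4226 HOTP). The block below is an added example, not code from the post or from any of the apps named in this thread; it uses the RFC's published test key (a constructed value, not a real account secret) and function names of my own, and shows both what any authenticator app computes and what the website does to check the submitted code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890"
# encoded as base32, i.e. the kind of string a site shows beside its QR code.
# It is not a real account secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 text shown next to the QR code back into key bytes.
    Sites often omit padding and insert spaces, so normalise before decoding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since
    the Unix epoch. This is all an authenticator app does; the app's name never
    enters the arithmetic, which is why any compliant app works on any site."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the website does at login: recompute the code for the current step
    and for +/- `window` neighbouring steps (tolerating clock drift between the
    phone and the server), comparing in constant time."""
    key = decode_secret(secret_b32)
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET_B32, now)
    print("code for the current 30-second step:", code)
    print("server accepts it:", verify_totp(RFC_SECRET_B32, code, now))
```

Because the same secret yields the same code everywhere, a site that says "use Google Authenticator" cannot tell this script, Aegis or andOTP apart.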
hero member
Activity: 756
Merit: 507
Every 2FA works everywhere. The site has no idea if you are scanning the QR code with Google, Authy, andOTP, Aegis, or any other app. Hell, you could be writing down the shared secret and calculating your code by hand if there wasn't a time limit. The website doesn't know. All it cares about is the code you return.

Strange, but Yobit, for example, is not working with any authenticator but Google:

"Two-factor authorization (2fa) improves safety dramatically requesting not only login-password, but also special authorization code. Yobit.net uses 2fa of Google Authenticator utility. To use this possibility please download Google Authenticator on your mobile phone and scan QR-code."

I thought that every authenticator should have its own algo inside it, and on the exchange there is a server part of the app, while the customer has a client part.
So once a customer scans the code which the server gives him, they are synchronized with each other.


Open source doesn't mean anyone can edit it and push changes to the app stores. It means anyone can view the code and suggest changes. Changes still have to be agreed upon by the developers, and the community will see these changes before it goes live. Compare that with Google Authenticator which could have any code added to and everyone would be none the wiser. Just because it is released by Google doesn't automatically make it more trustworthy; in fact, I would trust it less. Google Authenticator also hasn't been updated in over 2 years. Not great.

But it is possible to copy the code, modify it, then create a phishing site and distribute some bad app, right? It would be eliminated, yes, but some people can suffer.
I agree that we do not know what's inside google auth, but it is used very widely, so if there was a security breach I think it would be known already. I do not trust Google either, but in the given case I consider it the lesser evil.


It works, sure, but it is the bare minimum. There is no way to export or back up your database. You can't encrypt or password protect access to it. Not to mention everything owned or developed by Google is spyware. It is a poor choice.

Yeap, you are right, that lack of features is a problem, but I'm ok with that. I can't be sure if google auth is spyware, because I do not have access to its code. It could be spyware with the same probability as it could be clean ))
It is not a poor choice, I'd say it's a careful choice, imo.
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
See my first paragraph in this post and my previous post. Every 2FA app will work on every site.

Hey thanks. This is groundbreaking for me. This will change the way I use internet now. I didn't notice your message before because there are just so many replies here. It all got a little mixed up. Thanks once again.
legendary
Activity: 2268
Merit: 18748
also it is important that google is working on every exchange
Every 2FA works everywhere. The site has no idea if you are scanning the QR code with Google, Authy, andOTP, Aegis, or any other app. Hell, you could be writing down the shared secret and calculating your code by hand if there wasn't a time limit. The website doesn't know. All it cares about is the code you return.

anyone who have good skill in programming may add some bad code to it, compile and you can download this bad app
Open source doesn't mean anyone can edit it and push changes to the app stores. It means anyone can view the code and suggest changes. Changes still have to be agreed upon by the developers, and the community will see these changes before it goes live. Compare that with Google Authenticator which could have any code added to and everyone would be none the wiser. Just because it is released by Google doesn't automatically make it more trustworthy; in fact, I would trust it less. Google Authenticator also hasn't been updated in over 2 years. Not great.

it is working, right? so let it be working further
It works, sure, but it is the bare minimum. There is no way to export or back up your database. You can't encrypt or password protect access to it. Not to mention everything owned or developed by Google is spyware. It is a poor choice.

I would like for someone to confirm or deny this please.
See my first paragraph in this post and my previous post. Every 2FA app will work on every site.
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?

As far as I know, the platform/service doesn't even know what 2 factor authenticator app you're using. So this shouldn't really be a problem to be honest. You could probably even use a 2FA app you develop yourself(if you know how to, of course).

(correct me If I'm wrong, though I'm very sure of this.)

No. Well as far as I know I mean.
I know some platforms want you to use Google Authenticator only. Or Authy only. Or whatever app it is that they are supporting. I would like for someone to confirm or deny this please.
Because otherwise this could change the way I use 2fa because obviously I have been doing it wrong.
hero member
Activity: 756
Merit: 507
I'm using Google Authenticator and have no plans to change it.
Why? I do not care about the design of the app; all I need is the raw functionality.
Also it is important that Google is working on every exchange,
and I have a little more trust in it. Then let's see this open source app - yes, it is open source, that is good for anyone who is ok with the code, but if you know nothing about programming, then for you it is of no use.
Anyone who has good skill in programming may add some bad code to it, compile it, and you can download this bad app.. Surely this bad code will be detected and wiped out, but it will take some time, while you will be at risk..
That is why I think for me there is no cause to change Google Authenticator for something else.
It is working, right? So let it be working further  Cool
legendary
Activity: 2268
Merit: 18748
All my authentications were lost and I had a lot of trouble.
Regardless of which 2FA app you are using, you should still be writing down the back up codes given by each site on to paper and storing them securely, much like a mnemonic phrase.

(correct me If I'm wrong, though I'm very sure of this.)
You are correct. Even sites which specify "Download the Google Authenticator app" (which unfortunately many sites do), will still work just fine with a different 2FA app.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?

As far as I know, the platform/service doesn't even know what 2 factor authenticator app you're using. So this shouldn't really be a problem to be honest. You could probably even use a 2FA app you develop yourself(if you know how to, of course).

(correct me If I'm wrong, though I'm very sure of this.)
hero member
Activity: 1638
Merit: 576
Leading Crypto Sports Betting & Casino Platform
Once I lost my phone and with it my Google Authenticator. All my authentications were lost and I had a lot of trouble. This seems like a great way to replace the need for Google Authenticator in my life, but the question remains: if other platforms and services do not use this and stick to Google Authenticator and Authy, what choice do we have as end users?
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
I downloaded the app on my old phone to have a play around with, and when I tried to export my database I was met with a pop-up containing a check box for "Keep the database encrypted". I assume you have to have first encrypted the database with a password before being offered this, so perhaps if you haven't added a password then your back ups will be in plain text.
Oh wow I don't know how I missed that. I probably tried to backup before I added the password.

I don't agree authy is like blockchain.com

*snip*
Though I'm with TryNinja in this case, your reasoning is definitely understandable. In the end it just completely depends on your risk appetite. The security of picking local backups compared to a company-server backup might be a bit overkill, but some of us are really just that paranoid. Tongue

A good thing I like is that Aegis also supports F-Droid and it is open source.
No need to have GooglePlay installed.
Some people are privacy fanatics Wink
I debated a bit if adding the F-Droid link was actually necessary or not. I knew there are going to be a few privacy-paranoid people here LOL. Cheers.
newbie
Activity: 45
Merit: 0
While I think that's a downside of it.
What is the downside? You have the option to export the database in an encrypted format or in plain text. Free choice is always better than a single choice for everyone, and the fact that they have support for encrypted backups is superb.
hero member
Activity: 2184
Merit: 891
Leading Crypto Sports Betting and Casino Platform
I have been using Authenci for a long time, since I entered this market! However, it has many inconveniences that make me uncomfortable. This article is really helpful to me. How can I transfer my data to this aegis platform?

Read this.
If you do a backup though, the exported .json file is not encrypted.
I downloaded the app on my old phone to have a play around with, and when I tried to export my database I was met with a pop-up containing a check box for "Keep the database encrypted". I assume you have to have first encrypted the database with a password before being offered this, so perhaps if you haven't added a password then your back ups will be in plain text.

While I think that's a downside of it.
full member
Activity: 317
Merit: 100
https://leasehold.io/
I have been using Authenci for a long time, since I entered this market! However, it has many inconveniences that make me uncomfortable. This article is really helpful to me. How can I transfer my data to this aegis platform?
sr. member
Activity: 1512
Merit: 292
www.cd3d.app
A very interesting alternative. It is a pity that there is no version for iOS.
I especially like the possibility of backup, because Google authenticator does not have such functionality, which is why everything has to be written down on paper and stored in the backyard buried in a small safe.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Thanks, but I prefer to use authy, which just let me install anywhere without any turn arounds.

We really need more competition in this 2FA software market
The same could be said about Bitcoin wallets. "I prefer Blockchain.com because I can access my funds anywhere without any turn around". Yes, it's convenient, but your data is stored in a third-party server somewhere. That's why apps with a backup option exist. You export all your 2FA accounts or maybe even just write down your 2FA codes and you are done. You only trust yourself, can't lose access to your accounts and your backup can be a few flash drives.

I don't agree authy is like blockchain.com

If a hacker gets access to my Authy account he can't log in to any account that I have.
He won't even know the logins (nor the passwords) to the websites on which the 2FA is enabled.

On the other hand, if a hacker gets access to a blockchain.com account, that's enough to get the funds.


In the case of Authy, the data stored on a third-party server is just useless, while the bitcoin on blockchain.com is not.

Maximum security is nice for things that need maximum security, such as money. But access to those accounts on exchanges, which shouldn't have any money in the first place, doesn't need maximum security. Actually, "oversecurity" is a problem imo.
legendary
Activity: 2758
Merit: 6830
Thanks, but I prefer to use authy, which just let me install anywhere without any turn arounds.

We really need more competition in this 2FA software market
The same could be said about Bitcoin wallets. "I prefer Blockchain.com because I can access my funds anywhere without any turn around". Yes, it's convenient, but your data is stored in a third-party server somewhere. That's why apps with a backup option exist. You export all your 2FA accounts or maybe even just write down your 2FA codes and you are done. You only trust yourself, can't lose access to your accounts and your backup can be a few flash drives.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
The problem is that it is Android only. If it were desktop/Android at least it would be nice (I like to have one device as backup)
You could always use an old phone stashed away somewhere, or even download an Android emulator on to your computer and install it on that.


Thanks, but I prefer to use authy, which just let me install anywhere without any turn arounds.

We really need more competition in this 2FA software market
legendary
Activity: 2268
Merit: 18748
If you do a backup though, the exported .json file is not encrypted.
I downloaded the app on my old phone to have a play around with, and when I tried to export my database I was met with a pop-up containing a check box for "Keep the database encrypted". I assume you have to have first encrypted the database with a password before being offered this, so perhaps if you haven't added a password then your back ups will be in plain text.

I have to say it is a really nice app. Next time I'm changing phones I might make the switch.

The problem is that it is Android only. If it were desktop/Android at least it would be nice (I like to have one device as backup)
You could always use an old phone stashed away somewhere, or even download an Android emulator on to your computer and install it on that.
legendary
Activity: 2212
Merit: 7064
A good thing I like is that Aegis also supports F-Droid and it is open source.
No need to have GooglePlay installed.
Some people are privacy fanatics Wink
legendary
Activity: 2758
Merit: 6830
Disadvantages:
  • Currently Android only. If you're on iOS, probably look up FreeOTP (also open source)
FreeOTP doesn't have a backup option, so I can't see any advantage of using it over Google Authenticator.

In that case, I would go with Authenticator.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science

Disadvantages:
  • Currently Android only. If you're on iOS, probably look up FreeOTP (also open source)

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, on an encrypted flash drive and such, then try out Aegis.

Interesting. Nice find really
The problem is that it is Android only. If it were desktop/Android at least it would be nice (I like to have one device as backup)
legendary
Activity: 1232
Merit: 1080
The finger print unlock is just an option that you can turn on via the settings. If you want to be more secure without minding the hassle, you can stick with the password unlock; which also can be much more secure than a pin lock(assuming you don't use a dictionary word as your password).
I would agree with that. I was just making the example of a PIN lock because that's viewed as insecure by a lot of people, and I wanted to compare one insecure option with another semi-insecure option. A password with a mixture of characters and special characters, while being 10+ characters long, would be the better option of the two.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Thanks for the heads up, I was actually looking for an alternative.

Just downloaded it and easily imported all my files. Btw, the fingerprint unlock feature is cool!
It might be a cool feature but it is not the most secure option; a long PIN is better than any fingerprint unlocking system. If you are looking for the most secure authentication app then you should be looking at your own habits and secure it via a secure PIN instead of using a fingerprint to access the codes.

The finger print unlock is just an option that you can turn on via the settings. If you want to be more secure without minding the hassle, you can stick with the password unlock; which also can be much more secure than a pin lock(assuming you don't use a dictionary word as your password).
legendary
Activity: 1232
Merit: 1080
Thanks for the heads up, I was actually looking for an alternative.

Just downloaded it and easily imported all my files. Btw, the fingerprint unlock feature is cool!
It might be a cool feature but it is not the most secure option; a long PIN is better than any fingerprint unlocking system. If you are looking for the most secure authentication app then you should be looking at your own habits and secure it via a secure PIN instead of using a fingerprint to access the codes.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
I just wonder if the local backup is also encrypted.

The app's local storage itself can be encrypted with a password via the settings. If you do a backup though, the exported .json file is not encrypted. In fact, you can open the backup file and you can view the 2FA keys there, hence it's not a great idea to leave the backup unencrypted on your phone/computer's storage. It'd definitely be a good idea to VeraCrypt-ify the backup.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖

Yeap! That works too. I personally just prefer Aegis over andOTP because I've done web design in the past hence I'm quite picky in terms of UI and UX design. Material design and such. It all boils down to personal preference though.

EDIT: Also by the way, if you have a rooted android phone, you can import your 2FA codes from Authy, FreeOTP, Google Authenticator, etc, to Aegis.



Screenshot from their PlayStore page
sr. member
Activity: 2254
Merit: 258
I might replace my old Google Authenticator with this one; it's open sourced and password protected, what more can you ask for? I am not comfortable using Google's version because of the lack of security and it not being open sourced. This is Google of course; they own it and they can have access to it, something that I'm afraid could happen in the future.
legendary
Activity: 2268
Merit: 18748
Nice find.

I've been using andOTP for as long as I can remember, and it does everything that Aegis seems to do. You can compare the "Features" list from their readme.md files and see they are very similar:

https://github.com/beemdevelopment/Aegis
https://github.com/andOTP/andOTP

Unfortunately andOTP has recently been removed from the Google Play Store for not using Google's in-app payment system (https://github.com/andOTP/andOTP/issues/396). You can still download the .apk from their github, but for users who don't want to do that, Aegis looks like a good alternative. I'm not sure it offers anything different enough for me to go through the hassle of making the switch, though.
hero member
Activity: 2184
Merit: 891
Leading Crypto Sports Betting and Casino Platform
Thanks for the heads up, I was actually looking for an alternative.

Just downloaded it and easily imported all my files. Btw, the fingerprint unlock feature is cool!
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖

Disclaimer: I am in no way affiliated with Aegis Authenticator, and I have no monetary incentive in sharing it. I just found this a week ago on Reddit and after using it for a week with no bad experience (so far), I just decided to share this here for the day traders who need to leave funds on exchanges on the daily.

Advantages over Google Auth:
  • Slick, modern UI
  • Open source
  • Local backup feature(.json file)
  • AES-256 Encryption, password lock

Disadvantages:
  • Currently Android only. If you're on iOS, probably look up FreeOTP (also open source)

Website: https://beem.dev/
GitHub repo: https://github.com/beemdevelopment/Aegis
Google PlayStore: http://play.google.com/store/apps/details?id=com.beemdevelopment.aegis
F-Droid: https://f-droid.org/en/packages/com.beemdevelopment.aegis

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, on an encrypted flash drive and such, then try out Aegis.