OT: I really want to use BitWarden since it’s open source but the UI is so janky compared to 1password. Is anyone else having the same experience? For example the Firefox extension popup is often sized wrong, the UI doesn’t appear immediately. Overall the experience feels a lot less polished.
I haven’t had these problems on macOS with latest FF. the Desktop and CLI is fine as well.
I mostly switched away from Authy manually like that too, but the open source TOTP app Aegis can import from the Android version of Authy, so I did that too as a backup for the rare accounts I didn’t bother rekeying manually.
(also some time ago there was some script for extracting keys from Authy’s Chrome App..)
I’m 2nd Aegis here. Great app for Android.
Nice tip about Aegis. I didn’t know that it can import from Authy.
And yep, I mentioned that script in my post. The method still works!
For anyone considering migrating to Bitwarden but wary of cloud-based solutions, you can selfhost with this brilliant project https://github.com/dani-garcia/bitwarden_rs All official tools work, since you can specify the Vault URL in the settings for both the desktop and mobile apps and browser addons. I’ve been using it (and migrated all my 2FA to it) for about 6 months now and it’s brilliant.
I love Authy for its syncing feature but it’s kind of slow and having sync issue. Where I deleted on mobile but still showing up on desktop.
So I have been develop my own desktop app for this. It used a local SQLite db, encrypt with aes gcm using your own pass pharase. Then you can sync this SQLite db on dropbox, google drive, ir icloud drive and immediately have it available on other desktop.
For mobile, you can enable desktop app to sync to my server, it sync encrypted data and I cannot access your code. When on mobile, it syncing data back from server, then you enter the same pass pharease to decrypt it client side.
In other words, your token is encrypted at rest and also encrypted in transit.
I don’t want to hijack this thread with my own project so don’t post a link here but if anyone want a fast, native, desktop app to manage your own 2FA code, ping me.
This makes me think again about whether I should explore some other options for my TOTP keys. I’m still using Google Authenticator on my primary mobile device. It’s starting to get a bit awkward at 17 keys now. I kind of like the simplicity - no backup or secret sharing means it’s really tough to get hacked. But it also means that if this device ever gets suddenly lost or broken, I’m going to have a lot of fun redoing auth on all of those sites. It’ll be enough of an adventure if I get a new device just registering new TOTP keys for all of them.
I’m starting to lean against registering keys for sites that aren’t really that important just because of this. Do I really need top-tier security for my accounts on Twitter, Reddit, Lobsters?
On the other hand, what’s the point of it all if it’s stored in yet another service that’s vulnerable to the usual types of hacking, phishing, etc.
This inspired me to try out Bitwarden!
I also still use GA. With WebAuthn becoming more widespread, TOTP is no longer needed and is actually less secure than it.
With WebAuthn, you have a dedicated key device which holds the secrets and does identify verification. The standard procedure is to buy two - one for every day use, one for backup.
This is why I bought Somus, but unfortunately, the Somus are not well supported by their creators.
I think it’s an exaggeration to say that TOTP is no longer needed. WebAuthn support is not widespread in my experience. I have TOTP enabled everywhere I can, and that amounts to 49 accounts right now. I also have my YubiKeys enabled everywhere I can, and that only amounts to 14 accounts (3 of which are Google). Twitter and AWS also only allow you to register a single U2F device.
I do hope that more services add support.
I still use Google Authenticator, although I did have the same exact thoughts.
Here are my takeaways: planning for an unavoidable loss of my phone is not logical. Even if it happens it might be a handful of times (if very unlucky) over decades, not a good reason to sweat over that.
I want to be in control of how I back up my secrets (most commonly QR codes and/or backup codes), using the common backup techniques is enough.
So for me the authenticator is still good for me.
Well it’s a point. I may be more thoughtful about sudden unavoidable phone loss because my old Nexus 5X abruptly decided to perma-brick itself one day out of nowhere. It was a bit of a struggle to reset some of the accounts it had TOTP keys for. Fortunately, I learned the freezer trick a day or so later - if you deep freeze the phone, it’ll boot and run for a minute or so. Long enough to get into a few TOTP-protected accounts and back up a few things before tossing the phone.
Most phones aren’t vulnerable to that. But it does make you think about how there’s a hundred ways for a phone to be lost or destroyed in a snap. I try to make it a practice to have backups for everything I routinely carry around. Not needed 99.9% of the time, sure. But in that other 0.1% of the time, you’re already having a pretty bad day. A few hours of preparation way ahead of time can sure make those days suck a lot less.