Also I am trying to reduce the number of sites that I use Google Authenticator app with. If you ever swap phones it’s a hassle to access your account again.


@darnell Yes, Google Authenticator sucks, but 2FA is a standard so you don't have to use it even for a Google account.

I've been using andOTP for several years and I'm very happy both with the UI and the secure backup/restore features:
github.com/andOTP/andOTP#andot


@codewiz Thanks! If I ever buy an Android phone that will be a blessing. Many sites now present me with the option of sending an SMS, using email or (the smart ones) realize I am using multiple mobile devices & will have me confirm via push notification on one of those (iPhone, iPad or Apple Watch).

However, there are a few that were a nightmare to navigate around, & I had to have tech support disable the Authenticator login after I swapped phones.

@darnell @codewiz

Another option is to switch to a hardware 2FA device, that you can put on your keychain.
I find it both the easiest and most convenient to use and it is by far the most secure 2FA method.
(I use a YubiKey yubico.com)

@JonathanTreffler @darnell I use Yubikeys too, but not all websites support FIDO2.

And even those who do, often don't let you enroll multiple dongles (I have 3).

@codewiz

Yes, I think many more websites should have FIDO2 support.

But YubiKeys actually also have OTP support. You still need to open an app and copy them, so it works similarly to normal OTP apps, but the secrets are stored on the YubiKey, which could resolve the multiple device problem @darnell is facing.

@JonathanTreffler @codewiz Arrrggghhhh! Apparently they do not support iPad Pro as they lack NFC as well as a Lightning port (I loathe Lightning ports!). support.yubico.com/hc/en-us/ar

I am searching for a workaround.

@JonathanTreffler @codewiz I remember Google trying to sell these to me but at the time the places I needed them were beyond my control (other services that I use). My job also uses them but they only hand them to certain individuals.

@darnell @JonathanTreffler Yubikeys are quite expensive... I don't understand why nobody undercuts them by selling an equivalent product for $5.

@codewiz @JonathanTreffler Yes, they are expensive! But it might be worth the cost.

Right now I am relying on a mixture of 2FA over SMS/Push Notifications & Face ID for security.

I still think it’s crazy & hilarious that I can use Yubikeys for my iPhone 📱 & (theoretically) Apple Watch ⌚️ but not for my iPad Pro.

@codewiz
I hear andOTP was recently discontinued?
I switched to Aegis a few years back. Can bring a backup/export from andOTP.
Aegis is great, built by someone who clearly knows their stuff.

Here's an assessment from someone who's into cryptography and does some security bug hunting:
github.com/lynn-stephenson/ana @darnell
