Follow

Given the news about Twitter eliminating SMS-based 2FA for free accounts, it's time to take a look at TOTP generator apps.

It is very surprising to me that so many infosec people are still recommending Google Authenticator and Authy. I would avoid both:

Google is not a company you should trust when it comes to user data privacy. Google Authenticator also does not have an easy way to do encrypted backups for 2FA secrets, unlike the options I will list later in the thread.

1/x

Authy used to be a good alternative TOTP app (I used it), but after this occurred, I immediately looked for another alternative:

techcrunch.com/2022/08/26/twil

So, what should you look for in a 2FA app? I would recommend something that is open-source, and has an encrypted backup / export system which is invaluable in the event you ever lose your device where the app is installed.

Scroll to the lower portion of this page to see apps that offer exactly those things:

privacytools.io/secure-passwor

2/x

I am currently using Aegis on Android, and I think it is far superior to Authy from a usability standpoint, in addition to it being open-source and having an easy to use backup system.

I have set up my iOS friends with Ravio OTP, and it has been working well for them. It auto-syncs to all of your iOS devices through iCloud, and you can even send codes directly from the app to a Mac desktop.

3/x

Physical MFA keys like Yubikey and OnlyKey are even more secure (because you're holding the thing and there's no way a code could be intercepted), at the cost of slightly less convenience than a smartphone app since you need to carry another thing with you. But this is a minor issue. If you do go this way, you really should get two keys so you always have a backup in case one gets lost.

4/x

And while we're talking, I hope everyone is using an audited and open-source password manager and generating unique, long, and random complex passwords for each of your accounts. Don't use a password vault but only exists in your web browser or operating system. Use one on the privacytools page linked above. I recommend Bitwarden, but that page has a couple good options for people who don't want an online vault for their passwords.

5/END

@voltronic

Thank you for always sharing such specifically helpful information, Voltronic.

You put a lot of time and care into explaining things for people and sharing knowledge it took a long while to curate.

You have always done this, and I am grateful.

🙏 💛

@voltronic wow didn't know that about Twitter I mean, what the actual hell

so many attacks are now open for business

gonna check out Aegis 👍 seen you mention it on a few posts

I stopped using Authy also when all my devices were stole and the customer service was diabolical

had to start from scratch and still can't access a lot of accounts cause of that

@voltronic for iOS and macOS, I’ll toss in OTP Auth as a great app. I’ve moved my LP TOTP codes completely to it now since it supports exporting and editing secrets, plus syncs over iCloud and encrypts backups. macOS also includes a Safari extension for those wanting it.

@port_rhombus @voltronic Just picked up a Yubikey and honestly I love it and am finding it more and more convenient as I get accustomed. I put it on my keychain so I’m rarely without it. Agree on the 2nd key though. That’s critical.

@fathermal @voltronic I’ve picked up a few Solo Keys (v1 and v2) to keep on hand and they’ve worked well. And you can usually get them in package deals.

@voltronic when my editor began untangling our lives from google, the company flooded our emails with highly nasty sex spam.
dont be evil is byebye

@voltronic Thanks Twitter. I didn’t think I’d totally quit you, but now you want everyone that doesn’t pay you to be hackable? Way to push us off the platform. It’s making no sense why they want to annihilate their investment. But, clearly a successful business was not the goal.

Sign in to participate in the conversation

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.