Authy used to be a good alternative TOTP app (I used it), but after this occurred, I immediately looked for another alternative:
https://techcrunch.com/2022/08/26/twilio-breach-authy/
So, what should you look for in a 2FA app? I would recommend something that is open-source, and has an encrypted backup / export system which is invaluable in the event you ever lose your device where the app is installed.
Scroll to the lower portion of this page to see apps that offer exactly those things:
https://www.privacytools.io/secure-password-manager
2/x
Physical MFA keys like Yubikey and OnlyKey are even more secure (because you're holding the thing and there's no way a code could be intercepted), at the cost of slightly less convenience than a smartphone app since you need to carry another thing with you. But this is a minor issue. If you do go this way, you really should get two keys so you always have a backup in case one gets lost.
4/x
And while we're talking, I hope everyone is using an audited and open-source password manager and generating unique, long, and random complex passwords for each of your accounts. Don't use a password vault that only exists in your web browser or operating system. Use one on the privacytools page linked above. I recommend Bitwarden, but that page has a couple good options for people who don't want an online vault for their passwords.
5/END
Thank you for always sharing such specifically helpful information, Voltronic.
You put a lot of time and care into explaining things for people and sharing knowledge it took a long while to curate.
You have always done this, and I am grateful.
🙏 💛
@voltronic wow didn't know that about Twitter I mean, what the actual hell
so many attacks are now open for business
gonna check out Aegis 👍 seen you mention it on a few posts
I stopped using Authy also when all my devices were stolen and the customer service was diabolical
had to start from scratch and still can't access a lot of accounts cause of that
@voltronic for iOS and macOS, I’ll toss in OTP Auth as a great app. I’ve moved my LP TOTP codes completely to it now since it supports exporting and editing secrets, plus syncs over iCloud and encrypts backups. macOS also includes a Safari extension for those wanting it.
@port_rhombus @voltronic Just picked up a Yubikey and honestly I love it and am finding it more and more convenient as I get accustomed. I put it on my keychain so I’m rarely without it. Agree on the 2nd key though. That’s critical.
@fathermal @voltronic I’ve picked up a few Solo Keys (v1 and v2) to keep on hand and they’ve worked well. And you can usually get them in package deals.
I am currently using Aegis on Android, and I think it is far superior to Authy from a usability standpoint, in addition to it being open-source and having an easy to use backup system.
I have set up my iOS friends with Raivo OTP, and it has been working well for them. It auto-syncs to all of your iOS devices through iCloud, and you can even send codes directly from the app to a Mac desktop.
3/x