Suggestion for Two Factor Authentication App

My webhost (Pair.com) has an option to enable Two Factor Authentication.

Authentication codes are generated by a TOTP-compatible authentication app.

If I don’t want to use Google’s Authenticator, are there other apps that the TidBITS brain trust would recommend?

Authy is very good, particularly if you want to sync between devices.

I use OTP Auth, which can also sync using iCloud. I don’t sync myself - I just set up all of my devices separately.

One other option is 1Password if you have a 1P subscription.

1 Like

Authy. You can set up multiple devices. The scheme to add a new device is to temporarily allow this to happen, authorize the new device from an old device, and then deauthorize the function. This is an important ability to have when you replace or upgrade an old device.

See the Wirecutter review for pointers and links to the appropriate Authy documents.

Apparently, both 1Password and iCloud Passwords now have the ability to work with 2-factor authentication for a site. This may be convenient, but I haven’t had a chance to try it.

1 Like

The nice thing is that Google isn’t using a proprietary algorithm for Authenticator. They are implementing the IETF TOTP algorithm. See also RFC 6328.

Software developers can use the open source OATH Toolkit to implement their own TOTP authentication system (client or server), and it has no problem fully interoperating with Google Authenticator. I’ve actually used it as a part of an IoT project at work and personally confirmed that an OATH-based TOTP server is completely compatible.

So if you don’t want to use Google’s tool, there are plenty of other options to choose from. As far as I know, they all implement the same standard algorithm. Some that a web search reveals include:

2 Likes

I use Authy; it works across many & multiple platforms, so you can just use the nearest device to you when you need to do a 2FA.

Built by Twilio for their customer base but released for all, it uses the same open source algorithm as Google’s authenticator.

1 Like

My recommendations, in this order:

  • Raivo OTP
  • OTP Auth
  • Tofu Authenticator

… as I wrote a few months ago.

4 Likes

1Password works very well. Set up once - then works across all my 5 Apple devices.

YES! And I use four. I always print-to-PDF the QR code (or copy the corresponding text key). Then, I can use multiple TOTP programs, to wit: Authy,* LastPass Authenticator, Google Authenticator, and Bitwarden*† (haven’t needed to try the dozen or so others on the Mac App Store). That way, if any of them becomes unsupported in the future, or there’s a new and better TOTP program, I can use it with continuity. Hey, I’m a belt-and-suspenders kind of guy! :grin:

If you want to do this after the fact, most sites will allow you to turn off TOTP, and then when you immediately turn it on again, you’ll go through the QR code set-up again.

Remember, though, storing the codes on your computer is a security risk; they’re the keys to your kingdom, and you may want to print the QR codes to paper, file it safely, then destroy the digital copies.
—————
* desktop version also available
† also a password manager

1 Like

FYI, Google Authenticator (don’t know about the others) has a feature where it can export its codes to other apps. It will generate a QR code for all the keys you wish to export. You can scan this with another app to import them.

I use it to sync instances of Authenticator on multiple devices. You should be able to use this to import them into other apps as well (of course, it has to be on another device if you want to aim its camera at the code).

See also: Get verification codes with Google Authenticator - Android - Google Account Help

2 Likes

I use OTP Auth. You can back up the file, password (and FaceID/TouchID) protect OTP Auth, sync on multiple Apple platforms via iCloud, and organize your 2FAs into folders. However, on a forum someone said that OTP Auth is vulnerable to man-in-the-middle attacks, but I haven’t had time to investigate and am not sure how that would work.

I use 1Password for my daily OTP. This thread made me realize I should have a backup. I now have Raivo as a secondary OTP storage. In the future, I will configure new sites with Raivo first since it is easy to export from it. That was not the case with 1Password. You have to know a bit about Perl to accomplish that. Thanks for your tip.

1 Like

In addition: if you use 2FA with your 1Password account, the separate OTP app is a good place to keep its TOTP. Obviously, you don’t want to keep it in 1Password. :grinning:

2 Likes

I have been thinking about enabling 2FA in 1Password, but am reluctant to take that step. I certainly think I should do it. Any thought about where to have a second store of that? I know some people advocate paper, but I have no safe place to store paper. I do not need it for any other things.

Definitely urge 2FA, given the importance of your password manager as the “keys to your kingdom.” As I said before, I’d use Raivo or a similarly good TOTP app for it; but, for physical storage (presumably of your TOTP “secret,” since the TOTP itself doesn’t stay the same, of course), if you don’t have a safe place to store paper, that obviously would be problematic. Same would be true for any printout of the “Emergency Kit” PDF that you get from 1Password in the onboarding.

1 Like

What are your thoughts on using Apple keychain as the secondary store for the “TOTP secret”?

I’m no security expert, but I’ve yet to hear anything bad about Apple Keychain other than the obvious vendor/platform lock-in — which, if you’re all-in on Apple devices anyway, shouldn’t be a problem.

1 Like