Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to the Power Users community on Codidact!

Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.

Comments on Synchronize OTP across multiple devices

Parent

Synchronize OTP across multiple devices

+4
−0

A lot of sites these days use OTP. I'm not very familiar with this, but you normally install an app like Google Authenticator on your phone. The app serves an OTP code on demand which you enter along with your user/pass into the website's login form.

For something like this, I really dislike using software from proprietary vendors. Ideally it should be something as open as possible.

Also, with many of these apps, it seems like your phone is the single point of failure. Maybe some people consider their phone very precious, but for me this is a concern - I might lose my phone, I might reinstall the OS, I don't really want to create a situation where losing access to my phone means also means losing access to my bank account.

Is there an OTP solution I can use, where my "account" can be synchronized across devices (Android, Linux PC) so that for example when a website asks me for the OTP code, I have the option of generating that from my phone as well as my computer?

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

Post
+4
−0

You at least have a couple options for open-source alternatives, though cross-platform, open-source, and dedicated authenticators is a very, very small pool of options. This list is therefore mixed with some other alternatives:

  1. Aegis; android-only, and doesn't quite support sync. However, it does let you export significantly more easily for backup and multi-device use, so you can store it in whatever other places you feel comfortable with.

    This only addresses backups and not losing access to your accounts, however. You can also in theory export it to a dedicated desktop authenticator, though as per option 2 and 3, you may have other alternatives that don't require 2+ different authenticators and manual synchronisation.

  2. Bitwarden; cross-platform and cross-browser, but there are some caveats.

    First, you either need premium (10 dollars per year; quite affordable really), or you need to self-host it. You can either self-host the official version, or this unofficial version designed to be easier and lighter to self-host.

    Second, this is more of a controversial option. Not because of Bitwarden itself, but because it's also a password manager. If you use it as both an authenticator and a password manager, the argument goes that keeping passwords and 2FA together weakens the security benefit of 2FA; if someone breaches the password manager with your authenticator, the attacker gets your passwords and your 2FA codes in one go.

    Arguments in favour include that you may already have 2FA and passwords together on your phone, so if someone steals your phone, they get both, and that the benefit of having a secure syncing backup outweighs the risks. The arguments boil down to the reality of the real-world vs. the theoretical steps for max security, and what level of risk you're willing to accept. As that post outlines, there's also a trick you can take if you plan to store passwords alongside 2FA secrets. If you're willing to accept this tradeoff (which I personally am, FWIW), Bitwarden is an option, and it does sync your 2FA tokens. It also lets you export your entire vault if you want an extra backup.

    This post from the Bitwarden forums is also a good read on the topic.

  3. Ente Auth; cross-platform and dedicated authenticator. The only thing I'm not clear on here is precisely how the sync works, i.e. whether or not the 2FA secrets are also stored in the cloud for backup, or if you need at least one device to operate. The E2EE branding makes it hard to tell if it's P2P mediated by a central server, or if a copy is stored in an encrypted form on a server that only the end-devices can decrypt. I've only heard this one mentioned in passing, so I haven't tried it myself.

    Not sure if it makes a practical difference, but something to keep in mind if you plan to look into it.

It's also worth noting that Aegis is capable of importing from google authenticator. Ente Auth is supposed to be able to as well, but if anything is flaky, Aegis is pretty reliable with specifically the import. If you're considering Bitwarden, you will need to use Aegis or some other way to extract secret keys from the Google Auth-specific QR codes. Aegis also lets you export the secrets directly, so you can copy them out manually into whatever else you end up using.

When I migrated away from Google Authenticator, it was incredibly tedious to export stuff out of it. IIRC, the export format differs from the TOTP standard, so you need special support to import it.

Regardless of what you end up using, Aegis can at least be one step in letting you properly move away from Google Authenticator without having to manually set up every single 2FA thing from scratch if the thing you switch to doesn't let you import directly.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

TOTP in password managers (7 comments)
TOTP in password managers
matthewsnyder‭ wrote 3 months ago

In my case, there is actually very little benefit from TOTP. I mostly use it because the service providers force me to, so I want to make the security-convenience trade off all the way to the convenience side. In that case, it's actually good if the password manager can be the OTP provider. Except that I'd rather not use Bitwarden.

It seems like most other managers accept TOTP - all they need to know is the secret key and algorithm parameters (which has, time step, code length). If the manager requires manual entry instead of a QR code, it turns out it is quite easy to pull those parameters from the QR code manually, as described in Michael's answer.

Michael‭ wrote 3 months ago

Several programs using KeePass's database format support TOTP. I'm not sure if TOTP is formally a part of the spec, but there are multiple programs across several platforms who can all use the underlying KDBX file.

I don't have first-hand knowledge of other open-source password managers besides that and BitWarden (e.g. pass, etc.). I've also used non-free ones that also support TOTP, but it did not surprise me that Zoe knew of other options.

Zoe‭ wrote 3 months ago · edited 3 months ago

There's also KeePassXC (the difference between it and KeePass is complicated - I completely forgot about both), and the new-ish Proton Pass. I did take a quick look at Proton Pass, but I'm not entirely clear on whether it's fully open-source or not. The clients appear to be, but I can't tell if the server bits are or not, so it did not make the list.

I've primarily used Bitwarden myself, because syncing was a bit annoying with KeePass when I looked into it. This was before I discovered Syncthing though, and before I had any meaningful self-hosting capacity. Probably easier with a bit more technical investment

Zoe‭ wrote 3 months ago

Actually, because KeePass supports file-based sync, KeePass + Syncthing might be a better option if Bitwarden is off the table. It might even have a dedicated plugin for Syncthing, but I have not checked

Michael‭ wrote 3 months ago

At the risk of derailing the thread: Zoe are you suggesting that you have now used SyncThing successfully for something (password or otherwise)? I started to set it up at one point and abandoned it, though I can't remember why.

More on topic: I've used KeePass, KeePassX, and KeeWeb (briefly); MacPass (much longer); and KeePassXC (still on it). I have some accounts' TOTP in a separate KDBX, and separately in a dedicated TOTP phone app.

Zoe‭ wrote 3 months ago · edited 3 months ago

are you suggesting that you have now used SyncThing successfully for something (password or otherwise)?

I have, yes. I use it for syncing my Obsidian vault, because I want to be able to access it on all my devices, and be able to access it offline, which I wouldn't be able to if I just connected to my NAS. I also used it to sync my orgmode files, but I recently switched fully to CalDAV, so that's no longer necessary.

I don't use it for a whole lot though, because most of my needs are either covered by various cloud services, or far more commonly by leaving the files on my NAS when I don't need continuous access, or of course by self-hosted services. Syncthing basically fits the gap for needing continuous and potentially offline access to the files, and needing an easy way to sync with my other devices that also need continuous access.

matthewsnyder‭ wrote 3 months ago

Well, there are lots of file synchronization programs. Syncthing is only one of them. It seems straightforward that any of those can sync passwords if the database is a file.