One more step to unhitching from Google…

Right now the only option I see in F-Droid is Aegis.

I’m not sure what to actually look for aside from checking for unexpected permissions and reasonably frequent updates.

Hopefully something I can sync with a GNOME app…

  • Curious Canid@lemmy.ca
    28 days ago

    I’ve been using Aegis for several years now without any problems. It replaced the Google Authenticator seamlessly.

  • zingo@sh.itjust.works
    28 days ago

    Aegis.

    I like the auto backup feature (encrypted). Then the backup is synced to a computer via Syncthing.

    Set and forget setup.

      • Lucy :3@feddit.org
        29 days ago

        Tbh, if you’re using the same DB for PWs, you’ve successfully downgraded to 1FA now. Except maybe if you use a separate KeyStick/Yubikey as secret bearer or smth

        • hikaru755@lemmy.world
          29 days ago

          More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn’t compromise full access to your password database, which is still a lot better than using just passwords without a second factor.

          • example@reddthat.com
            28 days ago

            that’s like calling strong randomly generated passwords 1.5FA.

            with proper MFA, even if you steal my password (database), you won’t be able to steal my account, as you’re missing the second factor. with classic otp this is just a single use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.

            password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they’re not extracted live. password managers with auto fill and phishing resistant MFA can prevent phishing, although the password manager variant is still easily bypassed when the user isn’t paying enough attention, as it’s not even that uncommon for login domains to change. obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.
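
The seed-versus-code distinction in the comment above, as an added example that is not part of the thread: a minimal RFC 6238 TOTP implementation showing that a code is a pure function of the stored key and the clock, which is why the key's storage location decides whether it still counts as a separate factor. The helper names and the sample key (built from the published RFC 6238 test seed) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct


def decode_key(key: str) -> bytes:
    """Decode the base32 'authenticator key' a site shows at TOTP enrolment."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # sites usually omit base32 padding
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def codes_from_copy(key: str, start: int, count: int, step: int = 30) -> list:
    """Codes that ANY copy of the key yields for `count` consecutive steps.

    Nothing device-specific goes in: a key exported to a backup or stored in
    the password database is exactly as capable as the one on the phone.
    """
    seed = decode_key(key)
    return [totp(seed, start + i * step, step) for i in range(count)]


# Constructed sample input: the published RFC 6238 test seed, formatted the way
# enrolment pages usually display a key (lower case, groups of four).
RFC_SEED = b"12345678901234567890"
_raw = base64.b32encode(RFC_SEED).decode().lower()
SAMPLE_KEY = " ".join(_raw[i:i + 4] for i in range(0, len(_raw), 4))

if __name__ == "__main__":
    # T=59 is the first RFC 6238 test vector (94287082 at 8 digits).
    print("code at T=59:", totp(RFC_SEED, 59))
    print("next three steps from a key copy:", codes_from_copy(SAMPLE_KEY, 59, 3))
```

An intercepted code is only good for its time step, while a copied key keeps producing valid codes until the account is re-enrolled with a new key.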

    • ikidd@lemmy.world
      28 days ago

      Yah, I can’t see a point to have another app/extension when Bitwarden has it built in, and it’s a great password manager.

        • ikidd@lemmy.world
          28 days ago

          Right under Password in the edit screen of an item: Authenticator Key. You put in the auth key the target site provides you when you enable TOTP and it will start generating timed tokens. Usually you’ll also get a one-time pad of backup keys; I usually toss those in the Notes of the edit screen there as well in case something goes wrong.