Bitcoin Forum

I just wonder if the local backup is also encrypted.

Thanks for the heads up, I was actually looking for alternative.

Just downloaded it and easily imported all my files. Btw, the fingerprint unlock feature is cool!

It might be a cool feature but is not the most secure option a long pin is better than any fingerprint unlocking system. If you are looking for the most secure authentication app then you should be looking at your own habits and secure it via a secure pin instead of using a finger print to access the codes.

The finger print unlock is just an option that you can turn on via the settings. If you want to be more secure without minding the hassle, you can stick with the password unlock; which also can be much more secure than a pin lock(assuming you don't use a dictionary word as your password).

Disadvantages:

• Currently Android only. If you're on iOS, probably lookup FreeOTP(also open source)

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

Disadvantages:

• Currently Android only. If you're on iOS, probably lookup FreeOTP(also open source)

If you do a backup though, the exported .json file is not encrypted.

The problem is that it is Android only. If it were desktop/Android at least it would be be nice (I like to have one device as backup)

You could always use an old phone stashed away somewhere, or even download an Android emulator on to your computer and install it on that.

Thanks, but I prefer to use authy, which just let me install anywhere without any turn arounds.

We really need more competition in this 2ffa software market

The same could be said about Bitcoin wallets. "I prefer Blockchain.com because I can access my funds anywhere without any turn around". Yes, it's convenient, but your data is stored in a third-party server somewhere. That's why apps with a backup option exist. You export all your 2FA accounts or maybe even just write down your 2FA codes and you are done. You only trust yourself, can't lose access to your accounts and your backup can be a few flash drives.

I have been using Authenci for a long time, since I entered this market! However, it has many inconveniences that make me uncomfortable. This article is really helpful to me. How can I transfer my data to this aegis platform?

I downloaded the app on my old phone to have a play around with, and when I tried to export my database I was met with a pop-up containing a check box for "Keep the database encrypted". I assume you have to have first encrypted the database with a password before being offered this, so perhaps if you haven't added a password then your back ups will be in plain text.

While I think that's a downside of it.

I downloaded the app on my old phone to have a play around with, and when I tried to export my database I was met with a pop-up containing a check box for "Keep the database encrypted". I assume you have to have first encrypted the database with a password before being offered this, so perhaps if you haven't added a password then your back ups will be in plain text.

I don't agree authy is like blockchain.com

*snip*

Good thing I like is that Aegis also supports F-Droid and it is OpenSoruce.
No need to have GooglePlay installed.
Some people are privacy fanatics ;)

the question remains if other platforms and services do not use this and stick to google authenticator and authy, what choice do we have as end users?

All my authentications were lost and I had a lot of trouble.

(correct me If I'm wrong, though I'm very sure of this.)

As far as I know, the platform/service doesn't even know what 2 factor authenticator app you're using. So this shouldn't really be a problem to be honest. You could probably even use a 2FA app you develop yourself(if you know how to, of course).

(correct me If I'm wrong, though I'm very sure of this.)

also it is important that google is working on every exchange

anyone who have good skill in programming may add some bad code to it, compile and you can download this bad app

it is working, right? so let it be working further

I would like for someone to confirm or deny this please.

See my first paragraph in this post and my previous post. Every 2FA app will work on every site.

Every 2FA works everywhere. The site has no idea if you are scanning the QR code with Google, Authy, andOTP, Aegis, or any other app. Hell, you could be writing down the shared secret and calculating your code by hand if there wasn't a time limit. The website doesn't know. All it cares about is the code you return.

Open source doesn't mean anyone can edit it and push changes to the app stores. It means anyone can view the code and suggest changes. Changes still have to be agreed upon by the developers, and the community will see these changes before it goes live. Compare that with Google Authenticator which could have any code added to and everyone would be none the wiser. Just because it is released by Google doesn't automatically make it more trustworthy; in fact, I would trust it less. Google Authenticator also hasn't been updated in over 2 years. Not great.

It works, sure, but it is the bare minimum. There is no way to export or back up your database. You can't encrypt or password protect access to it. Not to mention everything owned or developed by Google is spyware. It is a poor choice.

strange, but yobit, for example, is not working with any authenticator. but google

i thought that every Authenticator should have own algo inside it

but it is possible to copy the code, modify it, then create fishing site and distribute some bad app, right?

I agree that we do not know what's inside google auth, but it is used very wide,so if there was a security breach I think it would be known already.

but it is possible to copy the code, modify it, then create fishing site and distribute some bad app, right? it would be eliminated, yes, but some people can suffer.

The algorithm is the same. The website provides a shared secret key, which you scan in the form of a QR code when you set it up for the first time. The authenticator uses that key, along with the current time, to generate a code. The website does the same thing to see if the code matches.

that is a heavy argument, I must admit. Well I see, that I learned something new today and I'll give it a try, thank you guys for this info
it is interesting to find something new and useful

The biggest problem with Google Authenticathor is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, than save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).

Do people not write down the codes?

Do people not write down the codes? Every website you activate 2FA on should provide an alphanumeric code alongside the QR code which you can copy down. If they don't provide a code, good 2FA apps will turn the QR code in to an alphanumeric one after you scan it.

I have a strong dislike of backing anything up on cloud servers or non airgapped machines, even if encrypted. I have my 2FA database (encrypted) backed up on an airgapped device, but I also have all my codes written down on paper and stored much like my mnemonic phrases (albeit separately).

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.

I think in a few years we will see banking offering that kind of services for BTC.

I would like banks to offer 2FA for fiat for a start. As it stands I could (I don't, but I could) log in to my online banking using just a password of 7 letters and 1 number, and access my banking app on my phone with either finger print or facial recognition. I've set them both up to require both a much better password as well as a PIN to access, and disabled all biometrics, but it is worrying that they even offer this, since I bet the majority of the average population are more than happy to protect their life savings with facial recognition or something equally insecure. Proper 2FA to both access as well as make any transfers or withdrawals would be nice.

I do agree with you though, and I'm sure when bitcoin goes mainstream and we start seeing JPMorgan, HSBC, ICBC bitcoin accounts, the vast majority of people will be more than happy to ignore the entire point of bitcoin and let the banks hold their coins for them.

The biggest problem with Google Authenticathor is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, than save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).

this is not a problem, this is a mandatory action!
you should always have an backup, no matter what, for google 2fa or for your bitcoin wallet, trust me, i know! backup can save your life. do it regular.
and I think this is second best advise in the whole topic  8)

I think this is why my gox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safety.... Without worrying about keys airgapped or whatever....

I think in a few years we will see banking offering that kind of services for BTC.

True. Hence why I see if ever Binance gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so much funds on Binance that it's almost guaranteed(in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so much people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However they paid for an insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)

It's too bad, but i could move it as soon as backup process is done.

SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attack to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat,

beginners shouldn't need to understand and install dozens of app to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.

Very good find!

I will try it asap.

I allowed myself to translate it into german. Hope that is ok. I obviously linked your thread as a source :)

Using bitcoin should be an easy way of sending funds, not a new problem to manage.

SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attack to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

See my reply here (https://bitcointalk.org/index.php?topic=5192978.msg52769499#msg52769499). As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.

When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

<...>

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know(correct me if I'm wrong), if someone managed to do a sim swap hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

According to Authy, you need to disable the multi-device feature one you have installed authy in your device/s, to prevent more devices from being added (i.e. a swim-swapped device).

If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.

<…> Yes, but the multi-device feature is turned on by default right? <…>

snip~

Yes, your right. I’ve just installed it on a new device with a new set of credentials, and the multi device feature is on by default (which it shouldn’t).

I hope the application features contained in this application are more complete than those of Google

It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.

Yep! Hence The Google auth app was widely recommended before when there's not that much good alternatives. As with a rooted phone + Titanium backup, that's what I did in the past too. It's nice to have in-app password encryption though; just a small extra layer of security.

If you're going to switch over and you have a rooted phone, switching over is going to be A LOT easier. Aegis has an "import from app" feature if you have a rooted phone. It can grab the backup codes off Google auth. I suggest trying it out.

now it is not that easy to root mobile phone.
3- 6 years ago I rooted every phone I own. now, I do not even bother to do so. I guess I'm getting old, brothers!  ;D

by the way, installed Authy and made backup of codes, the app seems nice and easy to use.

Found this from a similar new thread but I decided to comment here instead, Is this authenticator has a search feature? I have been using google authenticator for a long time I got so many websites with authentication so It will be convenient if it has a search feature to find it directly and lessen time to scroll. Anyways I will install this later thanks for sharing.

You meant to say searching the websites you would like to find the authentication code? If that so, they have that feature. Go to Settings > Enable "Search in account names" this will include the account name in the search results you are looking.

Google authenticator is very risky if you don't save the backup keys. But I always save mine at a notepad on Desktop..

I don't think saving backup codes in notepad is a good idea lol

I don't think saving backup codes in notepad is a good idea lol

Notepad + and Zip it with a password, Already made a copy on Flahshdrive and sdcard incase something bad happen to my Desktop. That is what I do, How about a suggestion? Do you have one it might help than just laughing without a good suggestion? How about you where do you save yours?

Even better than all that would be to not use Google Authenticator at all, and switch to an open source app with encrypted back ups built in, such as Aegis.

Here is the official Google Authenticator codebase (at least the open source part): https://github.com/google/google-authenticator-android/
This is the part of the code that handles secret entry. Notice how MIN_KEY_BYTES has a value of only 10 i.e. 80 bits: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/EnterKeyActivity.java#L121-L126
And this is the part of the code that hashes the secret into a 6-digit code: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/PasscodeGenerator.java#L152-L163

Clearly these code snippets indicate that while Google Authenticator supports more bits, it foolishly sets the minimum to 80 bits despite strict requirements (https://tools.ietf.org/html/rfc4226#section-4) by RFC 4226 (yes OTP is an RFC standard) to use at least 128 bits and recommends 160 bits, double the amount that Authenticator-aware web services use. Remember that web services are the ones creating these very small keys, not Authenticator.

So while OTP authentication provides strong security if used properly, Authenticator tokens fall very short of the minimum security requirements, so they were never secure to use in the first place. Again though, Authenticator supports more than 80 bits, it's just the web services don't make more bits.

It's worth noting that other TOTP authentication software works with the same sites as Google Authenticator, but are only as secure as the length of the secret key that the web service gives it.

Do you still recommend Aegis?

Do you still recommend Aegis?

Do you still recommend Aegis?

As @o_e_l_e_o said, Aegis is great 2FA software. But if you're still looking for option, you could check andOTP (https://github.com/andOTP/andOTP (https://github.com/andOTP/andOTP)) which is slightly more popular option and have few different feature (such as encrypt with PIN).

Actually it's good point, although Aegis will spawn QWERTY virtual keyboard rather than numeric virtual keyboard. Should've mentioned there's backup option using OpenPGP instead ::).