Bitcoin Forum
May 04, 2024, 04:57:34 AM *
Pages: « 1 2 [3] 4 5 »  All
Author Topic: Aegis Authenticator, a decent alternative to Google Authenticator and Authy  (Read 1143 times)
Deathwing
October 16, 2019, 04:19:00 PM
 #41



The biggest problem with Google Authenticator is that you will need to manually back up every account in another device, or save the keys offline (manually as well).

If you do not save your 2FA in one device, then save on another, for every website, you will be depending 100% on your device. If you lose the device, you will lose the access to your accounts (all of them).


this is not a problem, this is a mandatory action!
you should always have a backup, no matter what, for google 2fa or for your bitcoin wallet, trust me, I know! backup can save your life. do it regularly.
and I think this is second best advice in the whole topic  Cool

Just use Authy, it supports virtually everything. A very good interface for 2FA, extensions for PC, app for PC, Android, iOS even SMS 2FA if I am not mistaken (I receive SMS from them from time to time) also, it backs itself up automatically after you set it up so even if you lose your device, you can always recover it.
mk4 (OP)
October 16, 2019, 04:21:50 PM
 #42

Apparently, due to the number of complaints on various social media sites about users losing access to their accounts due to lost/broken phones, a lot of people do not. They probably see it as a huge hassle. Those people are pretty much in the same category as people who don't like writing down their wallet's recovery phrase hence the reason why still a good number of people prefer leaving their coins and tokens on online wallets and on exchanges.

I think this is why the MtGox crash was so spectacular: many people were looking for a "trusted" custodial service, where you could store your bitcoins safely.... Without worrying about keys airgapped or whatever....

I think in a few years we will see banking offering that kind of service for BTC.
True. Hence why I see if ever Binance gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so much funds on Binance that it's almost guaranteed (in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so many people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

bitmover
October 16, 2019, 04:42:23 PM
 #43

True. Hence why I see if ever Binance gets hacked, it will be a significantly BIGGER bubble that's going to be popped. People leave so much funds on Binance that it's almost guaranteed (in my opinion) for the cryptocurrency markets to crash a lot further assuming Binance gets hacked some time in the future. There are simply so many people putting their trust into Binance thinking that Binance is "unhackable" or some similarly unrealistic stuff.

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However they paid for insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

mk4 (OP)
October 16, 2019, 05:07:37 PM
 #44

It was already hacked.
https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin

However they paid for insurance. This situation made their reputation even better and the exchange more secure, imo.

But even I have some funds on binance. I'll just remove them now lol

True. But there's a really really huge difference between a lot of Binance accounts being hacked by means of user-targeted attacks like social engineering the user's accounts through phishing links and such, compared to Binance's cold storage actually being hacked. Now THAT'S a big difference. Pretty much like what happened to MtGox and Bitfinex in the past, but multiplied multiple times.

ronaldo40
October 16, 2019, 08:19:30 PM
 #45


Why not use Authy? If having your 2FA backups stored on a company's servers is fine with you, then by all means go with Authy. But if you prefer storing your 2FA backups yourself, through an encrypted flashdrive and such, then try out Aegis.

I just know about this that the company stored our 2FA backup and after this, I will definitely try Aegis Auth

o_e_l_e_o
October 16, 2019, 08:26:04 PM
 #46

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

It's too bad, but I could move it as soon as backup process is done.
See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.
Saint-loup
October 16, 2019, 08:52:40 PM
 #47

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.
Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat, beginners shouldn't need to understand and install dozens of apps to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.

asche
October 16, 2019, 10:26:07 PM
 #48

Very good find!

I will try it asap.

I allowed myself to translate it into German. Hope that is ok. I obviously linked your thread as a source Smiley

mk4 (OP)
October 17, 2019, 01:26:13 AM
 #49

Don't spread FUD in the beginners section please, 2FA by SMS is not the safest method but it's not a "very insecure method"... SIM jacking is not a massive threat,
Oh it's definitely insecure and could be a massive threat. Though I'd say SMS auth is better than no auth at all, there's zero reason for a person to not use app 2fas.

beginners shouldn't need to understand and install dozens of apps to use bitcoin. Using bitcoin should be an easy way of sending funds, not a new problem to manage.
Dozen apps? You use one authenticator app for literally almost all important accounts you have all over the web, not only crypto-related apps. Also, you're most likely not going to need 2fa if you're using a non-custodial wallet to start with. Unless you're keeping funds on exchanges (which of course you shouldn't do unless you're a daytrader).

Very good find!

I will try it asap.

I allowed myself to translate it into German. Hope that is ok. I obviously linked your thread as a source Smiley
Sure! Hope it could help.

o_e_l_e_o
October 17, 2019, 05:26:47 AM
 #50

Using bitcoin should be an easy way of sending funds, not a new problem to manage.
So we shouldn't be teaching newbies about best security practices because they are difficult? Just let them use insecure methods because they're easier? I don't think so.

Downloading and using a single authenticator app is hardly challenging. I stand by my original point: Of the commonly offered 2FA methods - SMS, email, app, hardware keys - SMS is by far the least secure. Just as we shouldn't be encouraging anyone to leave their coins on an exchange because it's "easier", we shouldn't be encouraging anyone to use SMS 2FA, and those who are should be encouraged to upgrade to an authenticator app.
Deathwing
October 17, 2019, 05:42:27 AM
 #51

even SMS 2FA if I am not mistaken (I receive SMS from them from time to time)
SMS is a very insecure method of 2FA, and if you have an app which is using it, I would suggest either disabling it (if you can) or changing app altogether. It is relatively easy (certainly easier than most other forms of phishing or hacking) for an attacker to learn enough about you through social media or similar to phone your mobile company and convince them they are you, and to move your number to a new SIM. Once they do so, they can use that to reset passwords or in this case use 2FA for whatever you have linked.

It's too bad, but I could move it as soon as backup process is done.
See my reply here. As long as you encrypt the app with a password before you back up, it seems the backup will be similarly encrypted with the same password.

Authy, by default, does not actually enable the 2FA. When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.
mk4 (OP)
October 17, 2019, 10:49:54 AM
 #52

When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.

This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know (correct me if I'm wrong), if someone managed to do a SIM swap hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

DdmrDdmr
October 17, 2019, 10:57:40 AM
Merited by mk4 (1)
 #53

<...>
According to Authy, you need to disable the multi-device feature once you have installed Authy in your device/s, to prevent more devices from being added (i.e. a SIM-swapped device). If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.

see: https://support.authy.com/hc/en-us/articles/360012427914-Is-the-Authy-App-Susceptible-to-a-SIM-Swap-
Deathwing
October 17, 2019, 11:00:31 AM
 #54

When you lose your device that has Authy installed, you can use SMS to recover it and/or as a temporary 2FA method. Otherwise, you just use the app.



This is precisely one of the reasons why some people aren't comfortable with using Authy. As far as I know (correct me if I'm wrong), if someone managed to do a SIM swap hence gaining access to your mobile number, the hacker could then gain access to your Authy 2FA codes. Right?

Authy has an extra protection feature when you swap devices or sim card, to prevent this exact issue.
mk4 (OP)
October 17, 2019, 02:26:34 PM
Merited by DdmrDdmr (1)
 #55

According to Authy, you need to disable the multi-device feature once you have installed Authy in your device/s, to prevent more devices from being added (i.e. a SIM-swapped device).
Yes, but the multi-device feature is turned on by default right? Chances are that the casual Authy user doesn't know the potential problems that could be had with that feature being turned on.

If however your associated email is also compromised, then there is a window of vulnerability past 24 hours of attempting to recover the account through email.
While that's great, I don't think it's enough to be honest. If an email gets compromised, it could also take a lot of effort to recover the email. Jeebus I remember the last time I tried to recover my old gmail account.

o_e_l_e_o
October 17, 2019, 03:02:35 PM
 #56

Email should never factor into your 2FA setup, either as 2FA itself (click a link on the email we send you, for example), or as a backup to your 2FA app or codes.

The whole point of 2FA is to be two separate, independent factors. If you are using your email as a login, then chances are you can reset your password via email. If you can also access/transfer/reset your second factor via the same email, then you no longer have two factors, you have one. If someone who gains access to your email can break both your factors, then that's not 2FA.
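The independence argument in the post above, worked through as an added example that is not part of the thread: it models recovery paths as rules and finds the smallest set of compromised assets that yields both login factors. The asset names and the four setups are constructed assumptions loosely following the cases discussed in this thread, not the documented behaviour of any provider.

```python
from itertools import combinations

def reachable(owned, rules):
    """Expand a set of compromised assets with everything the rules derive."""
    owned = set(owned)
    changed = True
    while changed:
        changed = False
        for target, ways in rules.items():
            # A target falls once every asset of any one recovery path is held.
            if target not in owned and any(way <= owned for way in ways):
                owned.add(target)
                changed = True
    return owned

def minimal_takeover_sets(factors, rules, base_assets):
    """Smallest sets of directly compromised assets that yield every factor."""
    for size in range(1, len(base_assets) + 1):
        hits = [set(combo) for combo in combinations(sorted(base_assets), size)
                if set(factors) <= reachable(combo, rules)]
        if hits:
            return hits
    return []

def factors_independent(factors, rules, base_assets):
    """True only if no single compromised asset unlocks all factors."""
    sets = minimal_takeover_sets(factors, rules, base_assets)
    return bool(sets) and all(len(s) >= len(factors) for s in sets)

FACTORS = ["password", "second_factor"]
# Assets an attacker could take over directly (hypothetical names).
BASE = ["knows_password", "email_inbox", "phone_number", "authenticator_device"]

# Constructed setups: each factor maps to its alternative recovery paths.
EMAIL_RESETS_BOTH = {
    "password": [{"knows_password"}, {"email_inbox"}],
    "second_factor": [{"authenticator_device"}, {"email_inbox"}],
}
SMS_RECOVERABLE_APP = {
    "password": [{"knows_password"}, {"email_inbox"}],
    "second_factor": [{"authenticator_device"}, {"phone_number"}],
}
LOCAL_APP_ONLY = {
    "password": [{"knows_password"}, {"email_inbox"}],
    "second_factor": [{"authenticator_device"}],
}
# As SMS_RECOVERABLE_APP, but the mailbox itself can be reset by SMS.
SMS_RECOVERS_MAILBOX_TOO = dict(SMS_RECOVERABLE_APP,
                                email_inbox=[{"phone_number"}])

if __name__ == "__main__":
    setups = {
        "email resets both": EMAIL_RESETS_BOTH,
        "app recoverable by SMS": SMS_RECOVERABLE_APP,
        "local app, no remote recovery": LOCAL_APP_ONLY,
        "SMS also resets mailbox": SMS_RECOVERS_MAILBOX_TOO,
    }
    for name, rules in setups.items():
        sets = minimal_takeover_sets(FACTORS, rules, BASE)
        ok = factors_independent(FACTORS, rules, BASE)
        print(f"{name}: independent={ok} minimal={sorted(map(sorted, sets))}")
```

A setup can pass the independence check and still list the phone number in a minimal set, which is the SIM-swap concern raised earlier in the thread.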
DdmrDdmr
October 17, 2019, 03:30:38 PM
 #57

<…> Yes, but the multi-device feature is turned on by default right? <…>
Yes, you're right. I’ve just installed it on a new device with a new set of credentials, and the multi device feature is on by default (which it shouldn’t). On my regular devices, I’ve switched it off, since I wasn’t aware of this feature’s behaviour until today. Switching it off on one device syncs the setting with all the synchronized devices (i.e. switching multi device off on one does it on the others).
Renampun
October 17, 2019, 09:39:31 PM
 #58

snip~
I just found out there is an authenticator app besides Google's 2FA Authenticator
this application is a must-try. I hope the application features contained in this application are more complete than those of Google



mk4 (OP)
October 18, 2019, 02:39:30 AM
 #59

Yes, you're right. I’ve just installed it on a new device with a new set of credentials, and the multi device feature is on by default (which it shouldn’t).
It definitely shouldn't be on by default. It's just convenient to have that feature, but in exchange for security risks. Definitely not worth it in my opinion.

I hope the application features contained in this application are more complete than those of Google
It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

asche
October 18, 2019, 08:08:38 AM
 #60

It is. Google's 2FA basically has little to no features besides the 2FA functionality itself.

If I'm not mistaken the Google Auth app is nice in the way it doesn't store your data on servers, right?

So if you are rooted and able to back up the APK + data with Titanium Backup it is doing a fairly good job. It is what I have been doing anyway. Obviously Aegis offers more functionalities, so if this app is going to stick around, there is a pretty high chance I am going to switch over.