2FA (Two Factor Authenticators) Apps

[Oshosondy]

I am creating this topic to be an interactive one, I will like all your suggestions, to write more, delete or modify this topic in accordance to your opinions about two factor authentication. All members replies withs valid and undisputed replies will be add up to this topic. And I have to say this, nice being with you people.

The main reason for the topic is to list all known 2FA apps, to know their pros and cons, I will list the ones I know but I will like you to do the remaining, I have researched online to choose the best using certain reasons:

1. Source code
Without no doubt, everybody prefers open source applications, I for one I am a big fan of open source codes, but I noticed some 2FA applications are close source. 2 heads are better than 1, if a source code is accessible to the community it is better than to be close source that is available to certain few people. I expected you to have known what open and close source codes are and why open source are the best. In this topic, I will recommend open source 2FA.

2. Cloud backup
Ignorance is a disease, that is why some people will do wrong and be confident until their wallets all gone by hackers, I will not blame peoples ignorance but if they lack knowledge and continue to do wrong, likely they will be scammed. Why would I backup 2FA on cloud storage, what if the cloud storage is hacked? Hackers are attracted to what belongs to multiple because if successfully hacked, they will have more cakes. Any 2FA with cloud backup is not recommended.

3. Safety
If we consider the two reasons above, we will prefer authentication apps with open source codes, also the authenticators that supports no synchronization to any cloud storage. I will not recommended google and Microsoft because I am not sure if they make use of cloud storage because they work the same way, I am using two android phones, I use the same gmail for the two phones, I downloaded an app on the two phones separately, the app asked for login details, when I was about to login on the other phone, it automatically pop-up my login details without login in before. So, because of this, I still always doubt google and microsoft authenticator apps.


You can choose your own authenticator app, but using the 3 reasons above, I will suggest you the safest ones.

2FA Authenticator             source code                Cloud backup              Recomendable           Device

Aegis                                   Open souce                       No                                    Yes                         Android

andOTP                              Open source                      No                                     Yes                        Android

Authy                                  Close source                     Yes                                    No                         Android

FreeOTP                             Open source                      Yes                                    No                         iOS

Google Authenticator          Not sure                          No                             Not yet sure                Android

Microsoft Authenticator     Not sure                        Not sure                     Not yet sure                Windows/Android

Tofu                                    Open source                     No                                      Yes                       iOS

Authenticator                    Open source                     No                                      Yes                       iOS




Questions:
What other criteria should I include?
Which one I mentioned you against? Let us discuss about it.
I will like other good and bad 2FA suggestions?
I am not sure of certain things about some authenticator apps above, please give answers

A mistake can make all our bitcoin gone at ones, hackers are not merciful, they steal all not part, we have to be careful and handles our devices smartly. Using 2FA does not mean your device is safe until all precautions are followed.
Make your suggestions, please.

Which one allows someone to encrypt his authentication code? And to avoid sync is better.

Most password managers (all of them?) with 2FA do that. They don't just ask you to end your passwords in plain text to their servers. While I don't recommend anyone to do that, it's a viable solution if you trust them with your encrypted data.

[guigui371]

Finding a common ground won't be easy.

For example you say that you dont recommend google 2Fa, however, some website will force you to use this one and no other solution.
Some will only accept Authy

Aegis : not available on iphone in my country
andOTP : not for iphones
FreeOTP : available for iphone, only has 2 review, editor is RedHat, if it is the RedHat that is in charge of the Linux distro, fine, if it is not then shady, unfortunately, with only 2 reviews i'm unsure, I would not install it as I am not 100% sure that it is legit.

And let's be real, if you are using a Android phone or an Iphone you have already given so much info to GAFA that using google 2Fa is the least of your issues.

Just back up the secret key into a safe medium and carry on. Google2FA is a safe and convenient solution.

PS : you can update your table, google 2FA doesnt have cloud backup

[Oshosondy]

FreeOTP : available for iphone, only has 2 review, editor is RedHat, if it is the RedHat that is in charge of the Linux distro, fine, if it is not then shady, unfortunately, with only 2 reviews i'm unsure, I would not install it as I am not 100% sure that it is legit.

PS : you can update your table, google 2FA doesnt have cloud backup

Thank you so much, I will update the table now, and about FreeOTP with what you said, it is not recomedable.

[nakamura12]

You can also add keepass as one of the authenticator app which is for pc. I remember that someone did create a guide on how to set up the authenticator on keepass. It is a plugin that is for keepass and you can also use it to store your password. I'm sure many of us here use password manager to save passwords and also use the authenticator plug in of keepass. This is for desktop if you are looking for authenticator app for desktop.

[Charles-Tim]

You can also add keepass as one of the authenticator app which is for pc. I remember that someone did create a guide on how to set up the authenticator on keepass. It is a plugin that is for keepass and you can also use it to store your password. I'm sure many of us here use password manager to save passwords and also use the authenticator plug in of keepass. This is for desktop if you are looking for authenticator app for desktop.

I will not recommend any autheticator with passward manager, the reason for the password manager is for ease of recovery in a way your login details and the app itself will be easily recovered. All sensitive information about the backup will be automatically synchronized online on a cloud. Anything online is not safe anymore, the authenticator backups suppose to be offline.

[mk4]

I can vouch for Aegis. I even created a quick thread about it last year: https://bitcointalk.org/index.php?topic=5192978

Before Aegis, I was using the typical Google Authenticator, and it was definitely a huge inconvenience when I planned on changing phones. I had to manually remove and reactivate 2FA on every single one of my important accounts because I didn't have a backup of the keys. With Aegis, the export backup feature was a lifesaver. I would even pay for that app to be honest.

[HCP]

There is an app called "Authenticator Plus" by Mufri: https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus

It's not open source as far as I know, but it provides support for backing up your data to cloud services or encrypted local backups. Also, sadly, it hasn't been updated since December 2018, so I can't really recommend it any more


I like Aegis.. although I occasionally have issues with it generating "invalid" OTPs I'm not sure if it is a 'time sync' issue... but if I look at the code in Aegis and the one in Authenticator Plus, quite often they're different and the one in Authenticator Plus works and the one in Aegis does not??!?

[Mpamaegbu]

2FA Authenticator             source code                Cloud backup              Recomendable           Device

Google Authenticator          Not sure                         No                                     No                        Android

OP, your review on the Google Authenticator as not to be trusted doesn't sit well with me. The simple reason being that I have been using the GA as my 2FA for three years now and I haven't had any issues with all the sites I have used it on. Periodically, I get texts of hackers trying to break into those accounts but without any success. So, I am asking "what is wrong with the GA?" If it has kept hackers off those accounts, it should be trusted. And I believe a lot of users with agree with me on this.

[joniboini]

I believe the reccomendable part needs more clarity. On what basis you judge this? As it looks inconsistent. Does it have be open source and no cloud backup available? What if the apps allows you to encrypt your key and then upload it to any cloud service that you choose?

[UserU]

EDIT: Just confirmed GA allows transfer between devices, but not support cloud backups.

[mk4]

EDIT: Just confirmed GA allows transfer between devices, but not support cloud backups.

It's not that Google Authenticator necessarily allows transfers between devices, it's just that 2FA keys have always been transferable. It's pretty much somewhat like your bitcoin wallet's private keys. You can use the private keys on every single device you have, and you just need to import it. Same thing with 2fa keys.

[Oshosondy]

OP, your review on the Google Authenticator as not to be trusted doesn't sit well with me. The simple reason being that I have been using the GA as my 2FA for three years now and I haven't had any issues with all the sites I have used it on. Periodically, I get texts of hackers trying to break into those accounts but without any success. So, I am asking "what is wrong with the GA?" If it has kept hackers off those accounts, it should be trusted. And I believe a lot of users with agree with me on this.

I will still change it, but I want people to comment more on google authenticator, also I will like to ask if microsoft authentication is good too?
I just think good do bypass privacy by if more people recommend it, I will change it.

[UserU]

EDIT: Just confirmed GA allows transfer between devices, but not support cloud backups.

It's not that Google Authenticator necessarily allows transfers between devices, it's just that 2FA keys have always been transferable. It's pretty much somewhat like your bitcoin wallet's private keys. You can use the private keys on every single device you have, and you just need to import it. Same thing with 2fa keys.

Yup, but I think I should have worded myself correctly.

Previously on GA, you had to manually disable 2FA on every linked account because there was no option to mass-transfer at all. Just the barebones; codes, add 2FA and some simple settings. You could imagine what would happen should someone lose the phone or reformat it.

Then thank the Heavens when GA finally got the transfer feature, albeit not via cloud.

[Oshosondy]

I believe the reccomendable part needs more clarity. On what basis you judge this? As it looks inconsistent. Does it have be open source and no cloud backup available?

Using cloud storage to backup is not a good way to go, these type of 2FA apps are not safe as using QR code and authenticator codes to backbackup is the best. It should be open source too.

What if the apps allows you to encrypt your key and then upload it to any cloud service that you choose?

Which one allows someone to encrypt his authentication code? And to avoid sync is better.

Previously on GA, you had to manually disable 2FA on every linked account because there was no option to mass-transfer at all. Just the barebones; codes, add 2FA and some simple settings. You could imagine what would happen should someone lose the phone or reformat it.

What if you backup your google 2FA?  The backup will do that automatically.

[TryNinja]

Which one allows someone to encrypt his authentication code? And to avoid sync is better.

Most password managers (all of them?) with 2FA do that. They don't just ask you to end your passwords in plain text to their servers. While I don't recommend anyone to do that, it's a viable solution if you trust them with your encrypted data.

What if you backup your google 2FA?  The backup will do that automatically.

AFAIK, all they did was add an option to show QR codes with your 2FA secret tokens. It's basically an "export" function so you can scan them with your other phone and get them without having to either save those codes somewhere (so you can use as backup to import in the new phone) or remove 2FA from all websites to enable it again in the new phone.

[Oshosondy]

AFAIK, all they did was add an option to show QR codes with your 2FA secret tokens. It's basically an "export" function so you can scan them with your other phone and get them without having to either save those codes somewhere (so you can use as backup to import in the new phone) or remove 2FA from all websites to enable it again in the new phone.

That was the part I want to clear, some people will not do the backup and will not have the ability to easy use the QR code or secret code to easily do the importing for ease. Thanks for making this clearer.

EDIT: Just confirmed GA allows transfer between devices, but not support cloud backups.

That was long edited. You can check guigui371 comment above, the first reply. But, thank you too.

[HCP]

t's basically an "export" function so you can scan them with your other phone and get them without having to either save those codes somewhere (so you can use as backup to import in the new phone) or remove 2FA from all websites to enable it again in the new phone.

Note that it only displays the QRCode... There is no functionality to save or store the generated QRCode(s)... and (on Android 10 at least), the Google Authenticator app actually prevents screenshots from being taken, so you can't try and save the QRCode that way either.

So, without a 2nd device handy to scan the QRCode off the screen, it's practically a useless feature as far as "backup" is concerned!

[Natalim]

Been using Authy for years already and I say it's very convenient using this APP, actually when I started using it, I didn't search for on its security or how secure it is since a friend of mind recommended it to me.

Per OP, "recommended-no".. I think can recommend this as it's easy to link the app in your PC and your cell phone, so if you don't have access to the other device, you'll never have to worry. (my opinion is not so technical but based on experience only).

[UserU]

EDIT: Just confirmed GA allows transfer between devices, but not support cloud backups.

That was long edited. You can check guigui371 comment above, the first reply. But, thank you too.

Yup, I edited my comment after seeing it. Was gonna switch over to Authy before the update but couldn't bear going through all the associated sites just to reset everything.

[nelson4lov]

Is being closed source the reason for not recommending an authenticator? When I first got in crypto, the first authenticator app I used was that of Google but I lost access to it without my backup code and phone. So I switched to Authy app and I have used it for years without problems. One major flaw is the setting for allowing multi devices which could be turned off to reduce security risks. For the records, not all closed sourced softwares are bad – we use different close sourced apps everyday.   And like you, I'm also a big fan of open source softwares. I even contribute actively to some.

Per OP, "recommended-no".. I think can recommend this as it's easy to link the app in your PC and your cell phone, so if you don't have access to the other device, you'll never have to worry. (my opinion is not so technical but based on experience only).

In my experience, Authy is a solid app and it does get the job done. I'm also interested to know why it wasn't recommended by OP.