2FA added

[robelneo]

(...) Am I the only one any help will be appreciated.

I'm sorry for the month-late response...

I think that what likely happened there is that you mistyped your OTP and then got spooked by the badly-worded error message. That error message has now been improved.

Yes, I did, I mistyped it  sorry too for not updating my post, I'm now using it and glad that we have this, and thank you for adding this feature here on Bitcointalk.

[RickDeckard]

Considering that I was away a couple of months, seeing this update to the forum security really made my eyes gauge with excitement. Thank you theymos for finding the time to analyze and adapt to the code of the forum the magnificent piece of code that PowerGlove made (props as well to you PowerGlove, you rock \o/). If anyone is lost in the sea of 2FA applications, my recommendation boils down to two excellent, free and open-source apps: ente Authenticator[1] and Aegis Authenticator[2] (both available in F-Droid).
[1]https://github.com/ente-io/auth/
[2]https://github.com/beemdevelopment/Aegis

Small update to my previous entry: Aegis has now reached v3.0 (~8 hours ago)[1] with a couple of neat features which deserves our attention:

Material 3 (and Material You)
Automatic assignment of icons to entries
Ability to select all entries in one go
Support for importing 2FAS schema v4 backups
Sort entries based on the last time they were used
Some clarifications related to importing and backup permission errors
Preparations for the ability to assign a single entry to multiple groups
Performance improvements when scrolling through an entry list with lots of icons
A new look for the third-party licenses list

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.
[1]https://github.com/beemdevelopment/Aegis/releases/tag/v3.0
[2]https://security.googleblog.com/2023/04/google-authenticator-now-supports.html

[joker_josue]

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

[RickDeckard]

For whoever still using Google Authenticator, do note that your secrets are in the cloud[2] which means that you are no longer in control of the data and a malicious entity may be able to access them.

One question: Is it easy to migrate from one service to another?

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

Aegis supports importing your 2FA codes, so you don't need to add them individually into the application (or, worse, remove them first and add them on Aegis). If you use Google Authenticator you can try any of the methods explained here[1]. Aegis also supports backing up the file so that you can keep it in a safe place in the event that you loose your phone (for example).
[1]https://www.theverge.com/21410260/google-authenticator-2fa-how-to-phone-security-iphone-android

[Cricktor]

One question: Is it easy to migrate from one service to another?

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

Therefore I developed the habit to make a physical backup on paper of the 2FA shared secret when I setup a new 2FA account. If I can get only a QR code for 2FA setup, I scan it with a designated privacy friendly QR code scan app that I have on my phone which allows me to decode the QR 2FA setup code and doesn't share this with any other app or cloud storage.

I don't make a digital photo of the 2FA setup QR code because usually pictures are uploaded to some cloud. If the QR code is displayed on a computer, printing it safely is another option. I make some effort to not leave any digital traces of 2FA setup codes on online digital devices.

Backup and migration is far from user friendly if you're concerned of security, unfortunately.

Or will it be necessary to do a new registration/configuration for each service that uses 2FA?

If you can't migrate a 2FA account or have no physical backup, that's unfortunately the only option to go for setup on a new device or 2FA app. I'd rather go the route to temporarily disable 2FA if that is possible and re-enable it for setup newly. But you have to be careful not to loose access and having to perform some painful recovery with service desk hell.

[RickDeckard]

As far as I experienced it, migration from one app to another is rarely possible. Either the source 2FA app can show the secret in plain text or as QR code or export a backup file in which you can easily find the shared secrets of your 2FA accounts. But digital backup files are risky if you don't know how secure your device is which you usually can't know for certain depending on what internet shit you've already done with your device.

This is the case with Google Authenticator. The application only provides the scanning of a QR code as the way to import the details into another device. The most probable scenario is that a user wants to import the codes into another application using the same smartphone, so they are forced to take a picture of the QR code (ideally with a non internet connected device such as a digital camera) and then scan that picture with their smartphone.

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

[joker_josue]

Isn't Google smart enough to know this is a cumbersome process and that they should provide a better way to export their users codes (such as an encrypted backup)? They are. Would they do it? No because this process makes it difficult for users to leave the application and acts more as a way to deter people from leaving the service.

It is true that perhaps they create these difficulties, so that the person does not easily leave their services.
But we also have to be realistic, that if it were easy to obtain this information, security levels would lower, making it even easier for criminals to obtain this data.