Multi-factor authentication: it is difficult these days to find a high-profile website that still lets you get away with a simple password-based login. It is a sobering thought to realize how fast your 'secure' password can be cracked or stolen using techniques that go well beyond brute-force guessing.
So, multi-factor authentication has become the rage. When you authenticate, you increase the security of your account by presenting more than one 'factor': something you know (a password or PIN code), something you have (a hardware security key, a phone or another token generator), and something you are (a biometric such as a fingerprint or Face ID).
When two of these factors are required we speak of 'two-factor authentication', better known as '2FA'. Usually that means a password combined with a short one-time code (typically six digits, valid for 30 seconds) produced by an authenticator, whether that is a hardware device or a software implementation.
Popular are authenticator apps on smartphones. Google, Apple and Microsoft each have their own authenticator, which you can find in the respective app stores. They are really easy to use and, for ordinary website 2FA, completely interchangeable: they all implement the same open TOTP standard (RFC 6238), so every authenticator that was enrolled with the same secret (the QR code you scanned) will generate the exact same code for a website at the same moment in time. It is that shared secret, not the app, that matters.
The disadvantage of these authenticators becomes clear when you lose your smartphone: gone are the codes you need to log on to your account! Unless you kept the one-time recovery codes a site handed out when you enabled 2FA, you will have to contact customer support to disable 2FA so that you can access your data again, and then re-enable 2FA with an authenticator on your new phone.
That is why Authy became so popular: it is an authenticator which stores your 2FA secrets, encrypted, in the cloud of its parent company Twilio. With Authy you can authorize another device (smartphone or desktop) to generate the same 2FA codes for you, and as long as you remember the backup passphrase that encrypts your cloud-stored secrets, you do not need your original phone to authorize a new one. Really convenient!
Unfortunately, Authy does not offer a way to export your secrets from its app. It is total vendor lock-in, as happens so often. And this month, Authy's Windows and Linux desktop applications stop working, leaving only Android and iOS as supported platforms for your authenticator. On top of that, there was a recent breach at Authy: an unauthenticated API endpoint let an attacker confirm the phone numbers associated with some 33 million Authy accounts. That facilitates phishing and smishing of course, but it matters more because of how Authy's account recovery worked: when you tried to recover your account after losing your phone, Authy would first ask for your phone number and then proceed to grant access to the related account. Security updates to the Authy apps on all platforms now prevent initializing the app on the basis of a phone number alone, but the message is clear: if you cannot fully trust the company providing one of your two authentication factors, it may be time to switch.
But, the lack of export capability… indeed.
I have been using Authy for a couple of years, precisely because of the convenience it offers in the rare case that you lose (access to) your phone. Now being really pissed about the vendor lock-in, I went looking for an acceptable alternative authenticator, and I found Ente Auth. It is an open source 2FA authenticator with the option (not mandatory) to create an account at Ente and sync your local 2FA secrets, end-to-end encrypted, to their cloud server. Ente's end-to-end encryption has been independently audited, and the app allows you both to import (from other authenticators, but not from Authy) and to export your secrets. Ente's server offers a read-only version of the authenticator interface, which means that after logging in you can find your 2FA codes in your browser as well.
Switching from Authy to Ente Auth was a slow and painful process, where I had to disable and re-enable 2FA on many web sites, but now I am ready to use Ente Auth exclusively. I can highly recommend this app.
What's more: Ente has also open-sourced its backend server. Ente is first and foremost an open source, end-to-end encrypted alternative to Google Photos or iCloud: a place to store your photos and videos. But the authentication backend has been built as standalone functionality from the start, which allowed the company to build Ente Auth on top of that same backend. Because the backend is open source, you can have complete control over the cloud storage of your 2FA secrets: an account on ente.io is then not needed, you simply point the authenticator app at your own server address.
And as a bonus, you also get a secure, self-hosted alternative to Google Photos.
If there’s an interest in a follow-up article explaining how to self-host the Ente Auth server backend, let me know in the comments section below.
Have fun! Eric
There is FreeOTP for Android. Backups can be saved together with other passwords; there is no reason for something special.
That’s the beauty of open source. There are many choices and all are good. You simply pick the one that most closely matches your requirements.
In my case, one of the requirements is transparent synchronization between my phone and a remote storage to provide disaster recovery. With FreeOTP you still have to export your tokens and save them somewhere manually.
Running backups of MFA secrets really isn’t a task that I’d order someone to do, at least to lazy people like myself :). For android I can recommend https://github.com/beemdevelopment/Aegis which creates an encrypted backup automatically. Syncthing will take care of distributing it to my other devices (via wireguard if necessary) and they even offer a python script to decode the backup in case I need to generate QR-codes <3.
So, yeah, +1 for the many solutions OSS offers
Make sure to install FreeOTP+ as the original FreeOTP is not maintained anymore.
The “+” version also has more functionality.
Yeah, MFA is indeed a necessary evil. I've used Authy for a long time, but I have happily moved away from it since Twilio bought it. I'm happy I did that, as not much later they were hacked.
I faced the same pain as you, but my solution was to move everything (password management and MFA tokens) to KeePass. By using KeePassXC on computers (Linux and Windows alike) and KeePassDX on Android, I managed to privately (i.e. not using cloud services) sync the same database across devices using Syncthing, back it up on a private NAS, and solve the problem of securely storing and using passwords and auth tokens anywhere. I've been using it for two, three years now with absolute confidence and convenience.
Worth saying that the KeePass database scheme, KeePassXC and KeePassDX are all FLOSS, as is Syncthing. No vendor lock-in at all for the whole stack.
I use KeePassXC on Slackware and KeePassDX on Android, and its database is stored on my own private cloud (provided by Nextcloud). Works really well, and I integrate it with the Chromium plugin to make it automatically fill user/password entry fields on web sites.
But I have not used it to provide 2FA tokens.
You have it all set then. Give it a try for 2FA. You might be amazed…
If your password and second factor token come from the same piece of software, is it really 2FA?
Debatable, yes. Just like the whole 2FA concept. Anyway, one can always have separate DB just for 2FA and unlock it using a keyfile or hardware key (both supported by KeePass).
“If your password and second factor token come from the same piece of software, is it really 2FA?”
“one can always have separate DB just for 2FA and unlock it using a keyfile or hardware key (both supported by KeePass).”
You can also have KeePass (or derivative) on one device for the username and password, and on another device for 2FA. Same software, yes, but not the same installation of the software, and separate databases on separate devices. So, yes, really 2FA.
I manually back up my separate KeePass DBs. If you lose or break a device, it’s easy to recover on your new device by importing the backup DB.
But back to the topic Eric wrote about. Manually backing up KeePass DBs periodically has worked for me, because I don’t add many new 2nd factors (sometimes none) between backups. If I had to recover from a slightly out of date backup, I would have to reset 2FA on at most a few websites. That would still be a nuisance. Syncing, either how Eric describes here or how others have done it, would be more convenient while being as secure. Thanks for the ideas everyone!
Exactly this.
I’m using KeePass{DX,XC} on Android and Slackware, with databases synced with Syncthing.
Both support 2FA tokens, so there's no need for another app.
I’ve setup a backup strategy in Syncthing, so if the database is deleted on the phone by accident, it’s still kept on the PC.
I do this with Keycloak (a realm with TOTP, and OAuth used with all the services that support OpenID authentication) and Vaultwarden for central password and token storage, both self-hosted. Vaultwarden can be used with the browser extensions and desktop apps of Bitwarden, of which it is an open-source clone. Anyway, it will be interesting to see how this Ente works and whether it has interesting features.
Not all sites deserve the same security level: I am happy doing 2FA for accessing my bank account, but if some forum where I post every so often wants to force me to use 2FA (which, being more secure, is necessarily more convoluted and inconvenient), I will just stop using that forum.
I’d say that every website with a login should offer 2FA authentication, even recommend it at account creation time, but not mandate it.
Let the user decide the value of their data and the protection required.
I would definitely be interested in info on how to setup a Slackware based server for authentication backup and backup of photos from an Android device.
Same here, definitely interested!
I’ve been using 2FA for years…it stops my mom from trying to log into various accounts of mine, for one. (Same reason I’ve been using random words for security answers, as well.) It’s good to have options that aren’t the commercial/Google/iOS ones.
“Popular are authenticator apps on smartphones.”
Master Yoda, is that you??
🙂
Hi Eric 🙂
There “was” a way to import from Twilio Authy to Ente, with the caveat that you did not allow Authy to update during the whole EOL thing, but that ship has probably sailed entirely by now. I can dig up the GitHub repo if anyone is interested, but yah, I feel much better now that I'm aware that you too had (presumably, begrudgingly) adopted Authy as your go-to cross-platform authenticator, even though it's the furthest thing from FOSS.
My reasoning was the same: you drop your phone in a toilet and you're screwed, so MFA doesn't make much sense if you can't have multiple devices from which to recover; horror stories of people using Google Authenticator and getting locked out of mission-critical resources abound.
I started using Ente before it was cross-platform, with only the promise that they were diligently working on a desktop release; indeed, a quick look at the repo did in fact indicate they were.
Ente is the ONLY authenticator that is truly cross-platform, supporting Android, Linux, and Windows. I think even FreeBSD, IIRC.
Twilio is vendor lock-in by design and, if that's not bad enough, the breach you alerted us all to reeks with a stench not unlike the LastPass escapades, lolz.
There are some authenticator capabilities in KeePassXC, but notwithstanding my preference to separate those two types of authentication systems, I don't believe that KeePassDX offers such features.
Kindest regards,
Bradley
The two loopholes whereby you could export keys from Twilio Authy were purposefully killed by Twilio, the very day I wrote the article.
Eric,
I would totally be interested in more info on setting up and transferring 2FA data from my Authy account. Like you, I have been using the service for several years and was not aware of this recent development. At work I am forced to use the MS Authenticator, as we only use MS products. For my personal use I pretty much only use Slackware, unless there is something I must do for work; then I have to reboot into Windows 10/11.
Keysmith works well for 2FA.