I had similar issues a while ago so I tested a lot of solutions, but landed on Authy.
The only thing that bugs me a little is that it is not open source, but I feel that the company behind it is solid enough to be trusted as much as anything else (which depending on the size of your tinfoil hat may be nothing or a lot).
I use Authy. I have Authy on phone and multiple computers, including one set up on a VM and I keep a backup of the VM in multiple places as my worst case scenario. If everything else crashes, I can just download and spin up the VM to add new devices.
I used to use Authy and ended up moving to one called "Authenticator Pro" on Android which is open source and seems to be working really nicely so far. Encrypted backups too.
@FlamingSpaceJunk said:
Holding passwords in Bitwarden and using it for 2FA isn't as secure as it sounds.
Care to expand? Having a password manager and 2FA in the same device is not secure either.
All of your eggs in one basket. Password manager gets hacked, and everything is there. Versus having to break into two systems, a password manager and a 2FA device. Bitwarden, 1Password, LastPass, etc. are SaaS systems which are always on and available. Attackers have an open window to attack them, and on a long enough timeline, everyone's survivability drops to zero. LastPass has had breaches in the past, for example.
Yes, a hardware token is better as it is separate from everything, but convenience. Hardware tokens are still pretty new, but they are catching up.
There is no truly secure system, and the goal is to make attackers' lives as hard as possible. We make tradeoffs every day, and it's tough to find the balance between ease of use and security.
I'm late to the party but I highly recommend an open-source solution such as KeePassXC.
Bitwarden is recommended all over the web, but I'm not too fond of it. Yes it looks nice and has all the features you could possibly want from a password manager, but everything comes down to just one developer... There is just one guy doing front-end, back-end, mobile apps, basically everything, so the under the bus factor is quite high if you ask me.
@Freek said:
I'm late to the party but I highly recommend an open-source solution such as KeePassXC.
Bitwarden is recommended all over the web, but I'm not too fond of it. Yes it looks nice and has all the features you could possibly want from a password manager, but everything comes down to just one developer... There is just one guy doing front-end, back-end, mobile apps, basically everything, so the under the bus factor is quite high if you ask me.
He has been hiring other people recently. About 6 months or so IIRC
That is good to know. I do indeed see quite some (recent) commits from a second guy.
@Freek said: That is good to know. I do indeed see quite some (recent) commits from a second guy.
He also expanded on Reddit that he has a plan in case he dies or something of the sort, so the servers won't get abandoned.
And as always, backup your data!
I use Bitwarden CLI (there's also PortWarden) to export my vault, then encrypt the CSV/JSON file and upload/store it somewhere safe.
@Freek said:
I'm late to the party but I highly recommend an open-source solution such as KeePassXC.
I would also recommend this. You can store your passwords, SSH keys (built-in agent) and TOTP secrets. On Android you can access it through Keepass2Android. The only thing which I'm missing is a built-in ssh-agent for Android.
If I were to choose Bitwarden, I would definitely self-host it. However, I see that file attachments are a premium feature that requires a license, so I won't be switching over any time soon. File attachments are a must for me.
Comments
I've been using WatchGuard AuthPoint as a replacement for my Google Auth 2FA. Works great for me.
If it's a google account be sure to save the recovery codes somewhere safe too
Too flat huh? Should have gone with one of these.
hehe, it was a galaxy S2 with a massive battery extender on it, so not far off.
I hung my coat over a fence at one point next to a trench I was filling in, I am thinking I probably buried it
You just need to save the 2FA token to a safe place first, then put it into GA or w/e.
Android only though.
+1 for Authy, after it happened twice with Google, I decided not to take risks anymore.
Authenticator roundup over at arstechnica. They like Authy as well:
https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/
I'm using DUO (https://duo.com) for most of my 2FA and they introduced DUO Restore, where you can reconnect your old accounts https://guide.duo.com/duo-restore
I haven't tried it myself, yet.
Didn't notice until now that my Google Authenticator was updated with the transfer accounts feature. Thought it wasn't released yet.
Now they just need a backup feature.
Metal detector around the trench?
Ya Authy the best
No. oathtool is the best, Authy can be a close second though.
I host my own BW instance, so I keep backups of that DB.
That's good to know