
Authenticator Apps?



The annoying part is most of them are very hard to move over to a new phone or back up.


Do any of them work on desktops? I keep around a spare iPad to run my authentication apps, but I'd rather have it installed on my computer instead.


Authy does, but has some issues showing the same site names as on PC, so not perfect.


1Password has built-in TOTP support, though it's a little overkill if you only use it for that purpose.


On Windows there's WinAuth: https://github.com/winauth/winauth

It doesn't seem to be updated anymore, but it works well.


Then use other ones :)

I currently use Aegis and Bitwarden. AndOTP also allows you to export tokens.


Google Authenticator now has an export and import feature where it bundles all your accounts into a QR code to scan on your new phone.

Might not be ideal for backup, however.


TOTP is only better than SMS against SIM swapping, a rare threat. They are identical against phishing, an enormously more common problem. For a typical user the delta in security when transitioning from SMS to TOTP is minimal.


... or trivial number porting attacks like the one described in this exact article.

Depends on your threat model, but unlike SIM swapping this may not be out of the reach of even a mildly technical angry ex.


And a mildly technical angry ex is a lot less likely than phishing. These are valuable topics but people go way way way too far and say that SMS is horrible and should be basically banned while TOTP is fabulous and a completely viable alternative, which is just fantasy.


My protection against phishing is my password manager. If the site is fake, it won't find the password for it.


The difficulty there is evaluating which ones are reliable, secure, and easy to use. I'd welcome recommendations.


I personally use andOTP [0] which I'm a fan of. I've been thinking of switching to aegis [1] for nothing more than a UI change.

[0] https://github.com/andOTP/andOTP

[1] https://github.com/beemdevelopment/Aegis


I never had any issues with andOTP. It worked even when some websites specifically asked for a different app.


The integrated TOTP in 1Password is pretty good, it can grab the QR code off the screen and everything.

https://support.1password.com/one-time-passwords/


Just be careful with these solutions, I use the one in Bitwarden for a few things and while great for convenience, there's a significant security tradeoff when you go ahead and load all your TOTP tokens into memory on the same machine you keep the passwords on. Turns your 2 factor authentication into single factor pretty fast against even a decent piece of malware, let alone a dedicated attacker.


Microsoft Authenticator is good, and there’s a reasonable chance they already use it at work.


Google Authenticator seems fine?


Google Authenticator?



