by artdigital 1089 days ago
Little question on that topic

Maybe it’s that all this stuff is still new, but whenever something offers passkey support I now add 3:

- one on Android
- one on iOS
- one in 1Password

Even more fun when it’s mixed with YubiKeys: add a primary key and a secondary key to that list.

I now have a spreadsheet to write down which website has which keys added to keep track. Hopefully something like 1Password will handle that soon, but I don’t want to risk losing access to my iCloud or Google and getting locked out. Even more confusing when browsers like Chrome offer to save a passkey into the browser, which is synced only within that browser (I think, the exception being Safari).

How are you all handling that?


Google Authenticator decided to nuke all my existing MFA tokens during a recent update/refresh of their app.

I can tell you to sort your redundancy now, it’s much easier than later.

I can also tell you to avoid Google tooling; they seem completely disinterested in support and more interested in market share.

Google can go to hell for the time / account access I lost, fuck them.

I stopped trusting Google Authenticator several years ago when I realized it had no syncing, backup, or even device transfer functionality whatsoever. A quick test made me realize that if anything happened to my device, I would just lose all of my 2FA keys with no way to recover them. I also then realized that if anything happened to the app (which apparently has a couple of times throughout its existence), I’d have the same problem.

I migrated to Authy because it at least has syncing and backup functionality. Sure, it’s less secure, and I should probably self-host somehow for the best security/stability assurances, but Authy seems to work pretty well for what I need it for.

Google Authenticator has supported manual device transfer for some time via QR code.

You can decode these application-specific QR codes for backup or transfer purposes using a third-party tool: https://github.com/scito/extract_otp_secrets

As long as one keeps the original string and/or QR code safe (in a separate password database), TOTP can be put on multiple devices, is backed up, and one will not get locked out of accounts. But also, at the same time, none of the MFA setup flows on any website tells the user to keep "this" string safe. Once that string is gone, there is no way to recover it.

I have a printed sheet with all those strings and their account names in my own memorized encoded form (like rot13). Plus my main phone, my backup phone, my tablet: all of them have the same app & codes (all devices have fingerprint & pattern locks).

It can now be synced and backed up in your Google account, which you can tie to your real identity with your phone number and telecom company, where you can have a contract... In addition, you can have a $10 Android phone that barely moves (or your old phone) sync to your Google account, get the authenticator codes, battery 77%, phone has a PIN, and shut it down and put it in your drawer/fireproof safe... Is it better to back your secrets up on paper? Why do you have to see your secrets?
> can also tell you to avoid google tooling, they seem completely disinterested in support and more interested in market share

It's been the case for ages. They show absolute disregard for the individual users. All they care about is their pseudo-monopolized aggregates.

Then use Microsoft Authenticator or Bitwarden.
Why are you under the impression that I'm not?

You may need to pay more attention to what you read, the context and the users before writing.

I was under no impression whatsoever. I said if you hate Google you have alternatives. Google bashing is lame. I am sure if you have a 10 dollar phone logged in to your Google account at home, offline, you never lose your 2FA codes. But hey, aren't they just a long key you can import anywhere via QR code? If you do not trust it, or you are one of those mysterious people who lose access to the Google account (illegal activities?), then make a copy. All I said was that this Google bashing is irritating.
Is it possible to DIY these things? Or a FOSS app on my phone?
F-Droid has a number of apps.

KeePassDX (also on F-Droid) also supports TOTP, as does KeePass 2.0 on desktop, if you're comfortable keeping it with your password manager.

PyOTP contains plenty of information about how to implement an authenticator app.

https://pyauth.github.io/pyotp/
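The RFC 4226/6238 arithmetic behind the two points made above (the seed string inside the enrolment QR code is the entire secret, so any device that holds it computes the same code, and losing it means losing the factor), as an added example that is not code from the thread or from PyOTP; the otpauth URI and its secret are constructed sample values, and `verify` is a generic server-side check written for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrolment URI like those in "add authenticator" QR codes (throwaway example secret).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def parse_otpauth(uri: str) -> dict:
    """Pull the seed (base32 in the QR payload) and its parameters out of an otpauth:// URI."""
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    b32 = query["secret"][0].strip().replace(" ", "").upper()
    return {
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),  # restore stripped padding
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def verify(secret: bytes, candidate: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * step, step), candidate)
        for drift in range(-window, window + 1)
    )


def devices_agree(uri: str, at: int) -> bool:
    """Two enrolments from the same QR payload (say phone and tablet) produce the same code."""
    a, b = parse_otpauth(uri), parse_otpauth(uri)
    return totp(a["secret"], at, a["period"], a["digits"]) == totp(b["secret"], at, b["period"], b["digits"])
```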

I would avoid anything KeePass, simply because it seems like an absolute mess of forks. How do you know which KeePass* to use? How do you know the one you pick won't be superseded by another fork in 2 weeks? Why does the world need KeePass, KeePassX, KeePassXC, KeePassDX and KeePass 2?
The original, KeePass 2, is quite good. The prior version is only for the old database format. The nice thing about it is you can automate sync in many ways, and it has plug-ins that do lots. Every other tool uses KeePass 2 databases.

I used KeePassXC but it didn't sync like I wanted using Syncthing. Other sync stories probably work better, like Dropbox.

Kee is the browser extension I use and it's pretty good. They also have a sync service you can buy, but it's free to use with KeePass 2. I liked it better than the extension that's compatible with KeePassXC.

KeePassDX is pretty great. It's working well with my setup, especially using Brave as I avoid Chrome. Incidentally, I think recent Chrome updates have complicated things for password managers on Android but alternative browsers work great. I use it with a longer timeout to lock the database than the default.

I think KeePassX is superseded by KeePassXC.

So, if you ignore most of the other forks, you don't need much analysis paralysis, and everything works well.

For iOS, it's hard to find FLOSS solutions, but there are paid apps that are supposed to work well to integrate with KeePass 2 databases.

Google Authenticator, yes. I use andOTP, which is great. I think it's no longer being updated but there are many alternatives too.

For passkeys I haven't seen a full open source implementation that actually works. Some parties like Bitwarden promise it but aren't finished AFAIK.

JFYI, Aegis is a decent and maintained FOSS replacement for AndOTP and can import backups from the latter (in case it ever stops working).
Oh yeah that's the one I was thinking of.

However it lacks the ability to GPG export using OpenKeyChain which is why I went back to AndOTP.

Ah is that why I couldn't log in to so many important things for which google sso was effectively forced on me?
I was upset Google Authenticator auto-updated somehow even though I specifically try to prevent that.
Recently, I thought it had been forcefully uninstalled somehow and that I had lost everything (well, I have a backup plan, but still...). Turns out, it changed name AND logo... so I "just" couldn't find it at its usual location, and had a hard time finding it entirely.
Search in apps with name: authenticator.
This feels a bit like user blaming. Imagine someone getting to the office and getting annoyed at you because they changed their name, didn’t tell you, and you used the wrong name. You could have looked them up in the corporate directory, but you don’t know what their new name is and their previous name is no longer listed.

Communication was poor, mobile OSes should probably account for this (if for nothing else, to prevent major functionality pivots / spamware), etc. The parent's displeasure and me losing all my MFA tokens feels like a total rug pull by Google, a pattern they are known for (sure, fool me twice, shame on me, but I never expected their MFA token app to delete all my tokens).

User blaming has oftentimes some truth in it :)

I can really not imagine those fuckups you always write about with Google.

Somewhat irritating... is it true, is it not, are you a Google hater bot, are you not? :D

The 2FA codes are backed up in the Google account now, no way you lose them.

Before, it was basic to have them on 2 different devices at least...

I don't understand how it is possible to lose them.

Fun fact: the name of the app did not include "authenticator" before the rename. Because guess what, my Android phone is not in English. So the name was the localized version of "Google Authenticator" (I think it was Google認証). Now it's "Authenticator". No "Google", and not localized, and, obviously, not at the same place while sorted with everything else. And not the same icon.
You are right then, sorry, I could not imagine such a fuckup :)
In the next version of iOS you'll be able to use a third party app to handle the Passkey flow, like how a 3rd party app can handle the password flow today. So you'll be able to remove your passkey from iCloud and use the one inside 1Password instead.

Also, I think the browser thing with Chrome is a matter of extension support; in Edge with 1Password Beta Extension, 1Password definitely takes over Passkey flows instead of using the (absolutely insanely confusing) Windows Hello UX. Just like it takes over password saving (there's an option in settings that shows password sync settings are controlled by the 1Pass extension.) So you may just need to use the Beta extension in your Chrome for now, and I think 1Password will take over from there.

Basically we're moving towards a setup where you trust your password manager to hold onto your passkeys and then the OS will allow that integration. I don't know what the status of these features is on Android.

Ah, that’s good to hear! I use the 1Password beta on Chromium browsers, but obviously that’s a bit awkward when some stuff is saved in Safari, some in 1Password and some elsewhere.

It’s a bit of a mess right now, and even as an IT person, I sometimes think I have a passkey saved for something just for it to not work, either because I used the wrong device or because I didn’t actually save one and forgot.

Or once I had accepted the prompt to store the passkey in Arc (or some other Chromium browser), which then didn’t work in another browser when I tried to log in.

If I get locked out, I expect the ability to reset my passkeys (stored in iCloud primarily) with an email, just like I would with a password reset. Passkeys are cryptographic primitives replacing password strings, not replacing identity. There is a difference.

The Home Depot mobile app does something similar already. Passkeys/biometrics for persisting an iOS session, and to re-up a session, you get emailed a six digit code. Why have the password?

If email as identity is insufficient for your use case, ask the user for a government credential using Stripe Identity or ID.me, or do a token amount charge on a financial account the user has access to (offloading the identity proofing to their bank) to bring their account back up to a higher assurance level (“IAL”) during an access reset.

I recommend recovery contacts if you’re in the Apple ecosystem. Tangentially, set up legacy contacts as well.

https://support.apple.com/en-us/HT212513

https://support.apple.com/en-us/HT212515

https://support.apple.com/en-us/HT212360

(customer and corp IAM is a component of my work at a FinTech)

For this reason, I don’t really use WebAuthn as my (only) second factor – yet.

We’ll soon be able to sync these across platforms using password managers, though. Android already has an API available for them to integrate, I believe; iOS will follow in autumn.