by djha-skin 908 days ago
You were not forced to do that because TOTP is manageable via password manager.

TOTP and yubikey are excellent technologies that way. They allow two-factor authentication without breaking privacy.

Everyone within the sound of my voice: get a password manager. It sounds like a hassle but it makes your life infinitely better. It allows you to keep your life private and more secure than it was while providing more convenience than you had before.

I recommend KeepassXC. Open source, audited, fully featured, and can be paired with one of several different kinds of syncing technologies depending on your risk appetite.


I think it's odd that PyPI doesn't list any desktop programs, like KeepassXC, at https://pypi.org/help/#twofa , only mobile ones. That makes it seem like 2FA is mobile-only.

I expect some people don't want to mix work accounts on their personal phone ("keep your life private"), and smart phones are still not universal, even among developers.

Many people seem to believe that keeping your 2FA keys in an un-backupable mobile app and away from your computer is safer than keeping it in your backupable and multi-device password manager.

Unless you think PyPI is guided by that belief, that doesn't explain why they don't list desktop solutions.

PyPI doesn't list desktop solutions because I made that list back in 2019 and didn't think to list them. If you have some reputable desktop password managers that support TOTP that you'd like to see listed, you should open a PR for them!

You are certainly far more qualified than I to know which desktop password managers are reputable.

I only installed KeepassXC two weeks ago to try it out because several people here on HN mentioned it, and because it was free software not connected to for-profit companies.

It is the only one I've tried, and I've only used it once, to see what it was like.

I think your historical comment omits something. When I made this complaint back in 2019 you replied at https://news.ycombinator.com/item?id=20058199 saying "I've forwarded this thread along to others working on PyPI as part of the OTF grant, and we'll be figuring out how best to explain using TOTP without being too mobile-centric."

That mobile-centric list hasn't changed, and I still don't have, nor want, a smart phone.

So KeepassXC can do TOTP like Authy? 'Cause I would love to switch from that app if I can.

Yes!
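To make that last exchange concrete: a TOTP code is not something an app owns. It is an HMAC over a shared secret and the current 30-second counter (RFC 4226 HOTP, RFC 6238 TOTP), so any client that holds the secret, KeepassXC, Authy or a dozen lines of Python, produces the same six digits. The block below is an added example for this page, not code from the thread or from either of those projects. The otpauth URI and the account label in it are constructed; the secret is the RFC 4226/6238 test-vector key, so the digits can be checked against the RFC.

```python
"""Added example: compute and verify TOTP codes the way a password manager does.

Not code from the thread or from KeePassXC/Authy. The otpauth:// URI and
its label are constructed for this example; the key is the RFC test vector.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that QR codes carry and vaults store."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].strip().upper().rstrip("=")
    b32 += "=" * (-len(b32) % 8)                          # restore base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify(secret: bytes, code: str, for_time=None, window: int = 1,
           step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check: accept +/- `window` steps of clock skew, compare in constant time."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrolment URI (hypothetical label "PyPI:alice"); the secret is
    # the RFC key in base32, so the output matches the RFC 6238 vectors.
    uri = ("otpauth://totp/PyPI:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
           "&issuer=PyPI&digits=6&period=30")
    acct = parse_otpauth(uri)
    print(acct["label"], "code at T=59:", totp(acct["secret"], 59))   # 287082
    print("current code:", totp(acct["secret"], period := acct["period"]) if False
          else totp(acct["secret"], step=acct["period"], digits=acct["digits"],
                    algorithm=acct["algorithm"]))
```

`verify` is the other side of the same computation: a site that enrolled the same secret recomputes the code for the current step and one step either side, which is why a desktop vault with a correct clock works exactly as well as a phone app.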