[HN Gopher] Aegis v3.0 - a free, secure and open source 2FA app ...
___________________________________________________________________
Aegis v3.0 - a free, secure and open source 2FA app for Android
Author : microflash
Score : 175 points
Date : 2024-03-24 18:00 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| wofo wrote:
| Aegis should really be more well-known IMO. I installed it on an
| old phone that didn't have enough storage for Google
| Authenticator and was really pleased with the app. The fact that
| it's a community project is also a nice bonus.
| mrd3v0 wrote:
| > The fact that it's a community project is also a nice bonus.
|
| It is more than a bonus. This is the only kind of project where
| you know that tomorrow, the day after, or a year from now there
| won't be profit incentives or a pending IPO to completely abuse
| your experience as a user and extract as much profit as
| possible.
| nicoco wrote:
| Great app that does the job! The kind I don't mind installing on
| my phone.
|
| I use it for Nextcloud, GitHub and my Microsoft account (it was
| really buried in the settings but it is possible to avoid using
| the MS auth something app).
| SushiHippie wrote:
| I really like that more and more apps are starting to use
| Material 3/You.
|
| Apple's UI design was never my cup of tea, but I love the
| consistency of UI design in most iOS apps, compared to the wild
| UI inconsistencies on Android.
| mrd3v0 wrote:
| I'd take a more diverse UI experience on Android any day over a
| more polished yet heavily opinionated experience on iOS.
|
| That being said, I feel like the main complaint about Android
| apps design is the fact that a lot of apps are just horrible
| half-assed implementations of old Material UI slapped together
| on a drag and drop editor like the Android Studio widget
| system. Offering an incentive for people to build anything and
| make money off data collection and ads without the corporate
| tyranny of Apple results in just that. So apps that are on FOSS
| repositories such as F-Droid are usually much cleaner to use,
| despite their UI/UX being just as diverse.
| SushiHippie wrote:
| Agreed. I've never owned an iPhone, so I'm kind of used to the
| Android experience and don't mind that much, but I'm just
| happy that it gets more and more consistent, at least in the
| apps I use.
|
| Though I only use FOSS apps so I can't speak for the
| playstore apps.
| ParetoOptimal wrote:
| Aegis is good and I enjoy using it.
|
| I hope others don't follow Microsoft Authenticator's footsteps in
| creating their own authenticator, saying others are insecure, and
| not allowing authenticators like Aegis.
| noman-land wrote:
| Aegis is really great. So nice not to use proprietary
| authenticators. And it can do import and export.
|
| Does anyone know the history of this project? It seems legit but
| an authenticator is a pretty sensitive application so making sure
| this app is trustworthy is a little more important than for other
| apps.
| kristjank wrote:
| I used it until I switched to KeePassXC for all of my secret
| management means, but it's still a great app to fall back to, and
| allows for simple information exchange when moving to another
| app.
| RandomGuy456 wrote:
| Hi!
|
| I use both plus Syncthing to automatically backup my vault to
| the pc. Great combo!
| TrailMixRaisin wrote:
| I use this app and am very happy. For me the selling point was
| the possibility to back up my profile and therefore all the
| configured keys.
| sebastiennight wrote:
| Last year Google Authenticator started syncing secrets to the
| cloud[0] which means that those secrets can now be accessed in
| new ways outside of the user's control[1], which resulted in a
| huge breach at a startup called Retool[2].
|
| From then on I started moving my company's team and contractors
| (as well as family and friends) off of Google Auth and onto
| Aegis. The app is clean, easy to use, open source, and has all the
| options we could dream of. (And its privacy policy isn't tens-
| of-pages-long like some other apps', where privacy seemed to be
| part of the marketing strategy but not the product itself.)
|
| I've been a very happy user.
|
| [0]: https://news.ycombinator.com/item?id=35690398
|
| [1]: https://news.ycombinator.com/item?id=35708869
|
| [2]: https://news.ycombinator.com/item?id=37500895
| warkdarrior wrote:
| Syncing to the cloud is an opt-in setting in Google Auth.
| cmiles74 wrote:
| It was not in my case. I found out about this feature when I
| saw the green cloud icon and pressed it to find out what it
| meant. At that time I was made aware that my data was saved in
| my Google account.
| ckcheng wrote:
| That sounded scary, but after reading into the Retool breach
| (thanks for pointing it out), it doesn't sound like Google
| Authenticator is completely to blame.
|
| Retool points out the "attacker was able to navigate through
| multiple layers of security" [0], i.e.:
|
| 1. "through a SMS-based phishing attack" on "Several employees"
|
| 2. "one employee logged into the [SMS phishing] link", "logging
| into the fake portal"
|
| 3. "attacker called the [phished] employee" "and deepfaked our
| [IT team] employee's actual voice"
|
| 4. "the [phished] employee grew more and more suspicious, but
| unfortunately did provide the attacker one ... (MFA) code"
| (over the call)
|
| 5. "The additional OTP token shared over the call was critical,
| because it allowed the attacker to add their own personal
| device to the employee's Okta account, which allowed them to
| produce their own Okta MFA from that point forward."
|
| 6. "This enabled them to have an active GSuite session on that
| device." With "Google Authenticator synchronization feature
| that syncs MFA codes to the cloud", "if your Google account is
| compromised, so now are your MFA codes".
|
| By #5, I'm thinking GA sync is about as blameworthy as Okta for
| allowing a device to be added with just a single additional OTP
| token shared over a phone call?
|
| Here's a different perspective (tptacek) [1]:
|
| >> We use OTPs extensively at Retool: it's how we authenticate
| into [Google, Okta, internal VPN and Retool]
|
| > They should stop using OTPs. OTPs are obsolete. For the past
| decade, the industry has been migrating from OTPs to phishing-
| proof authenticators: U2F, then WebAuthn, and now Passkeys+.
| The entire motivation for these new 2FA schemes is that OTPs
| are susceptible to phishing, and it is practically impossible
| to prevent phishing attacks with real user populations
|
| > TOTP is dead. SMS is whatever "past dead" is. Whatever your
| system of record is for authentication (Okta, Google, what have
| you), it needs to require phishing-resistant authentication.
|
| > My only concern is the present tense in this post about OTPs,
| and the diagnosis of the problem this post reached. The problem
| here isn't software custody of secrets. It's authenticators
| that only authenticate one way, from the user to the service.
|
| [0] https://retool.com/blog/mfa-isnt-mfa
|
| [1] https://news.ycombinator.com/item?id=37503551
| teekert wrote:
| How do you make sure normies you support don't lose their TOTP
| private keys? Do you ask them to back them up?
|
| On iOS I use MS authenticator with backup in iCloud, I'm just
| too scared of losing the keys. I advise muggles to do the same.
| snibsnib wrote:
| It does support android cloud backups, but I usually have an
| encrypted export saved somewhere else.
| Elbrus wrote:
| > I started moving my company's team and contractors (as well
| as family and friends) ... onto Aegis
|
| An important question on this, if you don't mind:
|
| If the phone, where Aegis was installed, is dead/lost/stolen,
| which options are available to make sure that access to the
| accounts linked to that phone wouldn't be lost either?
| nzeid wrote:
| I happened upon this app recently when I was frantically
| searching for a Google replacement. Couldn't believe something
| this polished was lurking. I used another open source app several
| years ago but it got discontinued (FreeTOTP or something).
| yoavm wrote:
| I love Aegis but I can't help but think that it's sad we ended up
| in this place with regards to 2FA. When all these temporary codes
| started they were sent over SMS, which was insecure but at least
| all I needed to do was to pick up my phone. Nowadays I open Aegis
| and I have > 20 services there, and trying to look for my code
| between all the running numbers is a pain.
|
| It would have been so much more comfortable if we flipped this
| around a little - the website would present a QR code, you would
| open the phone and scan the code, the phone would make a request
| signed with your key to a URL, and the website would authenticate
| you because by making this signed request you proved that
| "something you have" part is done.
|
| It feels like when the 2FA thing started no one considered that
| sooner or later all services will require it, and the UX will be
| terrible.
| fcsp wrote:
| That's pretty close to webauthn, which works very nicely with
| yubikeys if the service supports it. 2fa? Please tap yubi
| button - done.
| khimaros wrote:
| you might enjoy Bitwarden (self hosted with vaultwarden) which
| copies the TOTP to clipboard after logging in to a site.
| yoavm wrote:
| I'm using Bitwarden, for passwords, but I always felt
| uncomfortable with the idea of having my 2FA on my laptop
| too. It feels a little silly - if Bitwarden has both my
| password and my 2FA code, it's enough to hack my Bitwarden
| and all this "multi-factor authentication" isn't very "multi"
| anymore...
| sunaookami wrote:
| You shouldn't lose any security when your vault itself is
| protected with 2FA.
| OJFord wrote:
| But then it's barely better than 2FA vault & 1FA app.
| ('Barely' because it's like a bit of depth, and breadth
| into a few specific attacks revolving around the app's
| poor handling of your password.)
| LinAGKar wrote:
| Some can do that in their own app, e.g. Steam Guard. Too bad
| that's not a standard. But the FIDO2/webauthn stuff may be
| similar.
| panick21_ wrote:
| I don't want that to be the standard. I don't want 20
| different apps for each bank and each provider.
| LinAGKar wrote:
| No, but a standard so that any app could implement that
| functionality and have it work with any service that
| supports it
| kmlx wrote:
| > the UX will be terrible.
|
| If you run Safari and store all your passwords using iCloud
| "Passwords", Safari will automatically prefill the 2FA code. I
| assume this is the case for other browsers as well?
| eipi10_hn wrote:
| > Nowadays I open Aegis and I have > 20 services there, and
| trying to look for my code between all the running numbers is a
| pain.
|
| I just click search and type 2-3 characters and most of the
| time I can see what I need right away. I'm using way over 20
| services with 2FA and that's really the least of my concern.
|
| And I actually don't use search that much since Aegis also has
| a feature of sorting by the usage so whatever I'm using
| regularly are already at the top for me.
| freedomben wrote:
| I agree this kind of sucks (I have about 40 tokens on there),
| but it's relatively well mitigated with the search
| functionality and typing the first few characters of the
| service. This works for all that I've tried except the root MFA
| token from AWS, and I could easily fix that by exporting and
| changing the name and re-importing if I wanted to.
|
| This has two things about it that make me actively not want it:
|
| 1. Does not work offline (requires an internet connection to
| work). The current design for TOTP is super flexible as they
| only require time synchronization, which doesn't require an
| internet connection.
|
| 2. It means I have to install an app for each service, which I
| absolutely do _not_ want to do. I would prefer to only use
| native apps for things that actually need to be native. PWAs
| and web UIs are strongly preferred for me. A comprehensive and
| robust way to manage permissions would mitigate my dislike for
| native apps somewhat, but this is getting harder and harder
| (though praise be unto GrapheneOS for their efforts!)
|
| From an engineering perspective, it also feels like unnecessary
| bloat/complexity and coupling.
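Worked example added by the editor (it is not code from this thread, from Aegis, or from any other app named above) for two points the comments make: that tokens move between authenticators through a plain export/import path, and freedomben's observation that TOTP needs nothing but a clock. It parses an otpauth://totp/ key URI, the usual interchange format for a token (the page does not say which format Aegis's own export uses), and derives and verifies codes per RFC 6238. The URI, account label and skew window are constructed for the example; the secret is the RFC 6238 reference secret "12345678901234567890".

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TOTPKey holds what an otpauth://totp/ URI carries when one authenticator
// exports a token for another to import.
type TOTPKey struct {
	Label  string // "Issuer:account", already percent-decoded
	Secret []byte
	Algo   string // SHA1, SHA256 or SHA512
	Digits int
	Period int64 // seconds per time step
}

var hashes = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}

// ParseOTPAuth parses the key-URI format; defaults are SHA1, 6 digits, 30 s.
func ParseOTPAuth(raw string) (*TOTPKey, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, errors.New("not an otpauth://totp URI")
	}
	q := u.Query()
	k := &TOTPKey{Label: strings.TrimPrefix(u.Path, "/"), Algo: "SHA1", Digits: 6, Period: 30}
	if v := q.Get("algorithm"); v != "" {
		k.Algo = strings.ToUpper(v)
	}
	// Base32 secret: case-insensitive, trailing padding optional.
	s := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	if k.Secret, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s); err != nil || len(k.Secret) == 0 {
		return nil, errors.New("invalid base32 secret")
	}
	if v := q.Get("digits"); v != "" {
		if k.Digits, err = strconv.Atoi(v); err != nil || k.Digits < 6 || k.Digits > 10 {
			return nil, errors.New("digits must be 6..10")
		}
	}
	if v := q.Get("period"); v != "" {
		if k.Period, err = strconv.ParseInt(v, 10, 64); err != nil || k.Period <= 0 {
			return nil, errors.New("period must be a positive integer")
		}
	}
	return k, nil
}

// CodeAt is RFC 6238: HOTP (RFC 4226) over the counter floor(unix/period).
// Only the shared secret and a clock are needed; no network is involved.
func (k *TOTPKey) CodeAt(unix int64) (string, error) {
	newHash, ok := hashes[k.Algo]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", k.Algo)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/k.Period))
	mac := hmac.New(newHash, k.Secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // dynamic truncation offset
	bin := uint64(binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff)
	mod := uint64(1)
	for i := 0; i < k.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", k.Digits, bin%mod), nil
}

// Verify is the relying party's side: accept the current step and +/-skew
// neighbouring steps (clock drift), compared in constant time with no early exit.
func (k *TOTPKey) Verify(code string, unix int64, skew int) bool {
	ok := 0
	for d := -skew; d <= skew; d++ {
		if want, err := k.CodeAt(unix + int64(d)*k.Period); err == nil {
			ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
		}
	}
	return ok == 1
}

func main() {
	k, err := ParseOTPAuth("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
	if err != nil {
		panic(err)
	}
	code, _ := k.CodeAt(time.Now().Unix())
	fmt.Println(k.Label, code)
}
```

Verify ORs the constant-time comparisons for every step in the window together instead of returning on the first match, so response time does not reveal which step matched. Widening the skew window also lengthens the life of every code, including one an attacker has just phished, which is why one step either side is the usual compromise.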
| yoavm wrote:
| I agree regarding the offline ability, though literally all
| the things I'm using 2FA for are online, as they are about
| logging-in to services.
|
| As for the 2nd point - I definitely don't think it has to be
| a separate app for each service. Why would it? Imagine an app
| that holds a private key, the website showing a QR code, you
| scan it with the app, the app sends the public key to the
| service using a URL provided in the QR code, and the service
| stores your public key. From now on, every time you want to
| login you're asked to scan a QR code, which makes the app
| send a signed request to a URL encoded in it. The service
| gets the request and proceeds with the login. One app, all
| services.
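Added example (editor's code; not a protocol from this thread, from Aegis, or from WebAuthn): the one-app, one-keypair QR scheme yoavm sketches above, with the detail that tptacek's comment quoted in ckcheng's reply insists on: the phone signs not only the nonce but the origin it is about to send the assertion to, so the service can tell an assertion signed for a look-alike host from one signed for itself. Field names, the message encoding, the user name and the hostnames are constructed for the example; Ed25519 from Go's standard library stands in for whatever key type a real design would pick.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// QRPayload is what the site encodes in the login QR code (constructed
// format for this example, not a standard).
type QRPayload struct {
	Origin string // where the app must POST the assertion
	Nonce  string // fresh and single-use per login attempt
	User   string
}

// Assertion is what the app posts back. Origin is the origin the app
// actually connected to, which is what it signed.
type Assertion struct {
	User, Origin, Nonce string
	Sig                 []byte
}

// challengeMessage is the exact byte string signed and verified; length
// prefixes keep the field boundaries unambiguous.
func challengeMessage(origin, nonce, user string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s",
		len(origin), origin, len(nonce), nonce, len(user), user))
}

// Server is the relying party: registered public keys and outstanding
// challenges (nonce -> user). A real deployment adds expiry and locking.
type Server struct {
	origin string
	keys   map[string]ed25519.PublicKey
	nonces map[string]string
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, nonces: map[string]string{}}
}

// Register is enrolment: the app's public key is stored once per user.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// NewChallenge mints a random nonce, remembers who it was issued to and
// returns the payload the page would render as a QR code.
func (s *Server) NewChallenge(user string) QRPayload {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(b[:])
	s.nonces[nonce] = user
	return QRPayload{Origin: s.origin, Nonce: nonce, User: user}
}

// Verify consumes the nonce first (even if a later check fails, so nothing
// can be retried), then checks origin binding, then the signature.
func (s *Server) Verify(a Assertion) error {
	user, ok := s.nonces[a.Nonce]
	delete(s.nonces, a.Nonce)
	pub, haveKey := s.keys[a.User]
	switch {
	case !ok:
		return errors.New("unknown or already used nonce")
	case user != a.User || !haveKey:
		return errors.New("nonce was not issued to this user, or user has no key")
	case a.Origin != s.origin:
		return fmt.Errorf("assertion was signed for %q, not %q", a.Origin, s.origin)
	case !ed25519.Verify(pub, challengeMessage(a.Origin, a.Nonce, a.User), a.Sig):
		return errors.New("bad signature")
	}
	return nil
}

// App is the phone side: one private key serves every site.
type App struct{ priv ed25519.PrivateKey }

func NewApp() *App {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &App{priv: priv}
}

func (a *App) Public() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign answers a scanned code. connectedOrigin is the origin the app will
// POST to; it goes into the signed bytes, so a look-alike host that relays
// the real site's QR payload still receives an assertion naming itself.
func (a *App) Sign(qr QRPayload, connectedOrigin string) Assertion {
	return Assertion{User: qr.User, Origin: connectedOrigin, Nonce: qr.Nonce,
		Sig: ed25519.Sign(a.priv, challengeMessage(connectedOrigin, qr.Nonce, qr.User))}
}

func main() {
	srv, app := NewServer("https://example.com"), NewApp()
	srv.Register("alice", app.Public())
	fmt.Println("genuine:", srv.Verify(app.Sign(srv.NewChallenge("alice"), "https://example.com")))
	fmt.Println("phished:", srv.Verify(app.Sign(srv.NewChallenge("alice"), "https://examp1e.com")))
}
```

Origin binding defeats the phishing page that has to receive the assertion itself, and a TOTP code has nothing comparable, since the same six digits are valid wherever they are typed. It does not defeat an attacker who gets the victim to scan the genuine site's QR code while the attacker's own browser holds the session the challenge was issued to; that relay is why WebAuthn's cross-device flow pairs its QR code with a Bluetooth proximity check, and why a real deployment of this sketch would tie each nonce to the requesting browser session and expire it quickly.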
| noman-land wrote:
| Couple things no one's mentioned yet. In Aegis you can add
| icons to token slots, and manually sort them (alphabetically).
| This, plus searching, helps a lot in finding tokens quickly.
| They have pre-existing icons for most of the common sites.
| OJFord wrote:
| I almost^ missed a train recently because I tried to book my
| ticket and for the first time ever (and actually not since
| either) Amex wanted to send me a verification code. They
| support only SMS & email, but you can't change it for the
| current one and it was set to SMS, and I don't have email on my
| phone anyway & was at the station. Anyway - SMS didn't arrive.
| Had the same thing recently with them from a bank, it's the
| network blocking them, suspected spam or whatever.
|
| There's plenty of other reasons not to use SMS 2FA, but it
| might suddenly not work one day right when you need it, and
| totally out of your control, is perhaps the most universally
| compelling?
| sunng wrote:
| I have been using andOTP for years but development seems to
| have halted, and it's no longer available from F-Droid. The
| backup-with-GPG-encryption feature is broken.
|
| I hope it's possible to import my OTPs from andOTP into Aegis.
| Backup encryption with GPG (OpenKeychain) would also be welcome.
| CorrectHorseBat wrote:
| Yes it's possible to import from andOTP
| jrm4 wrote:
| Since we're here: Anyone else dealing with the stupid thing where
| your organization won't let you have your generating token thing
| and instead force you into e.g. Duo?
|
| I have only one, and it's frustrating. I know it's probably
| breakable with rooted Android or something but haven't had much
| time to look into it (or fight it).
| explosion-s wrote:
| Duo lets you use a physical security key, I then use bitwarden
| to store that as a passkey. Not quite a full replacement but
| good enough for me (you can also self host bitwarden [0])
|
| [0] Vaultwarden
| panick21_ wrote:
| I use one that has to be activated with the Yubikey over NFC.
| Pretty slick.
| freedomben wrote:
| I adore Aegis, and view it as one of the most important apps on
| my phone.
|
| If you use Aegis on Android and use a Gnome-based Linux distro, I
| highly recommend complementing with Gnome
| Authenticator[1][2][3][4]:
|
|     flatpak install flathub com.belmoussaoui.Authenticator
|
| Gnome Authenticator is still a little early and buggy (mainly
| performance issues when you have lots of tokens), but it can
| import and export Aegis format (and a few others). It's been
| downright luxurious having my seeds on my phone and my laptop and
| desktop.
|
| [1] https://gitlab.gnome.org/World/Authenticator
|
| [2] https://flathub.org/apps/com.belmoussaoui.Authenticator
|
| [3] I think (I hope) that Gnome Authenticator will be distributed
| as part of Gnome at some point in the future, but it isn't yet
|
| [4] It's also super easy to build and run from source using Gnome
| Builder[5]. Just open Builder and clone the source from gitlab,
| and click the "Build" button and it will do its thing
|
| [5] https://wiki.gnome.org/Newcomers/BuildProject
| Narushia wrote:
| I'm currently a happy user of 2FAS[1], any idea how Aegis
| compares to it? A quick search suggests that Aegis doesn't
| support multiple devices and is not available on desktop.
|
| [1]: https://2fas.com/
| brandensilva wrote:
| Let's hope they add a desktop app. I'm on that screen more than
| my phone. I'm not one to care about having my phone on me all
| the time.
| lern_too_spel wrote:
| Just use Bitwarden. The UI is clunkier, but the UX is better.
| After it fills in the username and password, it puts the OTP in
| the clipboard, so you can just paste and go without opening an
| app and manually copying it into the login form.
| tremarley wrote:
| Using a password manager as your authenticator seems very risky
| to me.
|
| You should use separate services.
|
| If your password manager is breached, at least the infiltrator
| cannot pass 2FA.
| lern_too_spel wrote:
| It is no different from Passkeys in that regard, yet we're
| fine with that. If you want extra security, you would have
| your password manager and your OTP generator on different
| devices, but only a small fraction of people do that. Storing
| your OTP generator secrets and your passwords in the same app
| provides a reasonable trade-off between security and
| convenience for most people.
| belthesar wrote:
| I'm hard opposed to storing my second factor codes alongside my
| first factors. Part of the reason why I use 2FA is because if
| my password store is compromised, the accounts in it that are
| compromised do not contain all of the credentials necessary to
| log into the accounts protected by 2FA. I also do not store my
| emergency removal codes in the same secret store as my
| passwords for this reason.
| tremarley wrote:
| Are there any good 2FA applications for Desktop?
|
| Using the phone to authenticate every login seems very
| inefficient.
|
| Some of us do not like using the phone.
| mhitza wrote:
| I use Bitwarden for passwords and 2FA (browser plugin, Android
| app for mobile). Definitely not recommended by anyone security
| focused, but these 2fa are forced onto me by different
| platforms and not something I chose/care.
|
| There should be desktop authenticator software. If I can have
| one on Linux I'm sure all the other desktop OSs have at least
| 1.
| Zizizizz wrote:
| https://github.com/tadfisher/pass-otp
| jonotime wrote:
| I use keepass on phone and desktop
| occam65 wrote:
| I've been using Aegis for a number of years, and have found
| nothing I don't like about it. It's a perfectly functional app,
| and I'm looking forward to trying out the new update!
| korm wrote:
| Here's a utility to convert exported Aegis JSON to a Keepass 2 or
| KeepassXC database if anyone's interested
| https://github.com/GeKorm/atk (binaries in the releases page)
| jonotime wrote:
| This looks very nice. Had I not just moved all my 2FA to KeePass,
| I would give it a go. My setup: Mac desktop, Linux desktops,
| Android, with Syncthing to tie it all together.
| cosmojg wrote:
| Bitwarden and KeePassXC also provide free, secure, and open-
| source 2FA in addition to password management. I keep my TOTP
| secret keys separate from my passwords simply by storing them in
| separate vaults. I don't know why anyone would use anything else
| (although I'd love for someone to comment and tell me).
___________________________________________________________________
(page generated 2024-03-24 23:00 UTC)