Tips for switching authenticator apps?

Thanks for the follow-up!

I researched Duo a bit (I did not try it, though). It is now owned by Cisco, and much like Authy and Microsoft Authenticator, it lacks an export feature. While that may be good for corporate security, this again makes any future migration to any other authenticator difficult unless you make a secure note with all the 2FA seeds somewhere while initially adding them to Duo. Registration also requires a phone number and a ‘business’ email.

So, on iOS, good choices seem to be 2FAS and Ente Auth (which also has desktop apps), with Aegis also highly recommended for those on Android (there’s no iOS app).

1 Like

Thanks again! Are 2FAS and Ente Auth cross platform or Apple only?

EDIT: I see 2FAS has iOS and Android apps, and Ente Auth has everything, even Linux.

But Ente Auth has 47 app store ratings and Ente Auth has 25,000

A couple of notable differences:

  • 2FAS syncs to iCloud and Google Cloud, depending on the platform. So, it is cross-platform to some extent, as it exists for both, but if you have an Android device, you will need to export on iOS and import the backup on Android. I’ve read that data on iCloud is not encrypted as Apple was not supporting apps doing that, but now the feature is apparently coming. 2FAS can export either an encrypted or unencrypted JSON with all the seeds (so, in the worst case, you can migrate by copying the text keys).

  • Ente syncs via its cloud. I don’t know much about the company, but its main product seems to be a secure cloud for photos.

  • 2FAS has browser extensions for Chromium browsers and Safari. It pairs with the mobile app to fill in codes on websites. You get the notification on the iPhone, pair the saved service for the domain (on first use), and the browser extension then fills in the code.

  • Ente has web access.

  • 2FAS will import from a number of authenticators but not from Ente’s format. Ente will import from 2FAS (and a number of others, including Bitwarden). So, if you’re experimenting with both, set up 2FAS first.

  • 2FAS does not require an account.

  • Ente used to require an account, but now it apparently works without one. However, you need one for sync. It supports a passkey to log in.

I suppose Bitwarden Authenticator (the separate app) will have sync implemented at some point later this year as per their roadmap so it will also become a feasible option for those wanting sync.

3 Likes
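The migration advice in this thread (keep a note of the seeds, or use an export that carries the text keys) rests on one fact: a TOTP entry is nothing more than a shared secret plus a few parameters, so any app that has the same secret and the same parameters produces the same codes. The script below is an added example and is not code from any of the apps discussed; it implements RFC 6238 TOTP with the standard library, parses the `otpauth://totp/` key URI that QR codes and plain-text exports typically carry, and provides the check a practitioner should run before deleting an entry in the old app: compute the code from both entries at the same instant and confirm they match. The secret used is the public RFC 6238 test vector, and the example URIs are constructed, not taken from any real service. It also demonstrates the most common way a "copy the text key" migration silently breaks: an entry with a non-default digit count (or period or algorithm) re-created in a new app with the defaults will validate the secret fine but produce different codes.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Public test vector from RFC 6238: the 20-byte ASCII key "12345678901234567890"
# in base32. Real apps generate a random secret per account; this one is not a
# real credential.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Parse an otpauth://totp/<label>?secret=...&... key URI.

    Missing digits/period/algorithm fall back to the defaults the key URI
    format specifies (6 digits, 30 seconds, SHA1); that fallback is exactly
    what goes wrong when a non-default entry is re-created by hand.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret; nothing to migrate")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the moving time counter."""
    cleaned = secret_b32.replace(" ", "").upper()
    # Exports often strip base32 padding; restore it so b32decode accepts the key.
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(timestamp) // period
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def code_from_uri(uri, timestamp):
    """Current code for an entry given as a key URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])


def migration_matches(old_uri, new_uri, timestamp=None):
    """Return True if both entries yield the same code at the same instant.

    Run this before deleting the entry in the old app. A mismatch means the
    secret was copied wrongly, or a digits/period/algorithm parameter was
    dropped and the new app fell back to its defaults.
    """
    if timestamp is None:
        timestamp = time.time()
    return code_from_uri(old_uri, timestamp) == code_from_uri(new_uri, timestamp)


if __name__ == "__main__":
    # Constructed entries: an 8-digit original, a faithful copy, and a copy
    # where the digits parameter was lost in the move.
    original = ("otpauth://totp/Example:alice%40example.com?secret="
                + RFC6238_SECRET + "&issuer=Example&digits=8")
    faithful = ("otpauth://totp/Example:alice%40example.com?secret="
                + RFC6238_SECRET + "&digits=8")
    lost_digits = ("otpauth://totp/Example:alice%40example.com?secret="
                   + RFC6238_SECRET)
    now = time.time()
    print("original  :", code_from_uri(original, now))
    print("faithful  :", code_from_uri(faithful, now),
          "match" if migration_matches(original, faithful, now) else "MISMATCH")
    print("lost digit:", code_from_uri(lost_digits, now),
          "match" if migration_matches(original, lost_digits, now) else "MISMATCH")
```

The check compares the codes the two entries produce rather than the secrets themselves, because a byte-identical secret with a different digit count, period or hash algorithm still yields different codes, and that is the failure a user only discovers when the login is rejected after the old app is gone.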

OTP Auth is a great app too, one-time purchase, works on iOS, iPadOS and macOS, sync via iCloud. Doesn’t get many updates throughout the year but the dev always updates the app in September/October to iron out any incompatibilities with new OSes.

3 Likes

oops… :grimacing:

I also tend to keep the passwords and 2FA tokens separate as it gives a sense of a bit of added security but that’s not necessarily the case in practice for a majority of users:

But there’s an incredibly specific (and unlikely) scenario in which storing your TOTP in a separate authenticator app may offer additional protection. If an attacker got ahold of your 1Password login information (and your 2FA secret if you’ve added that layer of protection to your 1Password account) but didn’t have control of your device, the separation between your passwords and TOTP could prove useful.

I hedged with may and could because this theoretical attacker who somehow gained access to your 1Password sign-in details would know your email address, Secret Key, and account password (at minimum). Anyone with the ability to gather that much sensitive intel is unlikely to see an authenticator as much of a challenge. And, to my knowledge, there’s no authenticator app or password manager on the market that can safeguard data on a compromised device.

4 Likes

I read that, but I don’t find it convincing that the extremely minor convenience of integrating 2FA into a password manager is worth accepting even a small reduction in security for something so critical.

Of course, having added the feature, 1Password has a vested interest in justifying it.

Wirecutter doesn’t mention Ente, but here’s what they say about 2FAS:

2FAS is one of the best-looking apps we tested, and we especially liked how clear its onboarding process was. It also offers backups, and it can sync codes between your phone and a browser extension. The app is open-source, and its website lists all of the primary developers. However, we couldn’t discern 2FAS’s business model, and we couldn’t find information about how the app secured user information. The app’s developers insist that all communications be handled over Discord, but we did not receive a response to questions submitted to 2FAS developers there.

1 Like

It’s strange that they find the lack of a business model for an open-source app concerning. There are lots of open-source apps out there without a clear business model. They are asking for donations and have a page on who they are. It’s probably their side project (I’m just guessing here); I suppose maintaining a 2FA app does not require lots of work once feature-complete.

As for securing user information, the app doesn’t know anything about you, and it does not require a user account. It does not have your data (compared to Authy) as it syncs via iCloud (and Google on Android), and the only potential issue seems to be that the data there is not encrypted (which is supposedly coming). It can be used on a single device with syncing turned off and no account whatsoever. Google Authenticator also does not provide E2E encryption. I suppose the issue here is potentially if your iCloud is hacked, or if Apple is hacked (in which case we’d have bigger issues as these are only TOTP codes, and worthless without a password).

As a side note, I don’t get all the fascination with Duo, which is recommended elsewhere as well, and requires a business e-mail, a phone number, and your name to register for an online account, without which the app does not work. I’ve not set it up but this seems more aimed at corporate users.

2 Likes

The question about the 2FAS business model is asked now and then on that Discord server, but the developers hardly ever give a transparent answer. I think they once said that one of them is funding everything so far and that they hope to make money in the future by introducing a paid password manager.

1 Like

Regarding Duo Free:

I have set it up due to all the recommendations. Yes, it is aimed at corporate users, but it works fine when used in the free mode.

Would I recommend it? It depends.

There is only a single one-time password I have stored in Duo: the 2FA code to access my 1Password account. I am totally fine with having one code sitting in Duo Free. I am not sure if it is a good idea to depend on the free mode with a lot of codes because it for sure is a hassle to “migrate” TOTPs from one ecosystem to another - and Free is intended as the entrance to the paid options. You never know if Cisco will kill the free option. Cloud stuff has costs attached to it and somebody has to pay in the long run… I do not care with just one code though. It’s a matter of a minute revoking that code.

All other TOTP codes sit in 1Password. In order to connect a new device, a new browser or whatnot to 1Password, the 2FA code stored in Duo or one of my Yubikeys is necessary. I am thinking about going Yubikey-only for 2FA accessing my 1Password account. I have no issues storing TOTPs in 1Password (in order to access my 1Password data, somebody would need my Yubikey/Duo Free, my master password, my email address and my secret key - that will not happen any time soon). I would not have issues storing them in the iCloud keychain (or the new Passwords macOS app frontend when it materializes), either. But I get why somebody could have a different opinion. Each to their own.

1 Like

Asking about the business model is legitimate, though a bit unusual for an open-source project.

However, all the reviews, including the Wirecutter article quoted above, omit that Twilio’s Authy was breached and has leaked customer information at least three times over the past several years (and they continue to recommend it or at least include it as one of the viable options). They also continue to recommend Google Authenticator (from a company with a sub-par privacy record), which does not encrypt keys E2E, and Duo by Cisco, which requires a phone number and an email to register (so collecting much more user data than needed for a 2FA app). Authy and Duo also lock user data with no means of export.

1 Like

What times other than the very recent one was Authy breached? Iirc, Twilio had an issue before that but it wasn’t related to Authy.

In 2022, with a small subset of accounts, but to the extent that hackers could have generated TOTP codes:

1 Like

With good reason though:

Raivo Authenticator has been acquired by Mobime

(People migrating from Raivo being afraid that the same might happen to 2FAS, because of the lack of a business model)

2 Likes

I get that, but there are several other feasible options now to move to. Bitwarden Authenticator will also get the sync feature (as per their roadmap).

1 Like

Not only do I find it very inconvenient to have separate passwords and OTPs, but I would add that using separate password and 2FA apps doubles your attack surface.

Edit: to add that, anyway, your point is absolutely right. It’s just that one has to find the balance between day to day operations and security.

I wouldn’t say that having passwords and TOTPs in separate apps doubles your attack surface as it is highly unlikely both services will get hacked simultaneously; moreover, one is entirely useless without the other (at least for 2FA-enabled accounts).

However, this is more of a theoretical discussion unless you are the target of a state actor with unlimited resources. The weakest point probably remains the device itself if stolen and broken into.

1 Like

It doesn’t double your attack surface because each app holds different data; it’s not two routes to the same data. Storing all of your passwords in two password managers at the same time would double your attack surface.

3 Likes