
Authentication apps

Started by Old Thrashbarg, September 30, 2023, 01:04:20 PM


Old Thrashbarg

Quote from: Sebastian Cobb on September 30, 2023, 11:33:38 AM
I also have another piece of advice that's probably more helpful than the above: migrate away from Google Authenticator onto Authy, it works across devices.

Interesting. Not heard of Authy before. How does it synchronise? Presumably an account is needed for tokens to be stored remotely, or something along those lines?

I've always just used Google Authenticator because it was the first I tried, did the job well and it's never given me a reason to look for anything else.

Sebastian Cobb

It works a bit like a password manager so the app puts your token seeds (the codes or qr code you initially scan) in a vault, encrypted with a master password you input to decrypt on other devices.

It generates the same codes Google Authenticator would and I think it can work with other token schemes too.

Google Authenticator is fine if you only want things on one device, but I like the portability.

There's a slight security trade-off: if someone got into your laptop they might be able to use a saved password and the code, but I don't think that's the main thing 2FA is meant to guard against (I think it's to stop a stolen password being used without going near your devices). And at that point they'd already have access to a lot of logged-in sessions anyway. I rely on passwords and device encryption to keep people out.
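Worked example, added here and not part of the post above: the "token seed" is the base32 secret in the QR code, and any app that has it (Google Authenticator, Authy, or the twenty lines below) produces identical codes, because the code is just RFC 4226 HOTP over an RFC 6238 time counter. The seed and the otpauth URI are constructed test data (the RFC 4226/6238 reference secret), not a real account; the function names and the +/- one step acceptance window are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed seed: the RFC 4226 / RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way it appears in a QR code. Not a real account.
EXAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed otpauth URI of the kind an authenticator app scans (hypothetical label/issuer).
EXAMPLE_URI = (
    "otpauth://totp/Example%20Corp:alice%40example.com"
    f"?secret={EXAMPLE_SEED_B32}&issuer=Example%20Corp&digits=6&period=30"
)


def hotp(seed_b32: str, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(seed, counter) -> dynamic truncation -> zero-padded digits."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)  # apps usually strip padding
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian moving factor
    digest = hmac.new(key, msg, getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(seed_b32, t // step, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Pull the seed and parameters out of an otpauth://totp/... URI (the QR payload)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": unquote(q["issuer"]) if "issuer" in q else None,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def verify(seed_b32: str, code: str, at: int, window: int = 1, step: int = 30,
           digits: int = 6, algo: str = "sha1") -> bool:
    """Server-side check: accept the current step or +/- `window` steps of clock drift,
    comparing in constant time so timing does not leak digit matches."""
    t = at // step
    return any(
        hmac.compare_digest(hotp(seed_b32, t + off, digits, algo), code)
        for off in range(-window, window + 1)
    )


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print("seed from QR:", p["secret"])
    # Same seed, same counter -> same code, whichever app holds the seed.
    print("code at T=59:", totp(p["secret"], at=59, step=p["period"], digits=p["digits"]))
    print("code now:   ", totp(p["secret"]))
```

The server-side point this makes explicit: whoever holds the seed (a vault, a plaintext cloud backup, a compromised laptop) can mint valid codes indefinitely, which is why how the vault is encrypted matters more than which app draws the digits.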

Old Thrashbarg

And how does the vault get stored and accessed? Same sort of thing as a password manager again, with it just being a file you store locally?

Like you, not too bothered about the security aspect once the device itself has been compromised. But I think I'd find it useful/convenient to be able to generate codes from the device I mostly use them on (my laptop), rather than having to reach for my phone.

Sebastian Cobb

The vault is on their servers, but you need to supply the master password to decrypt it when you login on a new device.

I have it installed on my work laptop and my phone. I do have 2fa on some personal things but don't need to supply them frequently enough that I've been arsed to install it on my home laptop, but good to know I can if I lost or broke my phone.

Old Thrashbarg

Ah, it was online storage of the vault I wanted to avoid. Not sure that would pass muster with the security audits we're required to have.

steveh

Google Authenticator will now let you synchronise services across devices if you enable it. However, unlike Authy (and some others?) it doesn't use end-to-end encryption or a master password despite lots of security people pointing out the danger in this. This was an issue in a recent security breach.

https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/