HN Reader

Ask HN: Who is hiring? (September 2025)

142 points by whoishiring 8h ago 121 comments

Ask HN: Who wants to be hired? (September 2025)

72 points by whoishiring 8h ago 157 comments

Ask HN: Best foundation model for CLM fine-tuning?

26 points by philomath868 4d ago 16 comments

Ask HN: Tools for Crossword Puzzle Generation?

2 points by ekorbia 2h ago 1 comments

Ask HN: The government of my country blocked VPN access. What should I use?

1316 points by rickybule 4d ago 722 comments

Change Tracker: Monitor+revert file edits from Claude/AI agents(in-memory VCS)

2 points by ankit95742 6h ago 0 comments

Ask HN: Do custom ROMs exist for electric cars, for example Teslas?

49 points by j1000 10h ago 40 comments

Ask HN: How do you fight YouTube addiction and procrastination? I'm struggling

138 points by angelochecked 1d ago 133 comments

Tell HN: Use "-f**k" to kill Google AI Overview

91 points by camillomiller 14h ago 86 comments

Ask HN: What to learn for math for modeling?

70 points by shivajikobardan 5d ago 28 comments

Ask HN: Why hasn't x86 caught up with Apple M series?

450 points by stephenheron 7d ago 620 comments

Tell HN: My advice after I applied to 450 positions before getting hired

125 points by usernamed7 2d ago 171 comments

Ask HN: Did Developers Undermine Their Own Profession?

8 points by rayanboulares 16h ago 16 comments

Ask HN: Which Open Source License to Choose for a Python Language Server

11 points by davidhalter 1d ago 12 comments

Ask HN: How much are you guys paying for AI coding tools monthly?

11 points by codeman001 11h ago 12 comments

Hacker News Alternativies

15 points by default_ 1d ago 7 comments

JDeploy 5.0: Deploy Java Desktop Apps to ARM64 Windows and Linux with One Click

3 points by shannah78 9h ago 0 comments

FUGC: Understand the GC in Fil-C

4 points by ricecat 9h ago 0 comments

Ask HN: How can I recover and run my old mobile game from the 2010s?

56 points by diasks2 7d ago 47 comments

Looking for Info on Aerosol Pathogen Detection

3 points by Arete314159 1d ago 0 comments

Ask HN: Anyone using their own custom text editor?

17 points by vasko 2d ago 7 comments

Ask HN: Any Android Engineers Here?

9 points by gooob 2d ago 1 comments

Ask HN: Best self-hosted wiki solution in 2025? Mediawiki or something else?

18 points by jMyles 3d ago 7 comments

Ask HN: What do you think about GFW?

7 points by JOHN-DAN 2d ago 4 comments

Ask HN: Should we stop worrying that AI will replace developer jobs?

10 points by _pdp_ 3d ago 20 comments

Ask HN: Best codebases to study to learn software design?

107 points by pixelworm 8d ago 92 comments

Ask HN: What options do I have for self-hosted end to end encrypted group chat?

18 points by wzamqo 3d ago 12 comments

Ask HN: What to Do with Old iPads?

30 points by owenmakes 6d ago 19 comments

Ask HN: What to do when you suspect your interview is with a state operative?

20 points by puppycodes 3d ago 8 comments

Ask HN: If burnout tells you that you are in the wrong job/career, why avoid it?

6 points by amichail 2d ago 7 comments

De-Googling TOTP Authenticator Codes

94 Two9A 126 9/1/2025, 9:52:03 AM imrannazar.com ↗

Comments (126)

Aachen · 13h ago
To be clear, the point of storing a secret token on your phone and then typing over some codes that prove you have access to the secret still, is to provide 2FA. If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

That can be fine if that's what you want, but if you wanted 2FA:

- FreeOTP: https://f-droid.org/packages/org.fedorahosted.freeotp

- someone forked that and called it FreeOTP+: https://f-droid.org/packages/org.liberty.android.freeotpplus

- FreeOTP again but from the dark side of the internet: https://play.google.com/store/apps/details?id=org.fedorahost...

- etc. It's a dead simple protocol so there'll be lots of options. Pick one that you trust

Edit: Even with the PGP option shown at the end of the article, the secret is still accessible to any malware whenever you access it. Unless PGP-based 2FA becomes super widespread, this won't be something malware looks for and so you'll be fine unless you are targeted by intelligence agencies, but still, it's not quite 2FA because it's not something you "have" but something you "know" (the PGP data's unlock password)

ori_b · 8h ago
If you log into accounts from your phone, that's also 1fa in the same way. And if you keep your phone in the same place as your laptop, so it can get stolen at the same time, that's also effectively 1fa.

The threats that TOTP protects against are ones that don't involve losing your device. For example, if somebody breaches a password database or phishes your password, TOTP codes prevent them from using the leaked credentials.

Phishing/bulk password dumps are more common issues than device theft.

bkettle · 6h ago
It depends on the phone, but for many phones the security story remains very good even when lost, unless someone knows your passcode. So it’s still “something you know” protecting the password and the TOTP code, but it’s different things that you know and strict rate-limiting on the phone side that wouldn’t be possible on an internet-exposed authentication system makes it extremely difficult to guess the phone passcode.
dngray · 6h ago
> If you log into accounts from your phone, that's also 1fa in the same way.

Not quite, there's a lot more sandboxing on phones than what might go on with desktop.

johnisgood · 6h ago
Not on my desktop. It is much more sandboxed than any smartphones.
ori_b · 6h ago
That sandboxing doesn't help if your phone gets stolen.
tim333 · 1h ago
iphones are pretty secure against theft unless they get your pin or some such. I have two friends who forgot their own pins and the data was unretrievable in spite of their best efforts.
philipwhiuk · 6h ago
Or rather, the people interested in phone/device theft aren't expecting and aren't after your TOTP keys.
lokar · 8h ago
If you have a Mac, what about using keychain? It has a cli/api and is protected by the Secure Enclave (so 2nd factor to unlock that)
Marsymars · 6h ago
> Secure Enclave (so 2nd factor to unlock that)

How so?

lokar · 6h ago
You need the fingerprint sensor to unlock it
styanax · 12h ago
I would recommend Aegis Authenticator [1] - available in the Play store or F-Droid. It's been featured on HN now and again. One thing it can do is import the data of all the other OTP apps, and create backup files (the seeds) which you can do whatever you want with.

[1] https://github.com/beemdevelopment/Aegis

com2kid · 7h ago
Keepass now supports 2fa tokens, just use that. Plenty of open source clients on different platforms and you can sync the encrypted database file using whatever mechanism you like, drop box, one drive, etc.
zeta0134 · 12h ago
I use this, but recently ran into an issue: I only have one Android device. It's great to be able to back up my secrets, but frustrating to need to spin up an emulator on my computer to run an Android app just to use the backups, if my primary device is offline for whatever reason. Is there a way to use the vault directly?
styanax · 12h ago
Very interesting question, I have no experience here. What I do instead is scan my QR codes into two apps on different devices when I make them (I do not make them very frequently so it's not a chore). Because I'm sort of pessimistic after a lifetime working in tech - everything that uses electricity breaks and fails. I build redundancy into all my (things) and just expect one of them to fail. Goes for email providers, hard drives and OTP codes - if I could have a backup washing machine, I would. :)
BuildTheRobots · 3h ago
> What I do instead is scan my QR codes into two apps on different devices when I make them

Amazingly, I'd never even considered this as a possibility. Thank you for the paradigm shift.

magarnicle · 37m ago
I do that too, but you don't really need to with Aegis as it has import/export.

Aegis also works very well on Android Go dumb-ish phones.

xethos · 12h ago
Aegis authenticator backups can be imported into Gnome Authenticator. I'm using it, I know it works, but I don't recall the format GA requires
Freak_NL · 8h ago
I just copy the OTP-URL from Aegis and place it into pass (passwordstore.org, with the pass-otp extension) on my desktop computer. That pass instance is backed up along with everything else which matters.
Aachen · 12h ago
If you move the secret tokens onto the same device (like in that emulator that presumably runs where your password manager also runs), we're again back to the oathtool solution that is described in the OP, that doesn't have the same security benefits as the original intent of supplying you with a 2FA token. Not saying you shouldn't do this, just something to be aware of when you use the export mechanism in this way
s2l · 12h ago
1. Aegis has a setting for creating secure backup on every change. 2. Autosync that backup directory via syncthing to your PC. 3. Run a compatible desktop software (e.g. linux has authenticator) to import aegis backup files manually.

Since totp addition is not a frequent activity, the last manual import step was not a hassle to do whenever needed.

littlecosmic · 13h ago
The risk factor is mainly that someone got the password from a web application hack not that they logged into your computer and accessed your password manager. In the web app scenario it is still a second factor.
Aachen · 12h ago
If you use a password manager, or another mechanism that makes each password unique and unguessable, the password and the "2FA" seed token are both the same type of secret string, and both are stored on the same disk. There is no added benefit to 2FA if you store the 2FA secret next to the password when both are generated securely

But I'm not saying you should care about this. Everyone can make their own risk assessment, especially if you know about common attacks like the data breaches that you mention

tremon · 12h ago
the password and the "2FA" seed token are both the same type of secret string

This is a category error. The 2FA seed token may be a string of bytes just like the password, but the seed is never communicated outside your device. That makes them different types of secrets: a capture of the transmitted login codes will not compromise the 2FA seed. Even if you auto-generate the password in the same way, it's the actual valuable secret that needs to leave your device -- by design.

I don't know if a website database breach compromises both keys. Is the 2FA seed a pre-shared key, or is the algorithm asymmetric? I seriously hope it's the latter, but I don't know for sure.

8cvor6j844qw_d6 · 12h ago
Symmetric as another poster mentioned. With some margin for connection delays (e.g., server checks 3 codes (1 forward and 1 backward) for a total of 90 seconds) [1].

I'll be interested in a asymmetric variant although I'll probably use a popular library and call it a day if I have to get involved in 2FA.

[1]: https://auth0.com/blog/the-working-principles-of-2fa-2-facto...

bkettle · 5h ago
Do we have the crypto to build an asymmetric variant? The way that I’d immediately think to do it is have the authenticator create a signature over the current time (chunked into 30-second windows) and the service verify that signature, but obviously those signature texts are way too long to manually enter as a one-time code. (Symmetric) TOTP solves this length problem by just truncating the output of a hash function, which both the authenticator and the service can produce because they have a shared secret. But in the signature case the service would need the entire signature to validate it; any truncation would make it useless.

It’s been a while since I did any crypto. But it feels like the shortness of the one-time-code probably makes it impossible to do asymmetrically. If this is indeed the case there is probably an elegant proof or some better way of thinking about why it’s impossible. I would be interested in reading that.

justincormack · 12h ago
It is symmetric.
freehorse · 12h ago
If the threat model includes info-stealers, then having the TOTPs on the same device as the passwords is a risk.

If the threat model does not include info-stealers (and instead includes only phishing and in general getting passwords/codes intercepted, getting a website with bad security compromised etc) then having the TOTPs in the same device does not really increase risk.

Imo in the first case, one should probably not have the passwords on the phone either. Use a phone for the OTPs and computer for the passwords for example. But that is very impractical and carries increased risk of (temporarily) not being able to access stuff in certain situations. It could be a good thing depending on what one wants to guard themselves against. If your goal is to have better security than most people, using a good password manager that is not a browser and 2FAs is as many services as possible already carries you very far. If you due to work etc you have increased risk of being targeted, prob more is needed.

Aachen · 12h ago
> [...] then having the TOTPs in the same device does not really increase risk.

... and having TOTPs at all does not decrease any risk, either. There's no benefit to the situation where you store 2 good secrets in 1 place as compared to storing 1 good secret in 1 place.

jorvi · 8h ago
> There is no added benefit to 2FA if you store the 2FA secret next to the password when both are generated securely

Over this entire thread you keep repeating this, and you're so confidently wrong.

If a hacker (or shoulder peeper) gets my password to a site without a TOTP, they can login. 1FA. If I also use a TOTP adjacently, the hacker can't login and the shoulder peeper has a window of 30 seconds.

Its 2FA. Storing critical TOTPs in your password manager is bad practice and thus bad 2FA, but its still 2FA.

_Algernon_ · 12h ago
Even if pw and 2fa secret are stored together you get better protection against phishing because you never enter the full 2fa secret into a website.
Aachen · 11h ago
Thanks for providing a concrete example where this is indeed the case! You're right, and I'm aware of this, but the scenario is quite constrained. This matters when:

1. The attacker either captures the OTPs on the real website, or on a phishing page. They do not have access to either the website's store of 2FA tokens, nor your password vault.

and

2a. Having you enter one or two OTPs on the login page is not enough. The phishing page can claim "wrong OTP, you can try again in 30 seconds" to get at least two codes. The attacker can open a login session and go to down immediately when you enter it, but if there is a protocol where there's a delay of e.g. 24 hours, they would need to phish you again after 24 hours and that's unusual for them to bother with (beyond opportunistically) as far as I know

or

2b. The attack isn't automated and the attacker is also not laying in wait for someone to fall for the phishing (like when having sent 10 phishing emails and waiting for one employee to bite such that they can get into an organisation). In that case, the OTP almost certainly has expired and can't be used anymore

While #1 is common, #2 is rare as far as I'm aware. Once you're into an account, you usually can navigate to e.g. a transaction page within a few seconds and then enter the same OTP¹ again (because the time window hasn't expired yet) or ask the user for a new one a few seconds later as described

A great protection against this would be a device that displays what it is that you're authorising, such as these old bank card readers that show on a little screen like "login" or "transaction of 1337€ to NL00RABO0123456789", but these go well beyond the standard 2FA seeds that you can store in a vault

Either way, you're right, there is this benefit of having 2FA even if you store them together. If this is within one's threat model, but theft of your vault is not as big a concern, it's a valid solution

¹Yes, OTP can never be the "same" by definition. But this works in 9 out of 10 customer sites that we see (security consultancy firm; thoughts are my own yada yada)

smw · 8h ago
Better idea, use something that is able to authenticate the server and disallows fishing, like yubikeys or passkeys! Much less challenging to secure than showing something on the screen.
AstralStorm · 8h ago
It also provides enhanced security against session hijacking attacks.

Most sites require 2FA for changing the password, but do not require the password for changing itself.

littlecosmic · 12h ago
yes, fair points. Thanks for clarifying.
nerdsniper · 7h ago
> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

This is trivially true, but also misses some nuance. Not all "1FA" is created equal. A leaked password can be used by any bad actor remotely who has never met you.

Also your computer could itself have a password and disk encryption, so someone who stole it would still need 2 factors: something you have (your physical laptop) + something you know (laptop password).

Regardless, TOTP is not phishing resistant, so I do tend to prefer passkeys but I understand they're problematic in terms of losing access to the devices/clouds with passkeys stored and then what do you do? (Sometimes services have an out-of-band process to prove identity and reset passkeys, but not all do)

nicoburns · 8h ago
> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA... that can be fine if that's what you want.

A lot of the time that is what I want. 2FA is pretty overkill for low-importance accounts if you're using a long random password anyway. But some services make it mandatory.

Marsymars · 6h ago
I quite like TOTP for this reason - it's much less annoying to autofill TOTP than to retrieve a one-time code from SMS or email.
sceptic123 · 9h ago
That's not 1FA, it's just not using a separate device as the second factor. There is definitely a decrease in security having the 2FA provider on the same device as the password manager, but it doesn't negate the majority of benefits of 2FA.
prism56 · 8h ago
Yeah isn't the threat vector your password being leaked/cracked. You're still safe here.

The argument can me made that logging into something on your phone isn't 2FA either then...

nicce · 12h ago
It is not necessarily 1FA even if just use the laptop.

One password could be leaked and if the password alone gives the access, that is 1FA.

If the combination of two tokens forces the each login require access to that laptop and you need some password to unlock the password vault, this adds 2FA layers to services which are not the password manager.

Aachen · 12h ago
The password vault can't be copied? (In unlocked state I mean, same as how they could get the password)

Either your laptop is compromised or the server. In either case, if they get access to the password, they also get access to the 2FA secret if that resides in this vault together with the password. Just a password alone is safer than 2FA alone because that at least gets hashed and isn't stored in plain text on the server side

nicce · 11h ago
I am not sure if we can change the definition of 2FA based on that.

What if compromising the laptop requires brute forcing something? Then laptop was protected by something the adversary did not know. If we expand this argument, there isn't secure 2FA in place. Maybe laptop compromise leads into situation they can compromise your phone over the same network and the argument is the same.

I would say that there is some additional factor if instead of just guessing or reusing leaked the password, they also need to compromise my laptop and likely get the privilege escalation before they can read the plaintext vault content. You are not allowed to guess anything in that process or that makes 2FA definition valid.

2FA in practice is just about increasing the entropy and protecting against guessing. Passwords can be leaked so we added additional entropy with seedable TOTP suffix. Every additional factor is just an additional entropy that adversary needs to guess and cannot directly obtain.

So for 2FA to be truly valid, we should not use password managers at all and maybe we should be also immune to xkcd comic 538.

sjs382 · 5h ago
What you describe in the first paragraph isn't 1FA. There's still two factors—its just on one device.

You're conflating "factors" and devices.

dngray · 6h ago
I'd probably use Aegis on android https://github.com/beemdevelopment/Aegis?tab=readme-ov-file#... it's a bit more modern.
fulafel · 12h ago
> If you use oathtool on your laptop, and the password is stored there as well, you're back to 1FA

In estabilished terminology you don't need multiple independent devices. For example email "magic link" is a common second factor.

Aachen · 11h ago
Because it requires access to the email system, that's a separate system even if it's being forwarded so long as you have a valid login to the email server

But, yes, the exact boundary is definitely debatable. It's clearly less secure than a separate token generator that you keep on your body at all times; clearly more secure than no second confirmation at all

aragilar · 11h ago
But if you log into your phone with the password and TOTP, is that also not 1FA?
Aachen · 11h ago
If both are on your phone, then yes. I should qualify, though, that "people [including me] generally consider mobile OSes safer because the permission model and process isolation is on a whole other level" (quoting myself from https://news.ycombinator.com/item?id=45091618)
unethical_ban · 8h ago
I happily store all my passwords and OTP in the same vault. Is it slightly riskier than having them separate? Yes. Would having all my passwords stored as a horcrux be safer too? Yes.

Do I still get the security of TOTP as a rotating component of my password to prevent breakins from stolen credentials? Yes.

gear54rus · 13h ago
> you're back to 1FA

Which might be exactly what I need if another dumb website wants me add 2fa where I don't want to.

Considering just making a publicly accessible webpage for those codes at this point lol.

oulipo2 · 8h ago
1Password works well too (Canadian company I think)
ezst · 12h ago
Some time ago I realised how vulnerable I was keeping all my TOTPs in Authenticator __only__, in the event of losing/breaking my device (and no, there is no way I would sync them to Google cloud). This taught me few things:

- there isn't much to Authenticator and TOTPs in general, it's just a secret, which can be shared across multiple TOTP managers and devices. I had solved the "single point of failure" concern

- that opened a new need for "safe TOTP replication with offline access", and that's how I ended-up running my own vaultwarden instance and using the bitwarden clients across devices.

I'm glad I did, and I can't recommend it more. IIRC, this¹ helped tremendously along the way.

¹: https://github.com/scito/extract_otp_secrets

AstralStorm · 8h ago
And this is why Aegis has a working encrypted offline backup.
NaomiLehman · 5h ago
Yubikeys support Google and other TOTPs too
mid-kid · 7h ago
I've been storing OTP secrets using `pass`[0] with `pass-otp`[1]. This does the whole symmetric encryption for me using `gpg`, decodes the URL for me to pass it into oathtool, and allows me to share the codes with my phone using Android Password Store[2]. This is all deceptively simple to set up, assuming you have a git server you trust to synchronize the codes with, or some kind of other method using maybe tailscale or syncthing? As long as you don't need the codes on Windows, where the QtPass app is unmaintained and can't generate OTP codes on Windows, you're mostly good.

Oh and I use `zbarimg` to decode the QR, as I've integrated it with my screenshot script and it can decode more than just QR codes.

[0]: https://www.passwordstore.org/

[1]: https://github.com/tadfisher/pass-otp

[2]: https://f-droid.org/packages/app.passwordstore.agrahn/

geoka9 · 3h ago
> This does the whole symmetric encryption for me using `gpg`

gpg actually uses a public/secret key pair with pass which has a pretty cool effect that you don't need to enter your passphrase when adding an entry to the store, because it uses the public key to encrypt.

tigrezno · 13h ago
For years I've managed all my TOTP codes with KeepassXC. Not a single problem, great software.
blackbear_ · 13h ago
Just consider that storing TOTP codes in the password manager negates the advantage of two factors authentication, namely the added security of needing a second device. This would keep your logins safe even if somebody managed to breach your KeePassXC database.
StrLght · 12h ago
> negates the advantage of two factors authentication

Like with all things it depends on your threat model.

If your threat model includes risk of leaking all data from your password manager – then yeah, it worsens your security.

Otherwise it still covers all other risks:

1. it makes bruteforce basically impossible

2. it makes phishing harder (assuming that your password manager supports autofill and that it checks domains correctly)

3. it lowers the risks if a single password leaks

Aachen · 12h ago
All of this is true without 2FA, just storing securely generated passwords in the manager.

Whether it negates the benefits of 2FA (i.e. whether it's 1FA) doesn't depend on the threat model. The threat model is what makes an individual decide whether 2FA is worth it

brnt · 12h ago
No? Without TOTP in Keepass, an attacker still only requires a password (which may be brute forced or otherwise obtained from badly secured websites). If you have TOTP, they _also_ need a copy of your keepass-file, the password and any other factor to _it_, or have access to your machine during a session or so.
Aachen · 12h ago
Think about how the attacker gets there:

- "an attacker still only requires a password (which may be brute forced" Brute force? Then it wasn't generated securely. Use Keepass' built-in generator or another one that is meant to generate passwords with. You could make the same argument for the 2FA seed: that can also be generated insecurely or set manually by hand

- "or otherwise obtained from badly secured websites" The attackers can obtain the 2FA seed in the same way. Furthermore, the 2FA seed is stored plaintext in the website's database whereas the password is typically stored in hashed form (which is unbruteforceable if you generated it securely)

- "they _also_ need a copy of your keepass-file, the [main] password" The attacker either got the website's password from this same file (so they evidently have that file and the main password to unlock it), or if you imagine a scenario where the site got hacked and the stupid site stored your password in plain text, then they have access to the site (and the 2FA seed) anyway because they hacked it. So long as you don't re-use passwords (don't need 2FA for that, just a password manager), a site's breach has no impact beyond this one site that was hacked outside of your control

- "and any other factor to _it_" Do you mean the key file here? Or what other factor? Either way, again: if they need that to open the vault then they can't get at the passwords either, so what benefit does {2FA when stored inside the password vault} have?

I don't know of a scenario where an attacker can get the website's password from the vault, but not the website's 2FA seed, when you store both inside that same (encrypted) file

brnt · 11h ago
1. TOTP (the only 2F we could be discussing) is derived in a specific way by e.g. Keepass, which has been audited. There is an RFC for this. I don't see the vuln here. 2. But this info is transferred just once, so the method relies on either intercepted both (pw and TOTP seed) that one time. Far less likely than intercepting just the pw every time you login. With a compromised or insecure server: all bets were off already. 3. Even if you have safe service-dependent passwords, as one should, 2F renders it useless in certain scenario's, if all they have is the password. 4. Yes, factors to the keyfile. It does not have to be just a password.

While it seems a reasonable assumption that 2F seed and password are stored alongside eachother, the vuln does not need to expose both. We don't know. But we do know more factors means more opportunity for 1 factor to be accidentally safe.

hypeatei · 7h ago
It doesn't negate the advantage of 2FA. There are so many scenarios that don't involve your entire password manager database being leaked in plaintext. In that case, you likely have much more to worry about considering the attacker has a bunch of places to pivot from (account recovery flows, recovery email accounts, etc..)
wolvesechoes · 13h ago
You are allowed to have two separate databases, with different passwords. You can even store them on different devices!
speedgoose · 13h ago
It’s still one device.
quchen · 12h ago
The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against. Shoulder surfing and device theft are not something I worry about in my home setup, for example.
speedgoose · 9h ago
Yes it depends on your treat model. But being defeated by one simple keylogger isn’t a risk I’m willing to take even at home.
AstralStorm · 8h ago
And yes, 2FA single use codes will protect against a simple keylogger.

But if its on the same device, it will not protect you against a password database harvester.

Aachen · 12h ago
> The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against.

It doesn't matter if you store your 2FA seed on a billboard or as a tattoo where the sun doesn't shine: 2FA means two factors. The definition doesn't change when your home setup's threat model doesn't call for 2FA and you thus decide to store two secrets in the same place (making a compromise of one necessarily a compromise of the other, thus 1FA)

wolvesechoes · 12h ago
> making a compromise of one necessarily a compromise of the other, thus 1FA

The only necessity is logical necessity, and it doesn't apply there.

Aachen · 11h ago
You're saying you can store two pieces of information in one file, without a compromise of one implying a compromise of the other? Do elaborate
wolvesechoes · 11h ago
GP stated:

> The second factor does not have to be a second device.

Now, you are talking about two pieces of information in single file.

brookst · 6h ago
This is so wrong. You’re conflating where things are with what they are. Two factors does not mean two devices.
alanfranz · 12h ago
If you login from your phone, it’s still one device. Should we have different totps for different devices?

Something that you have can be your own pc.

Aachen · 12h ago
You're onto something even banks don't seem to understand! The industry standard for doing financial transactions calls for 2FA but then they make a mobile app that can self-approve transactions. Yes, using only one mobile device is 1FA, just like using one desktop only, but people generally consider mobile OSes safer because the permission model and process isolation is on a whole other level
broken-kebab · 12h ago
There's a grain of truth in your statement, but no matter how hard it's to accept for all of us nerds here, in real life words are defined by usage. If industry calls it 2FA, users call it 2FA, then it's 2FA.
Aachen · 12h ago
They can call the sky green but unless the wavelength changed, I don't see the benefit of taking over that terminology, no matter if you're a user or a nerd or both. That's the real-life situation: sky isn't green, idk why anyone would need to "accept" that or not when it factually isn't the case
broken-kebab · 9h ago
Your choice of example is somewhat self-defeating: blue-green is probably the best illustration of terms with big semantic overlap even in languages which care to have separate words for these colors (there are those which has one word for both). Generally, meaning of words defined by informal convention of majority. You are free to disagree with it, but it only means you will speak your own dialect always in need to explain yourself to everybody who's not you.
wolvesechoes · 12h ago
If you store two databases on two devices it makes them suddenly one device? What kind of security sorcery is this?
progbits · 13h ago
I can recommend the Aegis app for Android. Works great and has encrypted backups.
0x49d1 · 13h ago
Or Ente Auth: https://ente.io/auth. Opensource, encrypted, can be used on any OS, has sync/backup. The problem with using same password manager for OTP is that you kind of loose 2nd factor: 1 app compromised - passwords and OTP are compromised too. My approach is to use password manager's OTP generator for non critical services and dedicated app for the critical ones..
styanax · 12h ago
Replied to another comment with the same recommendation before seeing this, here's the URL for those interested:

https://github.com/beemdevelopment/Aegis

graynk · 9h ago
I also store them in KeePass, except I have a separate DB for codes that exists only on my phone. I use Keepassium on iPhone, on Android I believe Keepass2Android is pretty good.
WhyNotHugo · 3h ago
I’ve been using a Yubikey for TOTP codes for years.

When it’s plugged into my laptop, I use a fuzzy-search UI to pick the right credential, tap the Yubikey, and it writes the TOTP code into the focused text field.

There are iPhone and Android apps to generate codes. On iPhone, it works with nfc.

The same device also works for webauthn and for gpg. It has no network capabilities.

promiseofbeans · 13h ago
Ente auth is a great free option with sync and apps for every platform. https://ente.io/auth/

They also have a good Google Photos alternative, which is how they make money.

tripdout · 5h ago
> The tool outputs the current date and time, so you can double-check that your code won't expire (at :00 seconds) before you get a chance to type it in

A lot of TOTP verifiers often check within ±1 time interval, so you can often just use the first code you see, no need e.g. to wait for it to roll over.

butz · 7h ago
The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.
mid-kid · 4h ago
At work we use OneLogin, set to require the app. However, it stores a regular TOTP code in the app, it's just encrypted with the android keystore. I had to hook the base64 decoding function on my rooted phone to extract it, and put it in my password manager instead. I've been unable to figure out how to decrypt keystore-encrypted secrets in any other way.
wahlis · 7h ago
I believe Aegis has you sorted with Steam as well
mdaniel · 2h ago
https://github.com/beemdevelopment/Aegis/blob/v3.4.1/app/src...

> // NOTE: this assumes that a global root shell has already been obtained by the caller

:-/

My recollection when I last tried this stunt is that it's a boatload of nonsense to try and exfiltrate the Steam credential material, and I wasn't able to find any supporting docs in the Aegis nor on their site about any alternative they have to "root your phone and sniff the keys out of the sibling app"

FinnKuhn · 6h ago
Couldn't Steam break this any second though?
butz · 2h ago
Or one could run into some edge case, e.g. when Steam asks for different code when trying to change Steam password - https://github.com/beemdevelopment/Aegis/issues/1613 .
cookiengineer · 13h ago
I actually built a tool that can do this from camera photos or screenshots. You know, for pentesting purposes :)

https://github.com/cookiengineer/forensics-tools

theshrike79 · 11h ago
I'm just boring and use 1Password for this along with my passwords.
eek2121 · 13h ago
I wish there was a way to export my codes from Microsoft authenticator on iOS. If anyone knows of a way to do this, please feel free to reply. I would like to move to an open source solution.
mrweasel · 12h ago
Learned that the hard way, never ever add ANYTHING to the Microsoft Authenticator app if you can avoid it. It is impossible to migrate to something else.

I had a client where I got a new phone and forgot about the Microsoft Authenticator. Three months later I had to go on site with the client to reset my Authenticator as signups could only be done from their network.

Aachen · 12h ago
Keep in mind that perfect is the enemy of good! You don't have to switch all at once. Start adding new tokens to a better manager and see if/when you get around to migrating the ones that are currently locked into Microsoft. That way, the task will get smaller rather than larger over time :)
riedel · 13h ago
I also have the same problem, however, I think Microsoft started to use some proprietary protocol wit some challenge / response scheme.
Aachen · 12h ago
Yes, Microsoft tries to get you to use their proprietary mechanism by default. You need to click on the "use a different method" link when doing the setup to get a code that is compatible with e.g. Google Authenticator, FreeOTP, and all the other ones
riedel · 12h ago
The last time I tried to that for an external MS Teams instance, the option to use another method was gone. Could have been a compliance thing of the 'owner' of the instance, however, I actually tried multiple times to circumvent installing their app, but failed.
unethical_ban · 8h ago
It's a setting of the app owner. I ran into the same thing. Though I admit a push based 2FA is more resistant to phishing.
henriks · 7h ago
I've been storing TOTP codes in on my Yubikeys for many years now, it works pretty decently. They have an app for it (https://www.yubico.com/products/yubico-authenticator) which has gotten better over the years. For redundancy I've stored keys on two devices.
8cvor6j844qw_d6 · 12h ago
This reminds me of Steve Gibson storing his 2FA seeds by printing them out [1].

> "Steve: So in my drawer I have all of my QR codes printed."

> "Steve: They're in a safe place. And if it ever comes to the point where I need to set up a new authenticator, not a problem. I just scan the QR codes once again, and we're back in business. So the other thing to look for is an authenticator that will allow you to do that because it is nice to have hard copy backup."

---

I'm not sure what TOTP app he's using currently, since this was said 2 years ago [1].

> "Steve: OTP space Auth, and the logo is a simple gray padlock. Very modest logo. And it does all of this correctly."

[1]: https://www.grc.com/sn/sn-921.htm

whartung · 7h ago
This is actually an interesting idea.

I have my e.g. GitHub recovery codes printed out. I have to assume that the recovery codes are more flexible, but rescanning the original QR code would be better UX in case of loss simply because GitHub is not involved, they're nevertheless wiser.

But the recovery codes are process agnostic. I imagine they work whether you're using TOTP or any other 2FA mechanic. If GitHub deigns to discontinue support for TOTP, then the printer QR code won't be much help.

In the end, however, I have a piece of paper (or other visual artifact) with security information to manage.

I will keep the persistent QR code concept in my bonnet for potential consideration in the future.

fersarr · 13h ago
+1. I stopped using google authenticator when they randomly wiped the app for me and lost all the codes.
chaz6 · 10h ago
I have said time and time again, keep a copy of the QR code (or the text encoded within) before adding it to an authenticator app. You may find out too late that you cannot recover the keys. You can do this by simply taking a photo or screenshot of the QR code and storing it in a safe place.

Even better, avoid any MFA mechanism that relies on short codes with low entropy. Instead you could use U2F which uses a hardware token in which the key material is designed to be extremely difficult to extract, and requires physical access to the device to even attempt.

plumeria · 6h ago
This is the nice thing about keeping it in Keepass XC. The seed is saved as an attribute in the database, you can easily add it to another app if needed.
freehorse · 12h ago
What is the reasoning that google makes it so complicated to export the TOTPs? Is it just to make it harder to migrate to other authenticators (which does not make much sense because other authenticators just build their tool to import this anyway) or is it just a bad case of "security through obscurity"? I cannot imagine any minimally dedicated attacker that has already put the effort to get the export qr code not being able to actually read it, but it just makes it harder for "common" people to actually get their codes. I remember I had to go through what the article describes to access my TOTPs and migrate to another authenticator.
radu_floricica · 13h ago
I get the feeling. Got a pretty bad experience with google when I migrated phones, and it messed up the data for a pretty important app (no damage, because I'm paranoid and have backups). I keep an offline phone with synced Authenticator because of this.
tedk-42 · 12h ago
Most people don't really know how these TOTP codes work but yeah for the longest time I've just put the plain text secret in a place where I can wrap it with my own golang utility

https://github.com/edify42/otp-codegen

Way easier to open a terminal on my computer and pipe to `pbcopy` and paste it onto the screen.

zimpenfish · 11h ago
I did the same for a work code that I have to use multiple times a day - compiled up a standalone binary (with hardcoded TOTP code) using the `otp` crate.

(One nice thing it does is wait for the next number if the expiry is within 5s before outputting the code.)

eminemence · 13h ago
Liked the 'Written by human not by AI' bagde
jqpabc123 · 9h ago
If it has a "Google" label, it's not in your best interests and best avoided. This is just another in a long list of examples and confirmations of this fact.

The solution to most 2FA/TOTP issues (including the one described here) is Stratum. It offers a full array of import and exports features (with or without strong encryption) including the ability to import directly from Google's user-hostile abandon ware.

https://stratumauth.com/

akssri · 12h ago
If you use Emacs on GNU-Linux, you can have it run oathtool and copy the code to the clipboard which you can straightaway middle-click-paste.

https://gist.github.com/akssri/92a3b240c89212815a66e86c60eab...

daneel_w · 13h ago
Go for Aegis if you're on Android, 2FA Authenticator (2FAS) or Authenticator (by Matt Rubin) if you're on iOS.
bramhaag · 13h ago
+1 for Aegis. Encrypted backups, easy to import/export multiple formats, and very customizable.
44za12 · 13h ago
Shameless plug.

I’ve been using a cli tool i had created for over 2 years now, it just works. I had more ideas but never got to incorporate those.

https://github.com/44za12/horcrux

tedk-42 · 12h ago
6 years for me if we're counting :)

https://github.com/edify42/otp-codegen

44za12 · 10h ago
Love the minimalism.
BallsInIt · 9h ago
At least Google lets you export the keys. Authy removed that ability and now Twilio is forever on my shit-list.
anonymousiam · 11h ago
I've been waiting for this for years. I'll put this in a VM for some isolation, and I'll have more security and more convenience.
Arch-TK · 13h ago
I'd be more curious to know what the traffic data google maps alternative is.
frizlab · 12h ago
He’s asking for one, he does not have one.

I use (Apple) Maps, personally.

catlikesshrimp · 7h ago
I love the post. I know this is not the topic: There is a google-auth replacement which has appropiate qr scanning and doesn't require any connection permission, in f-droid. I don't know why freeOTP is more popular since it asks for full network permission.

https://fxedel.gitlab.io/fdroid-website/en/packages/org.shad...

andOTP.