Not on iOS but I like my yubikeys. Depending on your requirements (if you have less than 32 TOTP accounts per yubikey), they can handle your TOTP directly instead of just using them to unlock Bitwarden.
For security I don’t like to keep my TOTP keys in my password manager, even if it is strongly protected. With a yubikey I can ensure that both access to the key AND a physical touch is necessary to generate any codes. So even if I leave it plugged in on a remotely compromised PC I’m mostly protected, because a touch is required.
yeah, when sites support it, that’s definitely the best option, but many sites only barely do totp lol so I have to have to put the totp codes somewhere, and the yubikey handles it in a pretty nifty way
I use Bitwarden for everything, including my totp codes. I should probably use a separate app solely for Bitwarden’s totp code, but the danger of losing it all gives me such a rush!
I am undecided btw 2FAS and Ente. 2FAS has an excellent UI, but there is no desktop app. Ente requires an account, but it’s not a problem considering that everything is E2EE and it’s a company with good reputation.
It’s actually pretty good security-wise, the main issue is that it completely locks you into the Apple ecosystem, while other 2FA apps and password managers are all cross-platform.
Good security-wise, maybe. But who protects you from Apple? They have access to everything they so conveniently sync for you for free. That is neither secure nor private. The same goes for Google. People don’t understand how much of your stuff they have access to.
I’ve been using 1Password for years and love it. It’s multi-device support was one of the reasons I started using it, and now have a family subscription to share some things with my wife.
I rely on TOTP a lot for my IT job. With 1Password it’s easy to display them on my Apple Watch so I don’t need to keep opening the app on my phone or laptop.
So I’m not on iOS but… the websites I need to use for various work things all require that you use a specific authenticator. But they all choose a different random one. It drives me insane. I have 4 different apps. Google Authenticator, Authy, Duo Mobile, and Onelogin Protect. I pray I change jobs before I get a new phone.
I realize there are exceptions to this, and you might fall into that category, but…
Most of the time when websites say they require a particular app, they actually don’t. Like if a website says to use Google Authenticator, you can actually use any TOTP app. There is even a workaround for using Steam’s TOTP without their app.
Don’t be scared to just try importing the QR or text based code into another app when you are signing up for a service. A functioning website won’t let you progress to the next screen without having the proper code in your app.
They make it hard to export your seeds if you want to move to the other platform or new device + closed source.
On Android Aegis is the great alternative.
On iOS Raivo OTP used to be the main recommendation, but they just got bought by relatively unknown company, which is sketcy in on itself.
I have been using ProtonMail and Drive already so it was an easy decision to switch to Proton Pass when it came out. It’s an all-in-one password manager which let’s you store 2FA as well and also let’s you make email aliases. It’s synced everywhere, on Firefox on my linux desktop to my android phone to my iPad.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacyguides@lemmy.one
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We’ve tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the “official” Privacy Guides community on Lemmy, which can be verified here. Other “Privacy Guides” communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
We prefer posting about open-source software whenever possible.
No soliciting engagement: Don’t ask for upvotes, follows, etc.
Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
Be civil, no violence, hate speech. Assume people here are posting in good faith.
Don’t repost topics which have already been covered here.
News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
No help vampires: This is not a tech support subreddit, don’t abuse our community’s willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
No misinformation: Extraordinary claims must be matched with evidence.
Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.
I’ll be using BitWarden as my 2FA app. I use KeePass as my password manager so it would still be two different services/apps.
I was planning on using Tofu but it has no FaceID which is mandatory IMO.
Not on iOS but I like my yubikeys. Depending on your requirements (if you have less than 32 TOTP accounts per yubikey), they can handle your TOTP directly instead of just using them to unlock Bitwarden.
For security I don’t like to keep my TOTP keys in my password manager, even if it is strongly protected. With a yubikey I can ensure that both access to the key AND a physical touch is necessary to generate any codes. So even if I leave it plugged in on a remotely compromised PC I’m mostly protected, because a touch is required.
I guess why not use the yubikey for webauth instead of totp?
yeah, when sites support it, that’s definitely the best option, but many sites only barely do totp lol so I have to have to put the totp codes somewhere, and the yubikey handles it in a pretty nifty way
Gotcha. And I guess what backup method do you use? (Like a second YubiKey, recovery codes somewhere safe, a 2fa app discretely hidden)
mostly recovery codes. I have multiple yubikeys but that’s mostly for work
I’m currently enjoying ProtonPass’ built-in 2FA. You gotta be on a paid plan, however, but it’s worth it imo.
Where are you keeping the 2FA code for your proton account? (Supposing you have it set up)
I keep that one in my iCloud keychain just out of convenience
I use Bitwarden for everything, including my totp codes. I should probably use a separate app solely for Bitwarden’s totp code, but the danger of losing it all gives me such a rush!
You can write down your Bitwarden 2FA recovery codes and keep multiple copies of them in safe and private places
What happened to Raivo?
They got bought out by Mobime.
I am undecided btw 2FAS and Ente. 2FAS has an excellent UI, but there is no desktop app. Ente requires an account, but it’s not a problem considering that everything is E2EE and it’s a company with good reputation.
deleted by creator
Recommending iCloud keychain in a privacy forum??
It’s actually pretty good security-wise, the main issue is that it completely locks you into the Apple ecosystem, while other 2FA apps and password managers are all cross-platform.
Good security-wise, maybe. But who protects you from Apple? They have access to everything they so conveniently sync for you for free. That is neither secure nor private. The same goes for Google. People don’t understand how much of your stuff they have access to.
I’m currently in the process of switching to 2fas. It seemed the best available alternative for me.
The built in password manager and keychain can handle OTP since a few versions back.
I’ve been using 1Password for years and love it. It’s multi-device support was one of the reasons I started using it, and now have a family subscription to share some things with my wife.
I rely on TOTP a lot for my IT job. With 1Password it’s easy to display them on my Apple Watch so I don’t need to keep opening the app on my phone or laptop.
So I’m not on iOS but… the websites I need to use for various work things all require that you use a specific authenticator. But they all choose a different random one. It drives me insane. I have 4 different apps. Google Authenticator, Authy, Duo Mobile, and Onelogin Protect. I pray I change jobs before I get a new phone.
I realize there are exceptions to this, and you might fall into that category, but…
Most of the time when websites say they require a particular app, they actually don’t. Like if a website says to use Google Authenticator, you can actually use any TOTP app. There is even a workaround for using Steam’s TOTP without their app.
Don’t be scared to just try importing the QR or text based code into another app when you are signing up for a service. A functioning website won’t let you progress to the next screen without having the proper code in your app.
Oh that’s interesting. I know for my work, it says to use Google Authenticator, but I am still able to sign up with any app of my choice.
I‘m using Google Authenticator, but so far nobody else here seems to, am I doing it wrong??
They make it hard to export your seeds if you want to move to the other platform or new device + closed source.
On Android Aegis is the great alternative. On iOS Raivo OTP used to be the main recommendation, but they just got bought by relatively unknown company, which is sketcy in on itself.
Considering googles track record with privacy I would hesitate to use it
I was going to ask the same question since I’m in the same boat.
Apple Keychain OTP
I have been using ProtonMail and Drive already so it was an easy decision to switch to Proton Pass when it came out. It’s an all-in-one password manager which let’s you store 2FA as well and also let’s you make email aliases. It’s synced everywhere, on Firefox on my linux desktop to my android phone to my iPad.
I’m using the microsoft Authenticator, is it bad?