this post was submitted on 02 Jul 2024
26 points (90.6% liked)

Privacy


Isn't the value of two factor auth that it requires a physical device (your phone or computer) with the auth key to authenticate you? Then why don't many two factor auth apps seem to support syncing? If it's fine to do so, are there any open source cross platform apps that sync keys?

top 19 comments
[–] lemmyvore@feddit.nl 21 points 4 months ago* (last edited 4 months ago) (1 children)

Many people have a warped understanding of what "two factor" means.

They conflate it with devices and they think it means that one of the factors (why one? which one? who knows) needs to be restricted to exactly one device.

What "two factor" really means is that you should have more than one required factor of authentication so that if one is compromised the attackers still can't get in.

Ideally the factors should be spread across the "something you know" / "something you own" / "something you are" categories to complicate the manner in which they can be compromised.

We can only reliably remember a limited amount of passwords, so like it or not we have to use some devices at least some of the time.

The trouble with "something you own" is that it can be lost or damaged or stolen, and if you only have one of it then you're fucked. So adding some redundancy is not a bad idea.

The larger issue is that everybody is stuck into extremely rigid and outdated mindsets that date back decades. "Two factors" don't have to be exactly two, and they don't have to include exactly one password, and so on. It should be fine if you wanted to secure your account with 3 passwords, and should be up to you if one of those passwords is a barcode tattooed on your taint so you need a mirror and to bend upside down to scan it.

Bottom line, use whatever you want and use your best judgment as to how secure is each factor. If you want to use something that syncs to multiple devices, go ahead. What you should consider is who has access to those devices and how it would affect you if they're lost or stolen.

[–] breadsmasher@lemmy.world 17 points 4 months ago (1 children)

barcode on your taint

please tell me more

[–] delirious_owl@discuss.online 5 points 4 months ago

This is my preferred storage location for my NFC chips.

It does tend to make the cashier nervous when I stand up on their register and tea bag their POS.

[–] nikaro@jlai.lu 17 points 4 months ago

You can use KeePassXC (with a dedicated vault or not), synced by another means (Nextcloud, Syncthing, Git, etc.).

[–] user134450@feddit.org 13 points 4 months ago (1 children)

Bitwarden has a FOSS client app and FOSS server apps exist (though the default service is not FOSS).

Syncing 2FA keys brings the danger with it that you accidentally sync the key to the device that is used for the first factor thus making it not 2FA anymore.

[–] clmbmb@lemmy.dbzer0.com 8 points 4 months ago (1 children)

the default service is not FOSS

You mean server? If so, the server is also open source (https://github.com/bitwarden/server), but the default instance (bitwarden.com) is not totally free - you have to have a paid subscription for some of the features. If you self-host, then you have all the features (free and/or premium) - and this can also be done with Vaultwarden which is a FOSS alternative to the official server.

[–] user134450@feddit.org 4 points 4 months ago

You mean server? If so, the server is also open source

That is what I meant. It is OSS but not FOSS because you need a key to start it.

[–] solrize@lemmy.world 8 points 4 months ago (2 children)

It's considered bad form to do what you're asking but most 2fa apps have a backup restore scheme now. Is that enough?

[–] solrize@lemmy.world 2 points 4 months ago

A physical token only authenticates itself as "something you have" if there's no way to extract the key from it. In practice non-hardcore deployments usually have a backup procedure but in principle, if you want multiple tokens, they should have separate keys. What you're asking in simplest form involves storing the key on a server where it can potentially spill in a server breach or the like. If the key protects something very valuable, that can be dangerous. If it's for your old Reddit account, you might decide to do it anyway.

[–] DonnerWolfBach@feddit.de 2 points 4 months ago

Why exactly is that? Because it's reduced security?

[–] umami_wasbi@lemmy.ml 8 points 4 months ago (1 children)

Aegis w/ auto backup + syncthing

[–] zfr@lemmy.today 1 points 4 months ago

Wait, if I do this, how can I see the codes on my PC?

[–] JustMarkov@lemmy.ml 5 points 4 months ago* (last edited 4 months ago) (2 children)
[–] umami_wasbi@lemmy.ml 3 points 4 months ago (1 children)

For a quick brief read, it uses its own server to perform the sync.

[–] JustMarkov@lemmy.ml 1 points 4 months ago
[–] trevor@lemmy.blahaj.zone 0 points 4 months ago

This is the correct answer.

[–] foxfell@lemmy.ml 4 points 4 months ago (1 children)

You can create TOTP for login records in bitwarden and sync it of course. But make sure you protect your wallet key with additional security methods.

[–] haui_lemmy@lemmy.giftedmc.com 3 points 4 months ago

Bitwarden is the way to go.

[–] DonnerWolfBach@feddit.de 2 points 4 months ago

There is the completely open source https://standardnotes.com/ which would support that via their syncing and the authenticator note type.

Unfortunately it does not look like their free plan allows you to use that note type. You could also host it yourself though (and pay for the premium token there or hack it out - it's FOSS). Have never done that myself though.