
What to use for “TOTP” in 2023?

At the start of last week, we received great news regarding new improvements to a very popular security app, “Google Authenticator”. A feature it was lacking for a long time was finally implemented, “cloud backups”.

However, after a few days, the security community realized the new feature wasn’t as good as everybody was assuming. It lacks “end-to-end encryption”. In other words, when users back up their 2FA codes to the cloud, Google has complete access to these secrets.

Even ignoring the initial bugs (check this one and also this one), it is a big deal because any second factor should only be available to its owner. Having multiple entities with access to these codes defeats the whole purpose of having a second factor (again ignoring any privacy shortcomings).

Summing up, if you use Google Authenticator, do not activate the cloud backups.

And this brings us to the topic of today’s post: “What app (or mechanism) should I use for 2FA?”

This question is broader than one might initially expect, since we have multiple methods at our disposal.

SMS codes should be on their way out for multiple reasons, but especially because of the widespread SIM swapping attacks.

Push-based authenticators don’t seem to be a great alternative. They are not standardized, they tie the user to proprietary ecosystems, and they can’t be used everywhere.

In an ideal scenario, everyone would be using FIDO2 (“WebAuthn”) mechanisms, with hardware keys or letting their device’s platform handle the secret material.

While support is growing, and we should definitely start using it where we can, the truth is that it is not yet widely accepted. This means we still need another form of 2FA wherever FIDO2 isn’t supported yet.

That easy-to-use and widely accepted second factor is TOTP.

This is still the most independent and widely used form of 2FA we have nowadays. Basically, you install an authenticator app that provides you with temporary codes to enter in each service after providing the password. One of the most popular apps for TOTP is the “problematic” Google Authenticator.

What are the existing alternatives?

Many password managers (1Password, Bitwarden, etc.) also offer to generate these codes for you. However, I don’t like this approach, because the different factors should be:

  • Something you know
  • Something you have
  • Something you are

In this case, the password manager already stores the first factor (the “something you know”), so putting all eggs in the same basket doesn’t seem to be a good idea.

For this reason, from now on, I will focus on apps that allow me to store these codes in a separate device (the “something you have”).

My requirements for such an app are:

  • Data is encrypted at rest.
  • Access is secured by another form of authentication.
  • Has easy offline backups.
  • It is easy to restore a backup.
  • Secure display (tap before the code is displayed on the screen).
  • Open source.
  • Available for Android.

There are dozens of them, but many don’t meet all the points above, while others have privacy and security issues that I can’t overlook (just to give you a glimpse, check this).

In the past, I usually recommended “andOTP”. It checks all the boxes and is indeed a great app for this purpose. Unfortunately, it stopped being maintained a few months ago.

While it is still a solid app, I don’t feel comfortable recommending it anymore.

The bright side is that I went looking for a similar app and found “Aegis”, which happens to have great reviews, fulfills all the above requirements and is still maintained. I guess this is the one I will be recommending when I’m asked “what to use for 2FA nowadays”.

By Gonçalo Valério

Software developer and owner of this blog. More in the "about" page.