Cake day: June 12th, 2023

  • Well yes, the most secure way would be a single source of OTPs; however, I’m happy to compromise that slightly for convenience. Having 3-4 devices with access to the OTP database isn’t a huge increase in my attack surface. An attacker would still need to steal one of my devices, rather than one specific device. Those devices would also naturally be protected by additional factors.

    I understand I would have to handle the syncing of the database for aegis, I was more curious if you knew of other clients that could use the same database format on other platforms.

    I’m very aware it’s a bad idea to keep your OTPs in the same database as your passwords (and in fact I already make use of KeePass). I would probably not even sync the databases using the same mechanism.

    Bitwarden/vaultwarden does seem to be the front-running option if there aren’t suitable clients for reading an Aegis database on other platforms, and I’ll just ignore the password manager aspects of it even if that means it’s a heavier solution than I’d have preferred.

    Thanks for bearing with me on this.
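The portability question in the comment above (other clients reading an Aegis database) comes down to the fact that an unencrypted Aegis export is ordinary JSON carrying standard RFC 6238 parameters per entry (base32 secret, hash algorithm, digit count, period). The following is an added example, not the commenter’s code and not part of the Aegis project: a minimal stdlib-only TOTP reader for that export shape. The field layout is assumed from Aegis’s documented plaintext format, the sample vault is constructed inline, and its secret is the RFC 6238 reference-vector key so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed sample in the shape of an unencrypted Aegis JSON export.
# Field layout is an assumption based on Aegis's plaintext export format;
# the secret is the RFC 6238 reference key "12345678901234567890" and
# digits=8 so the codes match the RFC's published test vectors.
SAMPLE_EXPORT = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "00000000-0000-0000-0000-000000000000",
                "name": "rfc6238-vector",
                "issuer": "example",
                "info": {
                    "secret": base64.b32encode(b"12345678901234567890").decode(),
                    "algo": "SHA1",
                    "digits": 8,
                    "period": 30,
                },
            }
        ],
    },
})

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def load_entries(export_json):
    """Return the TOTP entries of a plaintext Aegis export.

    An encrypted export carries key slots in the header and the db as an
    opaque base64 string; this reader refuses it instead of guessing.
    """
    doc = json.loads(export_json)
    if doc["header"].get("slots") is not None or not isinstance(doc["db"], dict):
        raise ValueError("vault is encrypted; export it unencrypted or decrypt it first")
    return [e for e in doc["db"]["entries"] if e["type"] == "totp"]


def hotp(secret_b32, counter, algo="SHA1", digits=6):
    """RFC 4226 HOTP using the per-entry hash and digit count Aegis stores."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # tolerate stripped padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algo]).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP for one export entry at Unix time `at` (default: now)."""
    info = entry["info"]
    at = time.time() if at is None else at
    return hotp(info["secret"], int(at // info["period"]), info["algo"], info["digits"])


def codes_at(export_json, at):
    """Map entry name -> current code for every TOTP entry in the export."""
    return {e["name"]: totp(e, at) for e in load_entries(export_json)}


if __name__ == "__main__":
    for name, code in codes_at(SAMPLE_EXPORT, time.time()).items():
        print(name, code)
```

Because the entry fields map one-to-one onto RFC 6238 inputs, any client on any platform that implements TOTP can consume the plaintext export; what does not travel with it is the encryption wrapper, which is why the reader above stops on a vault whose header still has key slots.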


  • Okay, I see what you’re saying, but it’s still a downgrade from what I thought my security was; the fact that Authy broke that trust doesn’t mean I want to compromise what I was expecting down to the level they ended up providing me.

    Sure, I guess the thing I’ve not made clear enough is that I accept the compromise of security by having an SMS backup in this scenario for the convenience it provides in restoration. Someone could compromise my SMS but they’d still need my password, and in Authy’s case, they would also then need to be able to sufficiently convince Twilio that I’m me before they allow access again. I understand that the last step is obviously not possible with a non-commercial solution.

    Tbh you’ve kinda come up with the solution for me, though: if I keep the database in its own cloud storage separate from everything else, I could set up SMS 2FA and a unique memorable password to get a similar experience to what I have now, albeit without the extra verification when SMS is used.

    Since you’ve been helpful already, one last question if you don’t mind: do you have good recommendations for iOS, Mac & Windows clients for Aegis? The official repo seems to just be an Android app, and I make use of Authy across all 4 platforms currently.



  • Well, I thought it was kinda obvious what I meant, but I guess not.

    Alright, drop the sass; if it was obvious, your post wouldn’t be the length it is. Now chill, I genuinely appreciate your response.

    0: No go.

    1: Also a no go, I can’t guarantee I’ll have an extra thing.

    2a: No 2FA, so this is a reduction in my current security.

    2b: This could be workable, I already self-host a number of services, but I want to be sure situational neglect (i.e., life is too busy for me to pay attention) cannot compromise this; therefore it’s gotta be a turnkey solution that I can configure to auto-update, which is what I’m asking for in my comment. I need your specific solution for this, generalisms are useless here.

    3: Not workable, I can’t rely on someone else being able to help in every possible scenario (and tbh I wouldn’t want to put that responsibility on someone).

    4: This is a pretty good one tbh, though I guess if I’m going to pick holes: if the first stage is good enough as the gate, it diminishes the reason to have the second stage, so I’d wonder what you would suggest that could tick all the boxes for that first gate.

    Edit: weird numbering formatting to combat Lemmy formatting doing weird things.


  • Does anyone have a suggested alternative for Authy? (Please read the whole post before responding.)

    I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:

    Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my eSIM back into it—I need to recover access to my 2-factor database via SMS so I’m able to log into my cloud storage and access my password database.

    At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.

    I’d be dubious of jumping from one closed-source product to another, but if there’s a particularly good option I’m all ears. I’ve been otherwise happy with Authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

    Edit: added emphasis.


  • I’ve always liked the distinction between needing your job to survive and being okay if it disappeared for at least a few months.

    If you have enough to mean you can take your time to look for a good job if you ever lost your current one without having to change your lifestyle, that’s the minimum bound of “enough” IMO. Anything else involves compromise, so therefore is not “enough” by definition.

    I’d say the idealised “enough” is when you can do whatever you decide to do without having to worry if you can afford it.

    Both of these depend on the kind of lifestyle people lead and how much more they would do if they didn’t have to think about money. For some people that idealised “enough” is unachievable, because they’ve decided what they want to do is make more money.

    People that end up chasing money for the sake of having more money will often do so in spite of any moral compass. And FWIW I don’t think there is a high percentage of people out there that make “enough” by either of my definitions, and that opens up all the exploitation that forces people into shitty jobs and situations they wouldn’t otherwise accept.


  • I kinda hate that this is a question that needed to be asked.

    Everything clever someone does with a camera is now gonna be met with: “is this just AI?”

    I guess it was “is this photoshopped?” before, but that still implied someone did something clever.