NetBSD-Users archive


Re: OAUTH TOTP



Staffan Thomen <staffan%shangtai.net@localhost> writes:

> It used to be that google authenticator didn't automatically back up
> your secrets, so you had to be very careful to copy them over when you
> got a new phone and if your old phone was unusable you were hosed.

> This has since been fixed, and it will back them up to the google
> cloud like any other app's private data.

As long as it's e2e so google can't read it, that's ok.


> I will leave any tinfoiling about backing up secrets to the cloud unsaid.

I think you're joking, but it's not fair to call it tinfoiling.  Putting
TOTP seeds in the cloud where the cloud provider can read them is like a
password manager with cloud storage that does not encrypt the passwords.
Except 2FA is supposed to be better than passwords.  So that's just not
a reasonable thing to do.  Arguably, a password manager should also be
encrypting the URLs, not just the passwords, as the set of places at
which you have accounts is also sensitive.  I suspect there's a problem
with that too.

> AndOTP is an opensource alternative, and I will second a vote for
> KeePassXC in general.

Yes, there are other open source TOTP apps, and yes you need to pay
attention to backups.

Also, my understanding is that bitwarden will store seeds and do TOTP, I
think if you have a paid cloud account or if you are selfhosting
(vaultwarden) -- but I haven't tried it yet.
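To make the point above concrete: a TOTP seed is not a password-equivalent, it is the account's second factor in full, and whoever can read the seed can mint valid codes forever. The block below is an added example written for this archive page, not code from the thread, from Google Authenticator, andOTP or Bitwarden. It implements RFC 4226 HOTP / RFC 6238 TOTP with only the Python standard library, parses the otpauth:// URIs that authenticator apps export and back up, and shows what a party holding a plaintext backup learns: the list of services you have accounts at (the "set of places" point) and a current code for each. The two sample URIs are constructed here; the seed in them is the RFC 6238 test-vector seed "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), so the codes can be checked against the RFC tables. The verify() helper with its +/-1 step window is the check a server side would do, also an assumption of this example rather than anything the thread describes.

```python
"""Added example, not from the NetBSD-Users thread: what a readable TOTP backup gives away.

Standard library only. Seeds and otpauth:// URIs below are constructed for the
example; the seed is the RFC 6238 test-vector seed so outputs match the RFC.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

DIGEST_BY_NAME = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, big-endian 64-bit counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, t // step, digits, digest)


def verify(secret: bytes, code: str, t: int, step: int = 30, digits: int = 6,
           window: int = 1, digest=hashlib.sha1) -> bool:
    """Server-side check (assumed policy): accept codes from +/-window steps around t,
    compared in constant time so the comparison itself leaks nothing."""
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, c, digits, digest), code)
               for c in range(counter - window, counter + window + 1))


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=<base32>&issuer=...&digits=...&period=...&algorithm=...
    This is the export/backup format; note that it carries the seed in the clear."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer = q.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    s = q["secret"].upper().replace(" ", "")
    s += "=" * (-len(s) % 8)  # base32 in otpauth URIs is usually unpadded; b32decode wants padding
    return {
        "issuer": issuer,
        "label": label,
        "secret": base64.b32decode(s),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def codes_from_backup(uris, t: int) -> dict:
    """Everything a party who can read the plaintext backup learns at time t:
    which services you have accounts at (the labels) and a valid second factor for each."""
    out = {}
    for uri in uris:
        e = parse_otpauth(uri)
        out[e["label"]] = totp(e["secret"], t, e["period"], e["digits"],
                               DIGEST_BY_NAME[e["algorithm"]])
    return out


# Constructed sample backup (two accounts sharing the RFC 6238 test seed).
SAMPLE_BACKUP = [
    "otpauth://totp/Example:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example",
    "otpauth://totp/Bank:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Bank&digits=8&period=30",
]

if __name__ == "__main__":
    # With the seed readable, the "attacker" output is simply the user's current codes.
    for label, code in codes_from_backup(SAMPLE_BACKUP, int(time.time())).items():
        print(f"{label}: {code}")
```

Run it and the output is exactly what the authenticator app on your phone is displaying, computed from nothing but the backup contents. That is why the backup has to be encrypted under a key the provider never holds: a seed at rest in the provider's readable storage is equivalent to the provider (or anyone who compromises it) owning your second factor, and the labels alone enumerate your accounts.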

