Hi! Since Authy is shortly removing their desktop app, I need to find another auth service with a Windows desktop app.
The main reason is I work online all day, and really don't want to pick up the phone each time, as I have to auth-in to stuff regularly. I set up a nice AutoHotkey script with Authy desktop which worked amazingly well for ages.
What are the current options for Windows desktop auth-ing?
Since there is no mandatory sandboxing on Windows (and Linux), and no hardware keystore is utilized that properly protects your TOTP seeds, I would be cautious about using a TOTP app there.
TOTP is not great anyway because it's not phishing-resistant (e.g. evilginx-style attacks). I would recommend using FIDO2 security keys as a phishing-resistant second factor wherever possible. Depending on your protection needs, passkeys can also be fine as a single, phishing-resistant factor, but a separate FIDO2 2FA would be more secure.
If you nevertheless want to use a TOTP app on Windows, there are password managers with TOTP functionality like Bitwarden. Storing your passwords alongside your TOTP seeds wouldn’t make a difference in this use case anyway.
The Bitwarden subreddit recently/repeatedly mentioned a tool to extract the TOTP secrets from Authy's data file(s). If this is possible, maybe you would be open to putting the secrets into KeePass/derivatives, which generate TOTP codes.
A drawback is that when you add a new entry, you have to add it to both the mobile app (probably by camera) and the PC app (manually, or via a URL string). OTOH, how often do you add? If not often, this may be fine.
Thanks, that's a very valid concern! Are there any decent mitigations for that? I've tried KeePass, which from a usability standpoint is super convenient on the PC. I have the kdbx file on an encrypted drive, with a very short timeout for the database, so KeePass always asks for the master password every time it's used.
So if anyone steals my laptop, they’d at least have to get through drive encryption first, then crack the kdbx master password, by which time I’ll have changed those credentials anyway.
Main concern would be malware on the PC itself, but I assume that also applies to mobile?
Commenting on Android, not iOS. An unrooted Android is much more restrictive / permission-oriented than Windows. For a 2FA app like 2FAS, malware cannot exfiltrate the data file. Malware with accessibility access (a permission you should rarely, if ever, grant) can watch your screen, but 2FAS doesn't show the TOTP secret unless explicitly told to, which you most likely don't have a need for anyway. So, your 2FA secrets on Android are pretty safe, except perhaps in the case where you get phished for your cloud credentials and 2FA backup password; then they can get everything.
On Windows, malware can do more. It can exfiltrate the kdbx file for cracking. It can dump memory when the kdbx file is open/unlocked. It can exfiltrate the file and keylog your keyboard. Your PC is technically less safe than an Android device for keeping secrets from malware, be it passwords or TOTP secrets. You are probably less likely to get phished (for file and password), though.
For the kdbx file, I personally prefer using a password + keyfile (on a separate USB). You may get better protection (but perhaps just marginal, you decide) in some cases. Using a keyfile means your kdbx file will be strongly encrypted even with a weaker password (which may be desirable for convenience). Malware that manages to exfiltrate just your kdbx file most certainly won't be able to crack the file. You will be exposed when the file is open, and when you have your kdbx+keyfile available for exfiltration (and keylogging, if your "easy" password is still uncrackable).
OTOH, some people think keeping malware off your system is definitely doable. If you feel confident with this, maybe you don't have to worry so much. Trying to still have some protections despite having malware on the system seems like a bottomless rabbit hole.
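As an added illustration (not code posted in this thread), here is how a password and a key file are combined into a KeePass composite key, followed by a toy wordlist attack on a stand-in "database". The composite-key rule (SHA-256 over SHA-256(password) concatenated with the key file's 32-byte key) and the raw key-file rules follow KeePass's documented behaviour; the vault, the `unlock-check` tag and the PBKDF2 stand-in for the real KDBX KDF are simplifications made here, and the key file, salt and wordlist are constructed values.

```python
import hashlib
import hmac
from typing import Optional

# Illustrative only: the real KDBX format runs the composite key through a
# tunable KDF (AES-KDF or Argon2) with seeds stored in the file header; here a
# fixed-cost PBKDF2 stands in for it.
KDF_ROUNDS = 20_000


def keyfile_key(data: bytes) -> bytes:
    """32-byte contribution of a raw (non-XML) KeePass key file.

    Documented rules: a 32-byte file is used as-is, a 64-character hex file
    is decoded, anything else is SHA-256 hashed.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components: SHA-256(password) || keyfile key."""
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    if not material:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(material).digest()


def create_vault(password: Optional[str], keyfile: Optional[bytes], salt: bytes) -> dict:
    """Toy 'database': holds only what an attacker gets from the exfiltrated file."""
    master = hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, KDF_ROUNDS)
    return {"salt": salt, "check": hmac.new(master, b"unlock-check", hashlib.sha256).digest()}


def unlock(vault: dict, password: Optional[str], keyfile: Optional[bytes]) -> bool:
    """Re-derive the master key from the supplied components and verify the check tag."""
    master = hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), vault["salt"], KDF_ROUNDS)
    tag = hmac.new(master, b"unlock-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["check"])


def crack(vault: dict, wordlist, keyfile: Optional[bytes]) -> Optional[str]:
    """Offline guessing over a wordlist, as malware that exfiltrated the file would do."""
    for guess in wordlist:
        if unlock(vault, guess, keyfile):
            return guess
    return None


def demo() -> dict:
    keyfile = bytes(range(32))                     # constructed stand-in for a random 32-byte key file
    salt = b"constructed-salt-for-demo-only!!"     # constructed; KDBX stores its own seeds in the header
    vault = create_vault("hunter2", keyfile, salt)  # deliberately weak password
    wordlist = ["password", "letmein", "hunter2", "qwerty"]
    return {
        "with_keyfile": crack(vault, wordlist, keyfile),               # "hunter2": weak password falls
        "without_keyfile": crack(vault, wordlist, None),               # None: right guess, wrong key
        "wrong_keyfile": crack(vault, wordlist, b"not the key file"),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is structural: with the key file absent from the exfiltrated material, guessing the correct password still yields the wrong composite key, so the wordlist attack is not a matter of more rounds or a bigger list. The moment the key file is on the same machine as the kdbx (or in memory while the database is open), that advantage is gone, which is what the post above means by keeping it on a separate USB.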
Use sandboxing and application control. But it won’t come close to Android/iOS security.
Yeah, that’s easy to mitigate. Avoiding malware or attacks on a desktop OS is more difficult.
On Android and iOS, apps can't access other apps' data. They would need a sandbox escape, which is pretty unlikely and usually only seen in state-level attacks.
Standard Notes supports 2FA if you're on their paid plan. So it's not free, and I'm not technical enough to know the absolute security of using it on Windows, but it's worked for me with two notes.
The iOS app would not load any of the markdown notes when in Lockdown Mode so if you have an iPhone and want to use it there too with lockdown you’d have some difficulty.
It will only work with 6-character TOTP codes, and certain apps like Cake Wallet generate 8-character TOTP codes, so it may not support everything, only most things.
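Two points raised in this thread, adding an entry to a desktop app "via a URL string" and apps that only handle 6-digit codes, both come down to the same RFC 6238 computation. The following is an added example, not code from any app or poster here: it parses an `otpauth://totp/` URI (the text a QR code encodes) and generates 6- or 8-digit codes for SHA1/SHA256/SHA512. The example URI is constructed from the RFC 6238 test seed and is not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions permitted by the otpauth "algorithm" parameter.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse otpauth://totp/<label>?secret=...&digits=...&period=...&algorithm=...

    Defaults (6 digits, 30 s, SHA1) match what most services emit; an app that
    ignores the digits parameter is what makes 8-digit accounts fail.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": algorithm,
    }


def decode_secret(secret):
    """Base32-decode a TOTP seed, tolerating spaces, lowercase and missing padding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(key, int(unix_time) // period, digits, algorithm)


def totp_from_uri(uri, unix_time=None):
    """Code for an otpauth URI at the given (default: current) Unix time."""
    params = parse_otpauth(uri)
    now = time.time() if unix_time is None else unix_time
    return totp(decode_secret(params["secret"]), now,
                params["period"], params["digits"], params["algorithm"])


# Constructed example: the RFC 6238 test seed (ASCII "12345678901234567890") in
# base32, requesting 8-digit codes as some services do. Not a real account.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")

if __name__ == "__main__":
    print(parse_otpauth(EXAMPLE_URI)["label"], totp_from_uri(EXAMPLE_URI))
```

The same seed yields an 8-digit code that is simply the 6-digit code with two more leading digits kept from the truncated HMAC, so an app hard-wired to 6 digits produces a value the service will reject rather than a wrong-but-obvious error. Anything that stores the decoded seed on a desktop, of course, inherits the exfiltration concerns discussed above.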
Oh, I was not aware of that and have since switched to Graphene so not something I’m tracking too much anymore. I’ll look into that for future use though.