Where do you store 2FA tokens? (Not hardware keys!)

Hi! What app do you use and can recommend for 2FA codes management?

I don’t have hardware keys (no desktop), Android OS.

Aegis works nice and is what I use

I use Aegis.

TOTP is stored locally on my phone via the app.

I then export a backup to my Proton Drive.

I also store the TOTP keys in my Bitwarden.

I like BitWarden and ente auth.


Did the same, stored the keys in Proton Drive. Then flashed GrapheneOS and could not access the accounts because I was logged out of Proton haha.
Luckily I had the recovery codes in Bitwarden :joy:

Is it secure to use a password manager for this? I mean, many eggs in one basket.

I use bitwarden for the bulk of my TOTP and KeePassium for the more sensitive accounts.

After Raivo was sold I searched for a replacement and KeePassium (while it has way more features) works fantastic as a replacement, as it invalidates your login and forces the master password if you fail Face ID or add a new biometric. It also has a convenient view for your entries and a button that displays and copies your TOTP to your clipboard at the same time right from the list view.


IMO, it’s still plenty secure, but it shifts the burden for a bad actor to compromise your accounts from needing physical access to your phone to just knowing your Bitwarden account password. However, you could secure your Bitwarden account with a physical security key like a YubiKey and it’d essentially be just about as secure (in the sense of a bad actor needing physical access to something) but now with the added convenience of your 2FA keys being a part of Bitwarden’s autofill.


I used Aegis for years, but recently switched to ente Auth when they added the close-on-copy feature. Sync and a web UI add some convenience over storing backups. Aegis still looks better if you need a nice UI.


2FAS Auth (I’m on iOS)

Stored in 1Password.

For someone who has only one device, what benefit does 2FA offer? I guess 2FA would add protection if they set guessable passwords, but not if they set strong passwords stored in a password manager. I see irony in signing in with the device that also stores the 2FA tokens.

It's not device count that matters; it's the degree of security, and 2FA offers a great degree of security.

If you have access to old printers (like the old dot matrix Epsons), maybe you could print your secret key (or maybe just write it down with pen and paper?) and keep it safe/hidden so you could regenerate the 2FA token from it. It will have its own risks and it's up to your imagination to manage it.

If your password is ever breached, TOTP will prevent a bad actor from accessing your account.

OP wrote “Not hardware keys”.

I think it is a little insecure as it is not open source (IMHO).

I think it's still better than not actually having a password manager. It's not like it's LastPass :laughing: in which… maybe even LastPass is better than no password manager, but only and only if you never had any accounts in any of the crypto exchanges.

This is why a distinction is often made where it’s not called two-factor authentication but two-step login.

Someone can have your password, but they’re still missing a step (TOTP) which in many cases they won’t have (such as a password database breach).

Mine is in Aegis. I agree not to put all your eggs in one basket.