Aegis Authenticator is “a free, secure and open source 2FA app for Android. It aims to provide a secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups. Aegis supports HOTP and TOTP, making it compatible with thousands of services.”
I’ve been doing a bit of a personal security audit lately, and updating/resetting passwords and adding 2FA wherever I can. One of the things I was pleasantly surprised to see is that DokuWiki made it fairly straightforward to add 2FA to my wiki.
The work to enable this was done by plugin developer Michael Wilmes, and involved installing a number of plugins that Wilmes developed.
I was only interested in the Google Authenticator plugin module. After installing it, it worked like a charm. My login page now looks like this, and will not let me log in without the 2FA code:
In the YouTube video below, Joshua Reynolds presents at the IEEE Symposium on Security and Privacy about a couple of usability studies he and others conducted testing the usability of configuring and using Yubico’s Yubikey two-factor authentication security keys.
The full usability study can be found on the IEEE website. From the study’s abstract,
Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys-small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.
I have Yubico’s FIDO key enabled on all the accounts I have that utilize it. I have two primary laptops I use most days, and I bought Yubikey 4 Nano keys for both of those.
But I ran into a bit of a problem when I decided to add a Chromebook as a secure, ultraportable device. I ended up buying an ASUS Chromebook that only had USB-C ports.
Fortunately, Yubico recently released a USB-C version of the Yubikey 4 Nano. It’s a bit expensive at $60, but it has a very low profile on the Chromebook and works without any issues.
Two Factor Auth (2FA) is a website that lists popular websites and indicates whether or not they support two factor authentication. If they do not, the site provides easy links to click to encourage companies on Twitter or Facebook to add two factor authentication.
On September 22, 2017, Nintendo released two-factor authentication for Nintendo accounts. The system uses Google’s 2FA system (so it would also work with the LastPass authenticator, which is what I generally use).
So at this point, my Nintendo account is more secure than my bank account. My bank doesn’t offer any form of routine 2FA, despite me constantly harassing them about adding it.
And really, even 2FA isn’t good enough when it comes to banking. There’s no reason banks and credit unions shouldn’t offer their customers the option of using U2F.