GitHub – andOTP/andOTP: Open source two-factor authentication for Android
Posted by jpluimers on 2021/01/05
[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.
A few highlights:
- andOTP is a two-factor authentication App for Android 4.4+.It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
- OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
- BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, eg. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism
- org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
- org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
- All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!
PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play
• Free and Open-Source
• Requires minimal permissions:
• Camera access for QR code scanning
• Storage access for import and export of the database
• Encrypted storage with two backends:
• Android KeyStore (can cause problems, please only use if you absolutely have to)
• Password / PIN
• Multiple backup options:
• Plain-text
• Password-protected
• OpenPGP-encrypted
• Sleek minimalistic Material Design with three different themes:
• Light
• Dark
• Black (for OLED screens)
• Great Usability
• Compatible with Google Authenticator
Via: [WayBack] ‘Aanvallen via ss7-protocol om 2fa-sms’jes te onderscheppen nemen toe’ – Computer – Nieuws – Tweakers
Check out @Jaykul’s Tweet: https://twitter.com/Jaykul/status/1091200778121957377
Instead of Google authenticator and Authy
Via https://twitter.com/martinfowler/status/1091097388201230339
Related :
- Check out @ca_heckler’s Tweet: https://twitter.com/ca_heckler/status/1091118505854930944
- Check out @Swizec’s Tweet: https://twitter.com/Swizec/status/1091097878146080769
- Check out @soilandreyes’s Tweet: https://twitter.com/soilandreyes/status/1091126871260127239
- Check out @Jerub’s Tweet: https://twitter.com/Jerub/status/1091100251719532544
- Check out @Jerub’s Tweet: https://twitter.com/Jerub/status/1091115522521886721
- https://twitter.com/IBBoard/status/1091101066282917888
Nope. It’s just a secret encoded in a QR code.
Here’s the docs on the format of the URI in the QR code: https://t.co/AJhT6PFAzx
The QR code delivers a simple, durable, shared secret.
Use U2F if you can. It is much safer, as it cannot be phished or copied.
Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.
Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?
- [WayBack] Martin Fowler on Twitter: “I like two factor authentication using Google Authenticator, and use it for several things. But I wish it was easier to transfer the keys onto a new phone”
- [WayBack] Swizec Teller på Twitter: “I wish it had OS-level integration like code texts do on iOS. “paste code from sms” is my fav mobile Safari feature… “
- [WayBack] Stian Soiland-Reyes #FBPE 🇪🇺🇬🇧🇳🇴🇲🇽 on Twitter: “That would make it no longer tied to your device; effectively reducing the second factor from “something (only) you have” to “something you once had”.”
- [WayBack] Stephen Thorne on Twitter: “You know how you use that QR code to load the crypto key for the TOPT token in the first place? If you (securely) store that image. You can use it in the future on your new phone. Also, please consider using U2F hardware tokens where possible. :)”
- [WayBack] Stephen Thorne sa Twitter: “Nope. It’s just a secret encoded in a QR code. Here’s the docs on the format of the URI in the QR code:
github.com/.../Key-Uri-FormatThe QR code delivers a simple, durable, shared secret. Use U2F if you can. It is much safer, as it cannot be phished or copied.”
- [WayBack] Stephen Thorne sa Twitter: “Nope. It’s just a secret encoded in a QR code. Here’s the docs on the format of the URI in the QR code:
- [WayBack] Michael Arndt on Twitter: “I wouldn’t want my keys on any of the mentioned platforms. Some direct device to device communication would be nice, maybe animated QR code, NFC. Something requiring unlocked device, proximity and no middleman.”
- [WayBack] IBBoard on Twitter: “Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario. Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?”
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment