The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Authy’ Category

September 2024 – August Tell HN: Twilio quietly removes Authy iOS app from Mac App Store, stops updates | Hacker News

Posted by jpluimers on 2025/05/05

Installing the Authy iOS app on an Apple Silicon Mac (M1/M2/M3/…) used to be the way to keep using Authy on the Mac desktop, as early this year Authy announced their desktop applications would shut down by August (links further below).

I missed the September 2024 post [Wayback/Archive] Tell HN: Twilio quietly removes Authy iOS app from Mac App Store, stops updates | Hacker News, which basically means that if you had it installed on a Mac, it will keep being installed but never updated.

This was done silently by Authy owner Twilio, making new installs impossible and never updating old installs any more, thereby effectively decreasing your security.

Anyway: if you want to try side-loading, this is the iOS app link: [Wayback/Archive] Twilio Authy on the App Store.

Sideloadly (links further below) might work, but in reality it likely is better to have your MFA running on a separate device.

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Power User, Security, TOTP (Timebase One Time Pads)

VoIP: passing on a phone number from one Fritz!Box to another Fritz!Box

Posted by jpluimers on 2024/03/11

Most Fritz!Box VoIP configurations have a phone number configured to only work on telephony devices (i.e. handsets) on the same Fritz!Box.

But it is possible to define a telephony device that itself is another VoIP end-point.

This way you can hook a second (or more) Fritz!Box up to the phone number(s) of the first Fritz!Box.

I am using this for two reasons:

Below is how to get this going, assuming the first Fritz!Box is a 7490 running firmware 7.29 and the second is a 7360 with firmware 6.33 (other versions and firmware versions vary slightly).

But first the related post: Many links about free modem/router choice and their configurations for the Dutch KPN internet/VoIP provider where I figured out that just using a 7360 won’t cut it any more.

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, DECT, Fritz!, Fritz!Box, Hardware, ISDN, Network-and-equipment, Power User, PSTN, Security, Telephony, VoIP

thuddevort on Twitter: “You can disable the extra confirmation under System > FRITZ!Box Users > Additional Confirmation”

Posted by jpluimers on 2024/02/16

My ISP did auto-update the Fritz!Box, but did not send release-notes, so I was not aware this feature had been added eons ago:

[Wayback/Archive] thuddevort on Twitter: “@jpluimers @wijnands @b0rk @xs4all You can disable the extra confirmation under System > FRITZ!Box Users > Additional Confirmation”.

I know a second factor is better for security, but doing that on both sites at the same time when setting up LAN2LAN VPN is tough (Fritz!Box names this either “LAN-LAN coupling” or “VPN Connections between the FRITZ!Box and Other Networks”).

A better option on the same configuration page is, instead of disabling the confirmation, enabling confirmation through apps like Google Authenticator and Authy:

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Fritz!, Fritz!Box, Hardware, Network-and-equipment, Power User, Security

How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Posted by jpluimers on 2023/09/18

For my link archive: [Wayback/Archive] How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Should work with Authy too.

Via: [Archive] Matthijs ter Woord (@mterwoord) | Twitter

–jeroen

Posted in 2FA/MFA, Authentication, Authy, Power User, Security

Mysk 🇨🇦🇩🇪 on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

Posted by jpluimers on 2023/05/10

Do not use the Google 2FA Authenticator to sync secrets across devices.

The why is explained in the (long) tweet by [Wayback/Archive] Mysk on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

For similar reasons, you might not want to use Authy by Twilio to sync between devices either, though that is less insecure as it forces you to use a backup password in order to sync these through the cloud. In the past that backup password had few security restrictions, so it was easy to use a relatively insecure password.

Related (most in Dutch):

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Google, GoogleAuthenticator, Power User, Security

2fa.directory: public list of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

Posted by jpluimers on 2022/05/09

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

[Wayback/Archive.is] twofactorauth at 2fa.directory with GitHub sources at [Wayback/Archive.is] 2factorauth/twofactorauth: List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

Via: [Archive.is] Jilles🏳️‍🌈 on Twitter: “I use custom e-mail accounts + 1Password/keepass and MFA; Yubikey, Authy, Authenticator. Don’t give honest answers to googleable security questions. And still everything is out in the open. Tip: https://t2fa.directory …”

–jeroen

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Power User, Security

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+. It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, e.g. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism.
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

  • Free and Open-Source
  • Requires minimal permissions:
    • Camera access for QR code scanning
    • Storage access for import and export of the database
  • Encrypted storage with two backends:
    • Android KeyStore (can cause problems, please only use if you absolutely have to)
    • Password / PIN
  • Multiple backup options:
    • Plain-text
    • Password-protected
    • OpenPGP-encrypted
  • Sleek minimalistic Material Design with three different themes:
    • Light
    • Dark
    • Black (for OLED screens)
  • Great Usability
  • Compatible with Google Authenticator

Via: [WayBack] ‘Attacks via the SS7 protocol to intercept 2FA text messages are increasing’ – Computer – Nieuws – Tweakers

Check out @Jaykul’s Tweet: https://twitter.com/Jaykul/status/1091200778121957377

Instead of Google authenticator and Authy

Via https://twitter.com/martinfowler/status/1091097388201230339

Related:

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code: https://t.co/AJhT6PFAzx

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?

 

–jeroen

Posted in Android, Authy, Development, Mobile Development, Security, Software Development

Calls from +18553308653 might be because someone is trying to use your phone number to set up a Microsoft account two factor authentication

Posted by jpluimers on 2019/02/18

Got some calls to my phone numbers in The Netherlands from +18553308653 that I did not ask for. The below searches revealed it is likely someone trying to use those to set up Two Factor Authentication.

It was not my live account, as that was already covered by the Microsoft Authenticator app (you can set up your phone number through account.live.com/names/Manage and authentication through account.microsoft.com/security, see steps at [WayBack] Microsoft – Authy).

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Power User, Security