Recommended TOTP application to enable 2FA on GitHub?

I just received a reminder that I still haven’t activated 2FA for my GitHub account. I understand I have to choose a TOTP application (the GitHub message mentions 1Password, Authy and Microsoft Authenticator), but I’m not sure which one to choose. Or even which criteria I should use to select a TOTP app.

But I feel like this is an important choice, and I do care about not giving sensitive information to 3rd parties. So would you please have any recommendation to give me?

Thanks in advance!

I can recommend https://getaegis.app/

2 Likes

If you are on a Linux machine:

```bash
oathtool -b --totp 'yourprivatekey'
```

EDIT: the drawback here is that you have to be careful about your private key being stored in your shell history.

1 Like

EDIT: replaced Python version with Julia version. This is mostly to demonstrate that the TOTP algorithm is trivial to implement.

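```julia
# should work with GitHub ...

using CodecBase
using Dates
using SHA

# Base32 secret as displayed by the site; strip the spaces used for grouping
pkey = replace("ABAB ABAB ABAB ABAB ABAB ABAB ABAB ABAB", " " => "")

# Current time step as 8 big-endian bytes (the HMAC message)
function get_timestamp(; valid_interval=30)
    timestamp = UInt64(trunc(Int, time()) ÷ valid_interval)
    hex2bytes(string(timestamp, base=16, pad=16))
end

function totp(; num_digits=6)
    key = transcode(Base32Decoder(), pkey)
    data = get_timestamp()
    hash = hmac_sha1(key, data)
    # Dynamic truncation: low nibble of the last byte selects the offset (1-based)
    offset = (hash[end] & 0x0f) + 1

    # Assemble 31 bits from the four bytes starting at offset
    code::Int32 = hash[offset] & 0x7f
    code <<= 8
    code |= hash[offset + 1]
    code <<= 8
    code |= hash[offset + 2]
    code <<= 8
    code |= hash[offset + 3]

    # pad so that codes with leading zeros still have num_digits digits
    join(reverse(digits(code, base=10, pad=num_digits)[1:num_digits]))
end
```

2 Likes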
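The two posts above combine into one short script. This is an added example, not code from any poster in the thread. It computes TOTP with the same parameters as the Julia code (HMAC-SHA1, 30-second step, 6 digits) and reads the secret from a no-echo prompt instead of a command-line argument, so it does not land in shell history. The function names are chosen for this example, and the self-check uses the published RFC 6238 test key.

```python
import base64
import getpass
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test key ("12345678901234567890" in Base32), not a real secret.
RFC_TEST_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(b32):
    """Accept the secret as sites display it: grouped, any case, unpadded."""
    s = "".join(b32.split()).upper()
    s += "=" * (-len(s) % 8)  # restore the Base32 padding sites usually omit
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # zfill keeps leading zeros, e.g. "005924" instead of "5924"
    return str(value % 10 ** digits).zfill(digits)


def totp(b32_secret, now=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    now = time.time() if now is None else now
    return hotp(decode_secret(b32_secret), int(now) // step, digits)


def self_check():
    """Compare against RFC 6238 Appendix B (SHA-1 row, T = 1234567890)."""
    return totp(RFC_TEST_SECRET, now=1234567890, digits=8) == "89005924"


if __name__ == "__main__":
    assert self_check(), "implementation does not match RFC 6238 test vector"
    # getpass reads from the terminal without echo: the secret is neither
    # in the shell history nor visible in the process argument list.
    secret = getpass.getpass("Base32 secret: ")
    remaining = 30 - int(time.time()) % 30
    print(f"{totp(secret)} (valid for {remaining}s)")
```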

I’d suggest giving bitwarden a try. People are generally quite happy with it (me too), the client and server code base is open source and you have the possibility to self-host it.
Being open source is a big plus in my opinion, and I wouldn’t use any password manager or TOTP application that isn’t.

Only downside for your use case is that the TOTP is behind the premium plan, but it is very reasonably priced (10$ per year). If you don’t want to pay anything, there is the possibility to self-host vaultwarden, which is an independent implementation of the Bitwarden API (I think it might also be free in the self-hosted bitwarden server, not sure though).

If all you need is the TOTP functionality, you can go with pretty much any offline TOTP client, but having everything encrypted on a server has the benefit of not being locked out of your accounts if you happen to lose your phone or didn’t store backup keys somewhere.

2 Likes

You can also use https://keepassxc.org/ , perhaps as backup…

2 Likes

Many thanks everyone, you’ve given me very useful recommendations and insight!

I’m personally using a hardware token with NFC support for 2FA. Works like a charm, and I don’t have to unlock my phone every time I log in somewhere.

2 Likes