With passkeys being the password replacement of choice (secure, phishing- and MITM-resistant because the credential is bound to the site's origin, convenient), it's time to review the alternatives you still end up relying on as second factors and recovery paths:
- SMS/Phone
- Email
- Backup Codes
- TOTP
SMS/Phone
Known to be a problem since it is possible to get a new SIM card issued for your phone number (SIM swapping) and receive your codes on it. While I assume that most phone providers are careful, this is not in your control and it has happened.
Email
Similar to SMS/Phone, and on its own even less secure: whoever controls the mailbox can reset every account that uses it for recovery. But here you have more control: secure the email account itself with 2FA. If this is Gmail, enable 2FA. Do not use a recovery email address unless that account uses 2FA too.
Backup Codes
Usually a set of long strings of digits/characters, or several words, that are supposed to be stored offline. Risks are: codes stored online (where you have no access precisely when you are locked out of the account you need them for), forgetting where you kept the physical printout, losing the printout, or regenerating the codes (which normally invalidates the old set) and not replacing the old printout.
Each code can be used only once, so they are really there to recover an account. That unfortunately means they will likely never be used, and in most cases you cannot even test one without spending it.
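To make the single-use and regeneration behaviour concrete, here is an added example of how a service would handle backup codes on its side. This is my own constructed illustration, not code from any real service or from the post: codes are generated from the OS CSPRNG, stored only as keyed hashes, deleted on first successful use, and replaced as a whole set when the user regenerates them, which is why an old printout stops working.

```python
"""Server-side backup (recovery) codes: random, stored only as keyed hashes, single-use,
and invalidated as a whole set when a new set is issued. Constructed example, not any
real service's code."""
import hashlib
import hmac
import secrets

# Symbols that are unambiguous when read back from paper (no 0/o, 1/l/i); 31 of them,
# so a 10-symbol code carries about 49 bits of entropy.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, groups=2, group_len=5):
    """Return `count` codes like 'k7m2p-x9q4z', built from the OS CSPRNG."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups))
            for _ in range(count)]


class BackupCodeStore:
    """Per-user store. Plaintext codes are handed out exactly once; only hashes stay on the server."""

    def __init__(self, server_key: bytes):
        # Keyed hash with a secret kept outside the database (a pepper): a dumped table of
        # hashes alone cannot be brute-forced against the ~2^49 code space.
        self._key = server_key
        self._hashes = {}   # user_id -> list of hashes of still-unused codes

    def _hash(self, code):
        # Normalize what a human typed from paper: case, dashes and spaces do not matter.
        normalized = code.strip().lower().replace("-", "").replace(" ", "")
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).digest()

    def issue(self, user_id, count=10):
        """(Re)generate the set. The previous list is replaced, so every old code stops working,
        which is why an old printout must be destroyed and the new one filed."""
        codes = generate_backup_codes(count)
        self._hashes[user_id] = [self._hash(c) for c in codes]
        return codes   # shown or printed once; never stored in plaintext

    def redeem(self, user_id, code):
        """Single use: a matching hash is removed, so presenting the same code again fails."""
        candidate = self._hash(code)
        remaining = self._hashes.get(user_id, [])
        for i, h in enumerate(remaining):
            if hmac.compare_digest(h, candidate):
                del remaining[i]
                return True
        return False

    def remaining(self, user_id):
        return len(self._hashes.get(user_id, []))
```

Redeeming a code a second time fails, and after `issue()` is called again every code from the earlier set is rejected, so a user who regenerates codes and keeps the old printout has no working recovery path at all.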
TOTP
Pretty safe if the seed is kept offline. The seed is the actual secret: whoever has it can generate every future code. It can be stored offline, e.g. as a printed QR code (the otpauth:// URI the service showed during setup) for convenience.
However, TOTP is often the only 2FA method available (ignoring SMS and email), so contrary to backup codes you want it on the phone you carry, which makes it an online thing. Splitting accounts into a regular-use TOTP set on the phone and an exceptional-use TOTP set kept offline is an option, but it means more work to keep up to date.
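What a printed TOTP backup actually contains, and how a code is derived from it, is short enough to show in full. This is an added example, not code from the post or from any authenticator app: it parses an otpauth:// URI like the one inside a setup QR code, computes the code per RFC 6238, and includes the server-side check with a one-step clock-skew window. The sample URI is constructed from the RFC's published test seed; "ExampleMail" and the account name are made up.

```python
"""What a printed TOTP backup holds, and how codes are derived from it (RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def parse_otpauth_uri(uri):
    """Split an otpauth://totp/<label>?secret=...&issuer=... URI (the text inside a TOTP QR code)."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = urllib.parse.parse_qs(parts.query)
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],              # base32 seed: this IS the credential
        "issuer": query.get("issuer", [""])[0],
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC(seed, time step), dynamic truncation as in RFC 4226, reduce mod 10^digits."""
    seed = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    step = struct.pack(">Q", int(timestamp) // period)
    digest = hmac.new(seed, step, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def code_from_uri(uri, timestamp=None):
    """Derive the current code from a backed-up URI; this is how you test a paper backup
    against what the authenticator app shows, without spending anything."""
    p = parse_otpauth_uri(uri)
    ts = time.time() if timestamp is None else timestamp
    return totp(p["secret"], ts, p["digits"], p["period"], p["algorithm"])


def verify(secret_b32, candidate, timestamp, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept the current step and `window` steps either side for clock skew;
    compare in constant time so timing does not leak how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + k * period, digits, period, algorithm), candidate)
        for k in range(-window, window + 1)
    )


# Constructed sample using the RFC 6238 test seed "12345678901234567890"; not a real account.
SAMPLE_URI = ("otpauth://totp/ExampleMail:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleMail&algorithm=SHA1&digits=6&period=30")

if __name__ == "__main__":
    print(parse_otpauth_uri(SAMPLE_URI)["label"])   # ExampleMail:alice@example.com
    print(code_from_uri(SAMPLE_URI))                # the same code the app shows right now
```

Running it against a printed QR code next to the phone is the one safe way to confirm that an offline TOTP backup is intact: if the two codes match, the seed on paper is the seed the service knows. Note that a valid code proves possession of the seed, nothing more, which is why a phishing proxy that relays the code in real time still wins against TOTP and not against a passkey.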
While the usual suspects Google Authenticator, Microsoft Authenticator, Auth0 Guardian, etc. are probably well-written, I don’t like the thought that my Google TOTP is on the Google Authenticator. On the other hand, I like the cloud synchronization as I have several mobile devices, but it would be nice to disable cloud sync on some devices. “Offline-lite” if you like.
I used Google Authenticator and it worked well: it’s cloud synchronized, but you can be offline too on another phone. But at over 20 TOTP entries, it’s cumbersome to find the code you need. Sorting is manual too.
Enter 2FAS: it’s like Google Authenticator, but better:
- Can group TOTP entries together (e.g. “Social Networks” or “Dev Stuff”) making the overall look much cleaner
- Sort manually or alphabetically
- Cloud sync which can be turned on/off
- Local (file) backup of your seeds is possible
- Nice icons for each entry! Helps a lot to find the one you need.
Basically it has some extra features, all of which I like, and it's open-source.
Migration Process
Google Authenticator exports accounts as one or more large QR codes (otpauth-migration:// URIs), each holding up to 10 entries, and 2FAS can scan them. If you have more than 10 entries, import the first 10, then the next 10, and repeat until done. Once everything is in 2FAS you can export all entries at once, so this batching is a one-time action. Keep in mind that the export QR codes carry every seed unencrypted: scan them directly from one device to the other, and do not screenshot them or let them end up in a synced photo library.
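To see exactly what leaves the phone during this step, here is an added decoder for the export QR payload (my own illustration, not code from Google Authenticator or 2FAS). Google publishes no schema for the otpauth-migration payload; the protobuf field numbers below are the ones community decoders use, so treat them as an assumption. The block builds its own constructed sample export so it runs offline, then turns each entry back into an otpauth:// URI, which is the point: the seeds are right there in the clear.

```python
"""Decode a Google Authenticator export QR payload (otpauth-migration://offline?data=...)."""
import base64
import urllib.parse
from dataclasses import dataclass

# Assumed field numbers (no official schema; these match community decoders):
# MigrationPayload: 1 otp_parameters (repeated), 2 version, 3 batch_size, 4 batch_index, 5 batch_id
# OtpParameters:    1 secret (raw bytes), 2 name, 3 issuer, 4 algorithm, 5 digits, 6 type, 7 counter
ALGORITHM = {0: "SHA1", 1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {0: 6, 1: 6, 2: 8}
OTP_TYPE = {0: "totp", 1: "hotp", 2: "totp"}


def _read_varint(buf, pos):
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _fields(buf):
    """Yield (field_number, value); only varint (0) and length-delimited (2) wire types occur here."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:
            value, pos = _read_varint(buf, pos)
        elif wire == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError(f"unexpected wire type {wire} for field {field}")
        yield field, value


@dataclass
class OtpEntry:
    issuer: str = ""
    name: str = ""
    secret_b32: str = ""
    algorithm: str = "SHA1"
    digits: int = 6
    otp_type: str = "totp"

    def otpauth_uri(self):
        label = urllib.parse.quote(f"{self.issuer}:{self.name}" if self.issuer else self.name, safe=":")
        return (f"otpauth://{self.otp_type}/{label}?secret={self.secret_b32}"
                f"&issuer={urllib.parse.quote(self.issuer)}&algorithm={self.algorithm}&digits={self.digits}")


def _parse_entry(buf):
    e = OtpEntry()
    for field, value in _fields(buf):
        if field == 1:   # the raw seed: whoever reads this QR code can generate every future code
            e.secret_b32 = base64.b32encode(value).decode().rstrip("=")
        elif field == 2: e.name = value.decode()
        elif field == 3: e.issuer = value.decode()
        elif field == 4: e.algorithm = ALGORITHM[value]
        elif field == 5: e.digits = DIGITS[value]
        elif field == 6: e.otp_type = OTP_TYPE[value]
    return e


def decode_migration_uri(uri):
    """Return (entries, batch_index, batch_size) for one export QR code."""
    scheme, _, rest = uri.partition("://")
    if scheme != "otpauth-migration" or not rest.startswith("offline?"):
        raise ValueError("not an otpauth-migration URI")
    params = dict(kv.split("=", 1) for kv in rest[len("offline?"):].split("&"))
    payload = base64.b64decode(urllib.parse.unquote(params["data"]))
    entries, batch_index, batch_size = [], 0, 1
    for field, value in _fields(payload):
        if field == 1: entries.append(_parse_entry(value))
        elif field == 3: batch_size = value
        elif field == 4: batch_index = value
    return entries, batch_index, batch_size


# --- constructed sample export (built here; not a real Google Authenticator export) ----------
def _varint(n):
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def _field(num, value):
    if isinstance(value, int):   # varint field
        return _varint(num << 3) + _varint(value)
    return _varint(num << 3 | 2) + _varint(len(value)) + value   # length-delimited field


def build_sample_export_uri():
    def entry(secret, name, issuer):
        return (_field(1, secret) + _field(2, name.encode()) + _field(3, issuer.encode())
                + _field(4, 1) + _field(5, 1) + _field(6, 2))
    payload = (_field(1, entry(b"12345678901234567890", "alice@example.com", "ExampleMail"))
               + _field(1, entry(bytes(range(20)), "alice", "ExampleForge"))
               + _field(2, 1) + _field(3, 2) + _field(4, 0) + _field(5, 4242))
    return "otpauth-migration://offline?data=" + urllib.parse.quote(base64.b64encode(payload).decode(), safe="")
```

`decode_migration_uri(build_sample_export_uri())` yields two entries and reports batch 1 of 2; each `otpauth_uri()` is a ready-to-scan seed. That is why the transfer should go screen to camera only: a screenshot of the export QR code in a cloud photo library is every one of your second factors stored online.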
To avoid potentially using the wrong tool for TOTP, I removed all entries from the Google Authenticator app after confirming that 2FAS shows the same codes. Then it was time to uninstall Google Authenticator.
Creating folders in 2FAS took me a while to figure out: tap the 3 vertical buttons on its main app screen, then create a folder. Now long-press each item and you can assign it to any existing folder.