
My hunt for an open source Authy took me to 2FAS, which has been fine. Any opinions on this offering?

2FAS — the Internet’s favorite open-source two-factor authenticator

https://2fas.com




I come from Authy and switched due to the desktop app's demise.

2FAS does not have a desktop app and doesn’t offer self hosting. The browser extension is fine, but was clunky at times. I started disliking using a browser extension as my main thing to manage 2FA. I feel a lot better with the Ente Auth desktop app and mobile apps.

You can actually import stuff to 2FAS as well as Ente Auth, so no problem in trying out both.


2FAS iCloud storage is not e2e encrypted: https://github.com/twofas/2fas-ios/issues/43


> 2FAS syncs across your mobile devices.

[...]

> 2FAS works offline.

> 2FAS doesn't store any passwords or metadata.

Eh?


Syncing happens via files in your iCloud Drive.


This is storing/syncing the shared secret used to generate the TOTP. Generating the TOTP is fully offline.


Ok, except that the secret is the TOTP generator. Anyone who has the secret can generate any TOTP for any point in time, and own your 2FA. An attacker needs nothing else. So if the secrets are stored online - ever - it's nullifying the "offline" claim.

Does anyone know a 2FA app that only stores secrets offline? E.g. without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.

iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".
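The point made above, that the shared secret alone determines every code, is easy to see in the RFC 6238 arithmetic. The following is an added example written for this thread, not code from 2FAS, Ente Auth or any other app named here; the function names are mine, and the sample key is the reference key from RFC 6238 Appendix B, so the 8-digit results can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 reference-vector key ("12345678901234567890"),
# base32-encoded the way authenticator apps store it. Everything below derives
# from this value and the clock alone; no network access is involved, which is
# why a synced or leaked copy of the secret is the whole second factor.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits)


def codes_for_window(secret_b32: str, start: int, periods: int, step: int = 30):
    """Codes for `periods` consecutive time steps starting at `start`.

    Any past or future code follows from the secret, so protecting the secret
    (e.g. with E2E encryption at rest and in sync) is protecting the factor.
    """
    return [totp(secret_b32, start + i * step, step) for i in range(periods)]


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits) as a self-check of the arithmetic.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(SAMPLE_SECRET_B32, t, digits=8) == expected
    now = int(time.time())
    print("current code:", totp(SAMPLE_SECRET_B32, now))
    print("next five codes:", codes_for_window(SAMPLE_SECRET_B32, now, 5))
```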


You’re not wrong, a hardware keychain gizmo with a camera for scanning QRs would be the ultimate actually-secure 2FA device (at least against remote attackers). Personally though I view standards-based 2FA more as a tool to reclaim my login abilities from the insane zoo of “let us email or text you a code” confirmations various sites force on you because they assume you must use a stupid and reused password so that’s not enough now.

When I store my passwords and their 2FA secrets in my KeePass db, I’m arrogantly taking for granted that I won’t ever leak my whole secrets database, which is a risk I’m willing to take because I know what I’m doing (and don’t have any secrets valuable to state-level actors). I appreciate having the option to make this call so I don’t have to drop in to my email just to log into frigging Patreon.


> Does anyone know a 2FA app that only stores secrets offline?

Ente Auth works fully offline. E2EE backups are optional.



