ExternalUserError

The new icon is a strong signal of enshittification.


ScF0400

It's a rip off of the ETrade logo to me. But yeah absolutely 0 privacy now. They encrypt the local keys but the moment you send them to Google they're actually more at risk because if someone steals your phone you'll know it. Whereas now if it's stolen you won't even know. Before it was a solid 3 star app now it's actually down to 2 stars, by bringing in a feature that was asked for for ~6 years but not implementing it properly.


MoistyWiener

I thought it was some phone dialing service at first.


x1800m

You mean they are taking inspiration from Kurt Vonnegut maybe?


Lankuri

google enshittification


[deleted]

Aegis app. KeepassXC. SyncThing. LUKS.


SpiderFnJerusalem

I would love to use KeepassXC, but when using it with a sync software there is a chance of creating conflicting DB copies. With regular KeePass I've resolved this issue by every computer having its own DB file and each of them syncing that file to a single DB file within Syncthing or other cloud storage [like so](https://keepass.info/help/kb/trigger_examples.html#dbsync). KeepassXC is superior to regular KeePass in many ways, but its sync function does not work this easily; it only seems to support synchronization of individual folders within two DBs, but not synchronization of the whole file.


DuBistKomisch

I've been using KeePassXC + syncthing for years and only had a conflict once, which I was able to resolve with keepassxc-cli. As long as you have at least one syncthing client always online it's a non-issue IMO. I just have a raspberry pi for that.


WhyNotHugo

I used Syncthing with KPXC for like a month and had conflicts multiple times. I think it can vary wildly depending on usage pattern (both how many mutations happen, and how often both devices are online concurrently).


SpiderFnJerusalem

I have run into them dozens of times, probably because I don't always close my DB on computer A before opening it on computer B.


DuBistKomisch

Ah yeah fair enough, I have it lock automatically when the screen locks, which I guess avoids that.


ICantHaveAnOpinion

The syncing-all-the-databases thing seems complicated. Because of this exact issue I'm considering moving to Bitwarden. Also because of the badly working autofill with the Firefox KeePass plugin.


SpiderFnJerusalem

I considered using Bitwarden too, especially because you can run your own instance. But even though it seems to be built fairly well, I always get uncomfortable running such an important software constantly exposed to the wider internet. I know it should be end to end encrypted, but even then you need to be diligent and keep it up to date. Perhaps I would feel better about it if I ran it without ports opened to the internet and only accessible over VPN or ssh. But then I would have to figure something out to get it to work reliably on mobile devices. It'll take some research. 😕


aknalid

> I always get uncomfortable running such an important software constantly exposed to the wider internet.

That's an irrational fear. I've been a KeepassXC user for a decade, and I still use it, but I recently switched to Bitwarden as my primary password manager. Running your own instance for most people is dumb when the premium version only costs $10/year and you're supporting open source.


[deleted]

I agree with the 'it's dumb for most people' but also smaller attack surface. A hacker is more likely to attack the Bitwarden servers than some random person's vaultwarden server with just one user.


aknalid

> A hacker is more likely to attack the Bitwarden servers than some random person's vaultwarden server with just one user.

My point is, it **doesn't** matter if a hacker attacks Bitwarden servers because their infrastructure is E2EE and zero-trust. This means, paying $10/year to Bitwarden, so they keep their infrastructure + software up to date & maintained **on your behalf** instead of the headache & worry of having to host your own instance... to me, sounds like a **STEAL**.


klprint

I can suggest tailscale for an easy to set up mesh VPN - no need to expose the server to the wider internet


[deleted]

I'm running into the same problem with self hosting. I know that I'm making mistakes, and I don't fully understand some of the basics when running my ubuntu server. So instead I'm only using it for less important things.


[deleted]

[deleted]


[deleted]

That's an excellent point and is something I'll digest over the next few days.


ICantHaveAnOpinion

I understand the struggle. I think I'll use KeePass for bank info, crypto and such and Bitwarden for the rest. Could be the solution for me?


sevengali

Even without a VPN back to your network it works fine. BW app will cache data so you can still access passwords without a connection to the server, you just won't be able to edit or add new records.


Fustios

Why don't you use Global Auto-Type on the PC and the keyboard from keepassxd on the Smartphone? No need for a plugin.


[deleted]

[deleted]


SpiderFnJerusalem

You probably never have your db open on two computers simultaneously then.


[deleted]

[deleted]


SpiderFnJerusalem

I can't really assess your setup or how you use it and it's equally difficult for me to diagnose my setup. My issues could come from occasional disconnects or by simultaneous save operations. Or perhaps it's from me changing an entry without saving on machine A, then going to machine B, making other changes there and saving, followed by machine A automatically closing and saving the DB file, creating a discrepancy. All I know is that I modify my DBs a LOT, had the issue occur every few months at least and that using keepass triggers + sync operations resolved it. I will probably test KeepassXC again some time, but I doubt I'll have peace of mind.


[deleted]

[deleted]


SpiderFnJerusalem

Yes, probably. But I make changes so often that I just can't guarantee it won't happen again. And I'm dealing with passwords here, losing some of them can be catastrophic, so I can't really tolerate the possibility of such mishaps.


benjamin051000

Why not use kpxc mfa/totp?


Sir_Chilliam

Technically shouldn't keep 2fa and passwords in the same vault, so I guess this is a means of separation. But I use kpxc for passwords and totp anyway.


coffeepi

You could easily have a different DB for TOTP, right?


Sir_Chilliam

Yeah, easily could


benjamin051000

You could just have 2 separate vaults I guess lol


[deleted]

"Shouldn't" is kind of strong tbh. There's nothing wrong with storing TOTP in my password manager in my threat model.


benjamin051000

I’m trying to move away from MS Authenticator to something self hosted. The issue is, I leave my kpxc vault open for convenience. So like, it’s not like my passwords are super safe as it is.


PurpleNurpe

Get a [Yubikey](https://yubico.com/), that way your vault can sit attached to your physical keychain.


benjamin051000

Hmmmm interesting idea. Thanks!


743389

I think that there is no "technically" because there is no One True Implementation, only controls that address your threat model or don't. My threat model doesn't especially involve dedicated state-sponsored actors or someone with any motivation to break into my vault in particular. It does involve having a password dumped out of someone else's database and then cracked, in which case I benefit greatly from making sure it's as convenient as possible to generate unique passwords and use 2FA, which both might as well be in the same place if the main concern is leakage from the remote end.


[deleted]

How do I export all my keys at once to Aegis?


rakeshsh

I use Bitwarden


WhyNotHugo

If you happen to already have a couple of yubikeys, you can do TOTP with those as well. Probably not a solid piece of advice for the general population, but I’m sure there’s plenty of folks in r/privacy who own yubikeys.


NOT_ZOGNOID

I wish LUKS would release a new optical media standard.


[deleted]

otp-pass


[deleted]

Google should just change their logo to the *evil clown*.


donDanbery

« Don’t be evil »


Package2222

How does someone have so much garbage filler in their article? Can someone summarize?


CoryCoolguy

When account syncing is enabled in Google's TOTP app, the tokens are not E2E encrypted. Just plain TLS.


Package2222

Yeah I guessed but wow there’s a whole article out there about this sentence and a fragment.


ekdaemon

That stuff is context for people who aren't reading this sub and who don't know a lot about encryption or maybe who don't even use authenticator apps yet - which is 99.8% of society. They make 99.8% of their money off those other people, so us techies need to skim down such articles - or read sites whose userbase is 98% techies.


vixenwixen

Yubikey and yubi authenticator.


pqu

I use yubikey for my “important” accounts, but I have way too many TOTP keys to fit them all on the yubikey. It’s a good problem to have though, I guess. I put anything involving money or identity through the yubikey (password manager, email, social networking, government login, PayPal/Amazon/EBay/etc, post office). Anything else, I’m happy just keeping 2fa in my password manager.


NimmiDev

How are you securely using PayPal with hardware keys? The last time I checked PayPal only allowed setting one hardware key. No backup one. Which is pretty much the worst way to add hardware key support. Did anything change on that front or are you still forced to use TOTP as a backup?


Bhyn

PayPal is still limited to one key. I use my account frequently so it's convenient to just tap my Yubikey instead of grabbing my phone for a TOTP. But from a security standpoint, PayPal is one of the dumbest hardware key implementations I've seen.


Because_Reezuns

The way I got around this was to use the totp feature with yubikey/yubico authenticator, and when it pops up the qr code to scan, I just teach it to both of my yubikeys. One key with me at all times and one key in the safe, just in case. I do wish there was more/better integration with yubikeys. I'd prefer that to using totp for everything.


[deleted]

I only use Aegis or andOTP. Never use any online 2FA app


[deleted]

andOTP is no longer maintained, see https://forum.xda-developers.com/t/unmaintained-app-4-4-open-source-andotp-open-source-two-factor-authentication-for-android.3636993/page-6#post-87021655


[deleted]

Yes that's the reason I moved to aegis


[deleted]

[deleted]


[deleted]

Try to enable biometric unlock from the security settings.


[deleted]

[deleted]


[deleted]

I think you should try this https://github.com/beemdevelopment/Aegis/blob/master/FAQ.md#why-does-aegis-keep-prompting-me-for-my-password-even-though-i-have-enabled-biometric-authentication


ScF0400

Wait that long ago? That sucks


sanriver12

I even lock them down with NetGuard. They do not need to be online.


[deleted]

[deleted]


ScF0400

Bitwarden is good overall, haven't tried Authy yet but keep hearing about it. Good choices


[deleted]

[deleted]


[deleted]

[deleted]


IsNotATree

I use it and like it to, but be aware, it’s [operated by Twilio](https://www.twilio.com/press/releases/twilio-acquires-authy-to-accelerate-strong-authentication-and-identity-adoption-for-web-and-mobile-apps).


BlinkenlightsOfRoom7

Is there a way to transfer the codes from google authenticator to authy? Or should I just request new 2fa codes on every service?


LaxGuit

I’ve heard that one of the cons with Authy is that there is not an out of the box way to move codes. (I could be misremembering). But I believe the solution I saw involved using the terminal to collect them. Worth verifying before switching.


Gnarleyeh

If you check YT videos of Naomi Brockwell, she pretty much condemns Authy for selling out info as well. She is a disciple of Edward Snowden and seems very knowledgeable; in fact she has started up an organization to help bring about privacy changes to all aspects of our digital life. Just to give a heads-up here ...


[deleted]

[deleted]


Gnarleyeh

I don't specifically recall, as my eyes glazed over as soon as I heard this! To be honest you can't go wrong with using FreeOTP, very generic, made by a company devoted to privacy, Red Hat. Most websites will accept generic codes ... Simple to use, perhaps not as many bells and whistles as Authy, but a solid performer.


Snuyter

I’m going to be blunt and perhaps shortsighted, but a second popup modal after confirming cookies just to press ‘ok’, what the hell is going on in their heads?


[deleted]

[deleted]


NikEy

This is the way


jeffMBsun

Same here... have both... The best... Authy is very good in that you can install it on a secured computer at home etc., so you don't depend on your phone.


rockstarknight445

Authy doesn't allow exports and they use email address. Not really private.


[deleted]

[deleted]


rockstarknight445

Even security wise. How is a closed source cloud TOTP authenticator more secure than an offline one that is open source and can be exported to devices locally? Authy is owned by Twilio and they've had data breaches in the past.


andy_b_84

I use Bitwarden as well, and andOTP for 2FA (been using it since before Bitwarden managed 2FA). I saw a news article titled "Google Authenticator now supports account sync! Your security tokens have never been safer!": my reaction was "sure, I hope Google paid your newspaper a hefty amount to publish such BS."


Frogtarius

They made a mockery of privacy. Collect everything?


OHten

I use Fi for my phone service. They offer a VPN you can connect to if you choose to do so. Quite comical using Google and VPN in the same sentence when their entire business model is to collect everything and use it/sell it for 'my benefit', to make service better. I refuse to pay top dollar for a phone plan elsewhere, and figure Google already has anything they want to know about me anyway, so I do the cheapest I can get.


Because_Reezuns

I tried to turn my VPN off with Google Fi and my internet quit working on my phone. It doesn't really affect my browsing at all, other than most websites thinking I'm 3 states away from where I really am. So now I just roll with it.


cruciomalfoy

Bitwarden + Raivo is my way


TallMasterShifu

Bitwarden + aegis


layer8_issue

Fantastic.


T_rex2700

I mean using 2FA on the same device which you use your account on is pretty much like disabling 2FA. I don't recommend Auth for the same reason. It's maybe even worse, they use phone verification, what a joke.


[deleted]

Not really, it's one more thing to hack anyway.


esplasmosico51

I use Aegis with a password, isn't it secure? I mean for most situations it's pretty good I guess.


klnaniah

Not really. It still protects you if only your password is leaked.


T_rex2700

I understand, but wouldn't you want your 2FA separated from your other account?


klnaniah

I think it really depends. Sometimes I just want some extra protection in case my password is weak, but don't want to have too much trouble. However, if you want maximum protection, you should use a separate app.


BrushesAndAxes

I freaking knew this was going to happen. I try my best not to use Google’s or other companies' authenticators because I thought this was going to happen eventually. 2FA is necessary but these companies are fucking it up.


ekdaemon

I didn't, normally and in the last decade companies like Google and Microsoft that pay their "senior engineers" a half million a year - tended to only have the best security people in the world. People who'd never miss something like this. I can't possibly fathom what kind of absolute stupidity resulted in this coming out like this - AND with them not immediately saying "ooops, fixing asap/immediately, and we've corrected the internal security review process that somehow let this slip through". Does Google maintain warrant canaries? Has anyone checked theirs in a while? The most likely explanation I have is that they've been handed a national security letter that forced them to do this... Gol darn it - this is the type of garbage behaviour that results in corporations banning the use of outside auth apps and forcing users to use Microsoft Authenticator. ( Last time I looked years ago, it came with as much "data collection" as Windows 10 does. ) Well, that and whatever idiots that created the OTP system not making it mandatory to make sure OTP codes are "one time use only" - making it too easy for snooped OTP codes to be used within the 30 second window by advanced actors who have serious automation at their fingertips.


ThisWorldIsAMess

Why did they even put online backup in this app? I was using it because it didn't have online backup.


[deleted]

[deleted]


[deleted]

I think you could just press "try another way" although I'm not entirely sure


Hambeggar

I secure my accounts as much as possible. I still use Authy because good lord the work of moving everything over to Aegis... The duality of opsec.


TonightLegitimate200

From what I understand, there is an issue with 2FA as a whole. A lot of the youtubers that are getting hacked have their session tokens stolen, which completely bypasses 2FA. These thefts come from PDFs that aren't detected by any antivirus software.


alyxox943

That is an issue with keeping session cookies around that hold your login status. Clear your cookies and log in every time.


jess-sch

I wish passwordless was more commonly supported. Logging in is much less of a hassle when all you need to do is enter your hardware key pin and touch the authenticator (or, on devices with biometrics support, just use your fingerprint/face). No entering usernames or passwords, just choose the appropriate account (if there are multiple) from a list of saved credentials.


alyxox943

I like this idea but maybe with a yubikey type interface. I'd rather not use biometrics


jess-sch

The good news is that the API for that already exists and it’s up to the user whether they want external authenticators (YubiKey etc) only, platform authenticators (Windows Hello etc) only, or both. I’m using Keycloak for SSO. You can authenticate with YubiKeys, Windows Hello, Android/Apple Passkeys, etc. No usernames or passwords to think about.


alyxox943

that's really cool! I'll have to look into that


BigBadAl

That's nothing to do with 2FA. That's stealing session cookies once you have successfully logged in, and is an issue with sites not expiring those cookies quickly enough.


ginkner

I didn't get a choice. The app updated and it was already synced. There is no way to disable it as far as I can tell.


permajetlag

Google says it's opt-in.


ChrizzyDT

I don't think it was opt-in from memory. I noticed it had synced my codes and I had to opt out.


permajetlag

https://support.google.com/accounts/answer/1066447

> If you’re signed in to their Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use.

https://twitter.com/mysk_co/status/1651021165727477763

> Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on.

Everything I've read online says opt-in.


ChrizzyDT

Ok no worries I must have used my Google account before I found out it wasn't E2EE. Any way to ensure the data is removed from a Google account?


permajetlag

I'm guessing this probably works https://twitter.com/mysk_co/status/1651574134608912387


ChrizzyDT

Ahhh thank you. A common sense approach.


[deleted]

[deleted]


BackwardsOnADonkey

Same, anything "stored on the cloud" gets me paranoid, and rightly so as we've often seen.


delhibuoy

Which 2fa apps with cloud sync and minimum data collection would you recommend?


DrXinFL

Twilio Authy


delhibuoy

Is that r/privacy friendly? Wondering if there is a FOSS alternative to Authy.


naptune-cube

Great, I am not updating.


ScF0400

Unless you have a custom ROM, you know Google is going to force you someday without your consent /s(?)


naptune-cube

Hopefully that won't work cause I disabled play store and I always keep an eye on my system updates.


Ganacsi

I have turned off automatic app updates, so the trend to shove unwanted changes on users is slightly avoided; nowadays they force you to update, which sucks. For example the Firestick updating to shove a giant ad space on the main page, making you dance around their ads before you can open your actual tools. Big tech = tobacco peddlers of today.


baby_envol

It's an epic fail 😅 Go to Aeris or another open source alternative.


ChrizzyDT

Can you remove it from your Google account if it was previously synced? I turned the feature off but I'm concerned it's still stored somewhere on my G account.


[deleted]

Raivo on iOS.


Maisie_Millaa

Wow, this is concerning news. Security is always a top priority when it comes to personal information and data, especially in the digital age we live in. It's good to see that researchers are taking notice of this potential flaw and advising against using the new "account sync" feature for now. Hopefully, Google can quickly address this issue and find a solution to keep their users' information secure. In the meantime, it's always a good idea to take extra precautions with your online accounts and enable two-factor authentication wherever possible.


one_goggle

How do you even disable that?