Discussion:
Alternative to Authy
Mick Ab
2024-07-22 19:50:01 UTC
Now that Authy is no more, I am looking for a suitable replacement. I have
a Debian Bullseye desktop PC, using a CLI interface rather than a desktop
interface.

Can anyone help with this, please?

I also need to replace Authy on a Windows 11 laptop, so it would help if
any suggestion could cope with Windows as well as Debian.

Thanks very much.

Mike
Jeremy Andrews
2024-07-23 01:20:01 UTC
I switched to Ente Auth, it's working pretty well for me so far.
Post by Mick Ab
Now that Authy is no more, I am looking for a suitable replacement. I have
a Debian Bullseye desktop PC, using a CLI interface rather than a desktop
interface.
Can anyone help with this, please?
I also need to replace Authy on a Windows 11 laptop, so it would help if
any suggestion could cope with Windows as well as Debian.
Thanks very much.
Mike
jeremy ardley
2024-07-23 02:20:01 UTC
Post by Jeremy Andrews
I switched to Ente Auth, it's working pretty well for me so far.
Now that Authy is no more, I am looking for a suitable replacement.
I have a Debian Bullseye desktop PC, using a CLI interface rather
than a desktop interface.
Can anyone help with this, please?
I also need to replace Authy on a Windows 11 laptop, so it would
help if any suggestion could cope with Windows as well as Debian.
Thanks very much.
Mike
I use Google Authenticator as an option in pam to secure ssh connections.

It can be plugged into other services such as httpd and normal cli login.

I expect Google Authenticator also works on Windows.

NB. Google Authenticator does not use any Google cloud services. It is
purely a local application on your machine.
jeremy ardley
2024-07-23 03:00:01 UTC
Post by jeremy ardley
I use Google Authenticator as an option in pam to secure ssh connections.
It can be plugged into other services such as httpd and normal cli login.
I expect Google Authenticator also works on Windows.
NB. Google Authenticator does not use any Google cloud services. It is
purely a local application on your machine.
I just did a quick search about Google Authenticator vs Authy. It seems
an issue is the GA phone client not having a PIN.

In my main use case of ssh connections I have multiple layers of
security so having my phone compromised won't help an attacker.

Using PAM:

1. I require my ssh connection to provide a certificate. I store the
public key in LDAP and use only that rather than any user installed key.

2. I require the user to provide a password that can be local and/or in LDAP.

3. I require the user to enter a 2FA Google Authenticator code.

This can be modified in PAM so that machine accounts only need a
certificate while interactive users get the full security treatment.

Where the login is on a TTY, only password and Google Authenticator are
required.

Where the login is https or openvpn I can require a client certificate,
a password, and a 2FA code.
Max Nikulin
2024-07-27 01:50:01 UTC
Post by jeremy ardley
I use Google Authenticator as an option in pam to secure ssh connections.
[...]
Post by jeremy ardley
NB. Google Authenticator does not use any Google cloud services. It is
purely a local application on your machine.
Do you mean rfc6238 Time-based One-time Password (TOTP) that is
implemented in a number of applications besides Google Authenticator or
some other protocol?
jeremy ardley
2024-07-27 09:00:02 UTC
Post by Max Nikulin
Post by jeremy ardley
I use Google Authenticator as an option in pam to secure ssh connections.
[...]
Post by jeremy ardley
NB. Google Authenticator does not use any Google cloud services. It is
purely a local application on your machine.
Do you mean rfc6238 Time-based One-time Password (TOTP) that is
implemented in a number of applications besides Google Authenticator or
some other protocol?
Yes. It is set up as TOTP on the host.

But the more interesting part is the client application which can do
things like image recognition to read QR codes generated on the server.

I presently use the Google client on Android but I could easily replace
it with FreeOTP with a change to the host plugin.

I read that Google uses 80 bit encryption while the standard is at least
128 bit. I'm pretty sure that is not a problem with my use-case.
