HACKER Q&A
📣 brundolf

Recommended two-factor authenticator app for personal use?


I haven't really looked into authenticator apps before, but with the increases in SIM-jacking I think it's time. I don't use Google, so Google Authenticator is out. I use Duo at work; can you use that for arbitrary personal services? Are there other apps that come recommended?

Also, just general questions: are these apps usually free (if not, free isn't a hard requirement)? Is there some standard, or does each service only support a subset of apps? What happens if you lose your phone?

Any info is appreciated

Edit: One more question: I see rumblings from some people about using password managers as an alternative to 2FA apps. Is that a valid strategy? Does one make the other redundant?

Edit 2: I found this excellent deep-dive on the overall mechanism and the major players: https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/ Based on this I'll probably go with Authy


  👤 remuskaos Accepted Answer ✓
Aegis, it's FOSS and supports encrypted backups. Migrating to a new device is trivial.

Best of all: it even supports 7-digit TOTP that previously required Authy (I think Cloudflare and HumbleBundle use this variant).

https://github.com/beemdevelopment/Aegis


👤 slyall
A vote in favour of Authy. Works well and easy to transfer to a new phone (I even did it when my phone died while overseas). It even has a desktop version (which I use on Linux).

👤 taubek
Authy is a good choice if you want to use multiple devices, e.g. mobile and desktop. It is rather easy to add a new device or to make a backup.

Password managers, such as 1Password, do offer 2FA. For those password managers that have free versions this is sometimes a paid add-on. Using a password manager also for 2FA can be a little bit risky, but you can also use a password manager only for storing 2FA or even use two password managers (one for 2FA, the other one for passwords).


👤 hkc
Aegis on Android via F-Droid - https://f-droid.org/en/packages/com.beemdevelopment.aegis/

Raivo OTP on iOS - https://apps.apple.com/app/raivo-otp/id1459042137 It has a Mac app too, which just reflects the OTP and doesn't store data on it.

Both are FOSS. Both allow you to copy the seed. What else does one need?

Here's a good video about TOTP by Techlore which explains why going with Authy is a bad idea - https://www.youtube.com/watch?v=iXSyxm9jmmo


👤 bijant
I used Google Authenticator some years ago on a phone that broke. At the time I was unable to restore it to my new phone. The proposed solution used to be to authenticate multiple devices (phones with Authenticator, Yubikeys), but to this day many services only allow you to link a single second factor to your account, meaning that upon losing that factor you're required to contact support to restore access to your account. Is there any open source solution that generates a second factor in software and can be easily cloned/restored to multiple devices? Nobody buys a single set of keys for their front door or car. I know why Yubikeys don't offer "spares", but use cases can differ. Are there any Yubikey-protocol-compatible competitors that offer spare keys?

👤 jqpabc123
Maybe my needs are overly simplistic but most any of them will work just fine.

There is no real "magic" here. They apply a secret key (unique to your account) and the current time to a standard hashing algorithm and the results are pretty binary --- they either work or they don't. Those that don't --- well, you've probably never heard of them for obvious reasons.

So dive right in knowing you can move to a new app or a different device at any time by simply copying the key and applying the same standardized algorithm. UI, account setup and other things are mostly just window dressing.

EDIT - I haven't seen it personally, but based on comments here, apparently there are some apps that try to hold your keys hostage. I would avoid any such app like the plague.


👤 AnonHP
You mention SIM jacking, but I see other comments here recommending Authy, which requires a cell phone number and SMS OTP to set it up. Your second edit also says you're going with Authy. That doesn't make sense to me.

With any of these apps, you need to back up the first-time setup code (or the QR code) for each site or platform where you're configuring 2FA. That's how you get the ability to set those up in another app if you lose your device.

If you're on iOS, the latest iOS version (iOS 15) has in-built support to generate and populate two factor codes. If you'd like a separate app, I'd recommend OTPAuth if you're on iOS/watchOS/macOS (the Mac app is a paid one, the rest are free and allow iCloud syncing).


👤 watermelon0
If you use iOS, I can recommend OTP Auth. It's free and also has a great Apple Watch app.

https://apps.apple.com/us/app/otp-auth/id659877384


👤 justinludwig
RE the alternative question: 2FA is _not_ an alternative to password managers -- it's like seat-belts and brakes on a car, you're going to want both. You need a password manager to keep track of the random password you've set for each of the hundred sites you log into; and you should use 2FA for high-value sites in case the password you used for that site gets stolen (like via malware infestation on your computer, or you're tricked into entering your credentials on a phishing page, etc).

👤 mdrzn
I will forever promote Authy as 2FA app, you can restore it on another phone even if your main one is dead.

Don't use Google Authenticator, if you forget to manually backup the keys, they're gone once you reset the phone. Learned it the hard way.


👤 usr1106
TOTP is an RFC, so when sites talk about Google Authenticator you can use any implementation. I use a couple of lines of my own Python and the pyotp package. I audited it just enough to see that it doesn't do any networking.

👤 ajyey
I use Microsoft’s Authenticator and so far have had no problems. I also use 1Password’s built in 2FA functionality which is a little redundant but it makes filling in 2FA code on websites and apps very easy.

👤 donohoe
Even if you don’t use Google, you can use their Google Authenticator app.

👤 videlov
I have been using the Yubico Authenticator for about a year. The really handy part for me is that the OTP codes are generated by the hardware YubiKey, so switching phones is a non-issue.

👤 throwaway81523
I'm using OTP Authenticator which is on f-droid. It is nice. Before that I used a simple python script, but I finally broke down and started using a "smart" phone.

👤 mthrow_123
I have a script I can run on any of my machines to generate the OTP code (so I don't need a phone/app).

👤 diego_moita
Pebble-authenticator.

2FA is a killer application for a smartwatch.

Equally awesome are barcodes, replacing membership cards.


👤 willis936
I keep 2FA in a KeePass database. I use KeePassXC on computers and Strongbox on phones.

👤 BOOSTERHIDROGEN
Bitwarden

👤 gaws
Tofu is the best and only choice for an authenticator app on iOS.