Password managers and authentication tools

You have heard it probably many time: you must use a unique password (and if possible several different email addresses or at least email alias) for all your online accounts. As each password must be unique, long, strong and often with special characters, there is no way you can remember all of them. To do so, you need to use a password manager that will store all your password in a vault (kind of archive file of your passwords). But as a login and password doesn’t change often usually there is a risk that it might be compromised at some point. And even if you would change it several times a years, there is a risk of phishing attack, it means someone fake the website or app you would like to use to trick you into logging in with your account and give access to it. To prevent this you need to use a second factor authentication (2FA), preferably U2F FIDO2 or if not offered by the service at least TOTP (that give a second password that change every minute on a security key or an app on your smartphone).

Password managers

Keepass XC
https://keepassxc.org/
One of the best fork of the most famous open source and offline password manager. You can create a kind of card for each of your account of secret key to remember and for each card you can enter as much information as needed, including files if you want to. With some add-ons, it can even autofill the password field on the website you are visiting, checking by the way that you are not on the wrong website, reducing the risk of phishing attack. The only downside, as it’s offline, you will a have to manager your password archive, make regular, if possible automated, backups of it and if needed sync it on all your device (with Nextcloud or Syncthing for example) to have access to the latest saved version at any time. Be careful to note down your master password (the password to decrypt your archive) and backup any additional key file (if you choose that option to have a stronger encryption) on top of having a backup of the archive, of course not stored in the same place! If you loose any one of these, you loose access to all your password forever.

Keepass2Android
Keepass2Android PlayStore link
As you will definitely need to access your password vault made in Keepass (XC or any other version) on your smartphone, here is my favorite open source Keepass app for Android. Unfortunatelly it’s only on the PlayStore and not on F-Droid (alternative store with only free open source app) but you can certainly get it from another source or using Aurora to access the PlayStore catalog (and this one is on F-Droid).

Keepass DX (Android)
https://www.keepassdx.com/
Another free open source option for Keepass on Android. This one is available on F-Droid. I used it for some times but moved to Keepass2Android for some practical functions that were missing on Keepass DX. Thus I think it did catch up since then so it should a good alternative if not better. Try by yourself which suit you the best.

Bitwarden
https://bitwarden.com
If you prefer the comfort of a password manager that is accessible online and sync automatically for you. Bitwarden is my top recommendation. The app and server is open source, you can use the app for free, even host your own server, but if you prefer to use the cloud from Bitwarden and don’t worry about backups and risk of loosing your archive, you can use their own cloud as well. Like Keepass or any other respectable password manager, you are the only one in control of your master password (archive password), so make sure you note it somewhere safe in case you forget it, otherwise you will loose access to your passwords permanently, but it’s a good thing, otherwise your passwords might be accessible to anyone following a data breach or by a malicious actor from the inside. Bitwarden offer a premium account for 10€ per year that offer additional features, like 2FA to access your password vault.

U2F FIDO2 security key

Universal 2nd Factor (U2F) is not an app or a service, it’s an open standard to have stronger and easier two-factor authentication (2FA). It comes in a form of a USB key that you keep always on you. When you login to a compatible service, you enable in the setting the U2F as a second factor authentication and register your security key by inserting it to the USB port and pressing physically a button on it. Each time you will login after than, you will need your login, password and press physically on the security key unique button, to prevent any access from a hacker that might have gain access to your device remotely. You can register more than one key per service and you can register the same key to as much service as you want. It’s even privacy friendly as it’s impossible to tell from the service side that it’s the same key registered on different services, so they cannot identify you by the key use between several service. As it’s an open standard, any manufacture is free to create its own key and sell it as long as they respect the standard they will all do the same. However some brand and models offer additional features like TOTP code storage (see below), hardware PIN protection or fingerprint protection as well as various form factor like USB, USB-C, lightning sometimes with NFC for use with smartphone without connecting to the USB port.
Note that if you loose your U2F security key, you loose access to your account, unless you setup another 2FA method like TOTP (see below) or recovery password that you store somewhere safe (not in the same archive as you password if possible, ideally offline, even on a piece of paper with two copies in two distant locations). Alternatively you can setup several security key (usually two, sometimes more) and keep one always on you and one always at home or in a safe place.

Compatible services are still limited but growing each day with all hacking and data breach happening these days. Most famous are Google, Nextcloud, WordPress, GitHub, Microsoft account (including passwordless Windows unlock), Microsoft Azure, Amazon AWS, Dropbox and even Facebook (the security-friendly privacy-disaster).

Yubikey by Yubico. I use the Yubikey 5 NFC model, it’s a most complete model and the most famous brand, they are from Sweden. I bought two of them to have a backup but you might use one and keep backup codes and TOTP as backup as anyway you might need them to connect from a mobile to some services.

Token2 is another brand, from Switzerland, it offers cheaper version both with a U2F only model and with an more advance one that add TOTP and other options.

OnlyKey is another interesting product, that offer a (thus larger) security key with 6 physical buttons that allow you to protect your security key by a PIN and can also store some static password storage by registering one password to a given number you enter on the pad. The key act like a physical keyboard and type the password for you, on top of the usual U2F login function. You can even set a fake PIN that will erase the device in case you are forced to unlock it. I like this option a lot, it’s made for paranoid but it makes your life a bit more complicated as you will still need a password manager in parallel for all other account that will not fit on the key (you can store 24 accounts on it) and you have to remember the number for each one of them as far as I understand. So I’m not using it at the moment, I might try it in the future.

TOTP and other 2FA

As said above only a handful of services are compatible with U2F FIDO2 but using a second authentication factor is still widely with other technologies and you should already be familiar at least with the most basic methods.

SMS is often used as 2FA in many services, including Google, Microsoft but also some banks, public services and many other services. it’s bare simple, you give your mobile phone number and then at login you are asked to enter your login and password, then a code is send by SMS on your mobile and you have to copy it to finish the login. The advantage is that you most people already have a mobile phone and most probably have it always with them thus are able to get a code (when the network is available of course). But they are more disadvantages countering this facility of use. It’s less secure for login on mobile as if someone get access to your mobile phone and get you password, he can login and be able the SMS code. Even without unlocking your phone you might by default be able to read the SMS from the lock screen without unlocking the phone or even on a smart device like a smartwatch or car radio. Even if nobody can come close to your phone, it’s not impossible to get control of your mobile phone number and get the authentication code without compromising any of your device. Someone might do some social engineering (pretending to be you) to get a new SIM card of your phone number from your operator or even directly intercept SMS code send in clear over the GSM networks as SMS are using an old protocol from 1984! On top that from a privacy point of view, having to give your mobile phone number to some services might not be suitable.

Email 2FA is also used by some services, especially to login from a new device, you get a code on the email you used to register to the service to validate the new login from a new device or IP address. For similar reasons than SMS 2FA, your email might be already compromise if your service login is compromised (even if you respect the good practice to use a unique and strong password for each service). Often email account are always log on mobile device and computer for convenience of the user. So if a hacker get access to one of you device, this 2FA is already compromised as well, unless your email account is always logged out and email app protected by a separate password or at least bio-metric lock, but this is rarely the case.

TOTP is the most used 2FA recommended after U2F. OTP stand for One Time Password and the T is for the Time variant. Basically it’s a tool that take a secret key as an input (entered once at setup) and generate a code (usually 6 digits) that change every minute. It can be on a keychain, in an app on your mobile, in your password manager (not recommended, if you password vault is compromised, you loose your 2FA security as well) or in your Yubikey or other security key used for U2F if compatible. This 2FA method is used in many services nowadays and it’s recommended to use it whenever U2F is not available or as a backup login for U2F (forgot your key home, lost them and have no backup key, U2F not compatible on a device/browser…). Note that sometimes this method is called Google authenticator but don’t be scared, Google was one of the first to use it and create an Android app to generate your codes but they didn’t create it. It’s a standard created by Initiative for Open Authentication and can be used with many open source app, I will give some recommendation below.

TOTP is very reliable but still has some drawback. As U2F it works only for services where you login to a server, because on the server side there must be the counter key (to say it simple) that will allow to validate the one time password entered. Unless U2F, in addition the generating device need to have access to the date and time and it must be synced with the server time with at least one minute precision. As the code is generated based on date and time, if your device have the wrong time, it will generate an old or a future code that will not be seen valid by the server. Finally from a security point of view TOTP as as secure as the decide where you store them, usually your mobile phone, with some options to protect your TOTP app with a PIN, password or (slightly less secure) biometric to unlock the generation of TOTP codes. So you have to take care how your manage your TOTP private key and how the app works to make backup to be sure that an hacker don’t access private keys and be able to generate your future codes without the need to access your device again. Finally TOTP is not protecting your against phishing attack. If your end up on a fake login page of a service and didn’t notice that the address is wrong or the certificate not from the intended service (who check them systematically?), nothing prevent your from entering your login, password and the one time password and then your account is compromised. U2F prevent that as you are not able to use your FIDO2 key to login if it’s not the legit service asking you to sign the message with your key (the key will not “recognized” the service and will not give a valid code to login on the real one). on a privacy point of your, TOTP is offline and on your devices, no concern to have in this regard, it’s impossible for Google (if you use TOTP to login to Google) to know that you use the same device to login to other services with the same TOTP app (Google has other way to know everything about you, but that’s another story). So let’s dig in some options to use TOTP in the best possible way.

List of TOTP hardware and app recommended

U2F key with TOTP support. First, if you already use (or plan to use following my recommendation) on of the U2F key above, they all offer one or more versions compatible with TOTP as well. It might be slightly less convenient than using a mobile app but it’s more secure as the private key needed to generate the one time passwords are stored in the hardware device and it’s impossible (extremely difficult at least) to get it back from the key after the initial setup. This is also an inconvenient as you has to make sure your setup all your TOTP in all of your U2F key and you might need to redo the complete TOTP setup for all your services if you need to replace or want to use a new key in the future (unless you back the private keys somewhere else in a safe place; not in your main password vault if possible). Usually you need a special app on your mobile and computer to be able to select the account for which your want to get a one time code, double click the account in the app, touch the key physically or scan it by NFC and then paste the code in the login field after entering your password. It’s quite convenient and as long as you get the habit to carry your U2F key always with you and have a backup at home, it might be worth spending a few more for a model that support TOTP as well.

Keepass (see above) is also able to store your TOTP private key and generate OTP code when needed. Thus you should only store TOTP key for services that are not so critical in the same password vault than the one you use for the same login and passwords. Maybe for your Nintendo account, Twitter or shopping service that might be already good enough but why take the risk? For sure avoid to store in the same vault the password and TOTP for main email accounts, bank, cryptocurrency exchange , domain name registrar and other critical account. If you want to use Keepass to store and generate your TOTP codes, which I don’t do but I know some do, your should setup a second separate Keepass vault with a different password and open the first one to get the login and password and the second for the TOTP code. If find it not convenient, especially on mobile but it might be worth it as a backup vault for all your TOTP in case your use a U2F, so you can always get back the private key in order to setup a new U2F TOTP hardware key in the future without resetting the 2FA setup from the service itself, forcing your to reconfigure all your key and apps and make new backup in some cases.

andOTP is my favorite Android app for OTP. It’s free and open source, available from F-Droid and Play Store. It allows you to manage your account by tag (to filter out the most used ones), order them by most used. The secret keys are encrypted on the phone and you can protect the access by a PIN or password (that should not be the same as your phone PIN/password). So if someone get access to your phone, he still need the andOTP password to generate the one time password or to export your private key. andOTP offer to make encrypted backup and allow to use OpenPGP to encrypt the backup so you don’t have to store yet another password in your password manager. It’s my favorite app, thus I use it mostly as a backup as I know store my TOTP key on my Yubikey.

Aegis Authenticator is another valid option for Android that is free and open source and used by many. It has the same level of security with local encrpytion of the private key and app protected by a PIN, password or biometric, like andOTP. It also offer the possiblity to export your database in order to make a backup but not to encrypt it with OpenPGP (as far as I know). I don’t use because I was already used andOTP that I like slightly more and my Yubikey as the main 2FA tool.

For iPhone users, I didn’t test it yet as I don’t use Apple device myself, but after some research one of the best free and open source option for iOS is Raivo OTP. It has a nice interface, the possibility to lock the app access and an export functionality for backups.

Other apps like Google Authentificator, FreeOTP, Authy, … that I found and tried are not recommended either because they are not free and open source, they don’t allow the lock the app access and encrypt the key on your phone or they do backup in the cloud, something I would avoid when possible, I prefer to manage my backup myself and don’t relay on third party that are more prone to be targeted by a hack or willing to sell your data somehow.

As a sum up, I’m currently using Keepass XC on desktop and Keepass2Android on mobile as password manager plus a pair of Yubikey 5 (for U2F and OTP) and andOTP (mostly as backup) to secure my online accounts. It’s also important to manage the backup of your password vault and TOTP key, for this I use my own Nextcloud instance hosted at home with a backup on another site. I also keep an old Android phone at home with a copy of my Keepass and andOTP (sync manually from time to time) that might be useful in some critical recovery scenario and it also save me some times in case I have to re-install my everyday phone from zero for any reason as I can restore many app and backup from the second phone directly.

You can find all these tools on the Tools and links page, it will be a reference page regularly updated.

Don’t hesitate to leave a positive comment if you like this article (always appreciate) but also if you don’t like, find a mistake or if you would like to share another tools or good practice that you use to secure your accounts.

If you like this article and don’t want to miss the next ones, use your favorite RSS reader to subscribe anonymously to the blog, every new entry will be added to the feed automatically. If you prefer social media (but don’t spend too much time on them) you can follow @eluc on Mastodon or @ElucTheG33k on Twitter.

You may also like...

2 Responses

  1. Rastacool says:

    Thank you for all these tips.
    3 questions:
    *) Do you know if there is a way to switch from Microsoft Authenticator to andOTP without having to reset everything?
    *) Are you using Yubico as an additional security layer with Bitwarden?
    *) Finally, do you host your Bitwarden or do you pay the subscription?

    Thanks,
    Rastacool

    • Eluc says:

      Hello, thanks for the comment.
      I never really used MS Authenticator so I cannot says if it’s possible or not. Looking online didn’t give me a clear answer either. My first TOTP app was Google Authenticator and unfortunatelly I had to reset all of them at the time to migrate. andOTP allows you to see the secret so you can always import it somewhere else if whished. Which could also be a small risk in can you don’t secure andOTP properly. OTP stored on a Yubikey in contrary, can never be exported, you have to backup the secret or use a recovery method (like recovery code list) to reset it in case you lost or damage your Yubikey.

      I use mainly Keepass and yes I have setup the Yubikey as additional security for some vault. I sync my keepass vaults with Nextcloud but I did use Syncthing in the past and it was also very efficient, espacially if you have no real server, just be sure one of the synced device is off-site and as much as possible online (you could even sync with the phone of another family or friend living in a different place, they don’t have your password/Yubikey shared secret anyway).

      I use Bitwarden on the side for some services but it’s self hosted with local access only, so I cannot use WebAuth (Yubikey) as 2FA, for this a domain name with valid certificate is required I think, so external access needed, which I don’t want.

      To be honest I would gladly use Bitwarden service and pay the subscription (which really reasonnable), it would be easier and less risk to lost access (server offline, data loss, problem with Yubikey, …). However when I was about to shift, I figured out that there are 1-2 functionallies that I would miss vs KeepssXC. The main one would be the auto-type feature to fillup login+password on any windows or even on website not compatible. I don’t like to copy+paste password which end up in the clipboard accessible to other app on the PC. And I even use this feature to auto-type other things beside password, like a poor-man AHK script.
      But if you can leave without it, I would recommand Bitwarden for its ease of usage and excellent reputation over Keepass that is more complicated to sync and backup properly as you have to manage it yourself.
      Maybe I will change if they implement that.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.