One more step to unhitching from Google…

Right now the only option I see in F-Droid is Aegis.

I’m not sure what to actually look for aside from checking for unexpected permissions and reasonably frequent updates.

Hopefully something I can sync with a GNOME app…

  • 5ymm3trY@discuss.tchncs.de · 17 hours ago

    I just realized the formatting of my last reply got lost somehow, sorry for that. Nevertheless, thank you very much for your response. I really appreciate the insights of a long-time user.

    I switched from Authy to Aegis like 2 years ago, because I didn’t want to rely on an online service either. Similar to something like KeePass, the database is local and you are in charge of making backups and such. But that is also the great thing about it. If your phone dies, you just copy the backup to the new device and you’re golden. I already thought about the switch to a Yubikey back then, but didn’t go through with it.

    With regards to the backup key, Yubikey recommends saving (screenshotting) the QR code that is generated during 2FA setup to set up the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

    Yes, always plugged in works of course, I just meant that you are somewhat compromising the security that you have gained by using dedicated hardware. But as you said, if touch is enabled and the key is password protected you are probably fine. In the end this always comes down to an optimization problem between security and convenience that everyone has to decide for themselves.

    • ohshit604@sh.itjust.works · 16 hours ago (edited)

      With regards to the backup key, Yubikey recommends saving (screenshotting) the QR code that is generated during 2FA setup to set up the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

      Just looking back at my purchase history, I got my Yubikeys back in January 2020. It appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless, in certain circumstances my keys do the exact same thing, and I’m quite sure I followed some guide to create one primary and one secondary key, but it’s possible that guide has gone outdated.

      Similar to something like KeePass, the database is local and you are in charge of making backups and such.

      I can totally respect the folks who opted to self-host. I’m horrible when it comes to backing up data and such, and self-hosting wasn’t really my thing back in 2020, so it never really was on my radar.

      In the end this always comes down to an optimization problem between security and convenience that everyone has to decide for themselves.

      Couldn’t agree with you more; everybody has that dial between convenience and security and should adjust accordingly.

      • 5ymm3trY@discuss.tchncs.de · 15 hours ago

        Regardless, in certain circumstances my keys do the exact same thing, and I’m quite sure I followed some guide to create one primary and one secondary key, but it’s possible that guide has gone outdated.

        Yeah, maybe this guide wasn’t there when you bought yours, or it is outdated. Problem is, you have to set up the 2FA from scratch for these accounts if you don’t have the QR code anymore. Might still be worth a try to really get two identical keys.

        you are in charge of making backups and such. I can totally respect the folks who opted to self-host. I’m horrible when it comes to backing up data and such, and self-hosting wasn’t really my thing back in 2020, so it never really was on my radar.

        Aegis is still an app on your phone. It just is not connected to an online service, so you control the database file yourself. It of course always depends on your setup, e.g. if you have a single device that acts as your 2FA “key” and keep offline backups of the database, you don’t have to host anything. If you want to authenticate with multiple devices and add new accounts often, some form of automatic sync might be helpful. Even though I like the app, I don’t want to convince you of Aegis. I just didn’t want to paint the wrong picture.
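An added illustration, not from any poster in this thread, of why a saved setup QR code lets a spare key or a restored Aegis database produce the exact same codes: the QR encodes an otpauth:// URI carrying the shared TOTP secret, and every authenticator provisioned from it computes RFC 6238 codes from that one secret. The sample URI is constructed here using the RFC 6238 test-vector key, so the label, issuer and secret are not real account data.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA setup QR code encodes. The secret is the RFC 6238
# test-vector key ("12345678901234567890" in base32), not a real account's secret.
SAMPLE_URI = ("otpauth://totp/ExampleService:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService"
              "&digits=6&period=30&algorithm=SHA1")

def parse_otpauth(uri):
    """Return the TOTP parameters stored in an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    return {"label": unquote(parsed.path.lstrip("/")),
            "secret": q["secret"][0],
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0]),
            "algorithm": q.get("algorithm", ["SHA1"])[0].lower()}

def totp(secret_b32, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HMAC of the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def codes_from_same_qr(uri, unix_time, devices=2):
    """Provision `devices` authenticators from one saved QR code and return each
    one's code. Sharing the secret, they all produce the same value."""
    p = parse_otpauth(uri)
    return [totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])
            for _ in range(devices)]

def verify(uri, submitted, unix_time, window=1):
    """Server-side check: accept the current step and +/- `window` steps of skew,
    compared in constant time. Any key enrolled from the same QR code passes."""
    p = parse_otpauth(uri)
    return any(hmac.compare_digest(submitted, totp(p["secret"], unix_time + k * p["period"],
                                                  p["digits"], p["period"], p["algorithm"]))
               for k in range(-window, window + 1))
```

Without the QR (or an export of the Aegis database), the secret is unrecoverable from the codes themselves, which is why the poster's accounts would need 2FA set up from scratch.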