this post was submitted on 30 Jul 2024

Technology


Losing access to Authy leads to another reckoning with Google's security model.

top 22 comments
[–] [email protected] 38 points 2 months ago* (last edited 2 months ago)

This really isn't about Authy specifically.

It's about a possible trend of Apps refusing to run without Play Protect (which GOS can't provide) since it's not a signed Google OS.

It's a worrisome trend, but I don't think it will kill GOS because plenty of apps want to run on Chinese phones which cannot have Play Protect.

Play Integrity, formerly SafetyNet Attestation, essentially allows apps to verify whether an Android device has provided permissions beyond Google's intended models or has been rooted. Root access is not appealing to the makers of some apps involving banking, payments, competitive games, and copyrighted media.

The last paragraph of the article has a bad link, going to reddit and not the GOS page they said they would link... it should be https://grapheneos.org/articles/attestation-compatibility-guide


The more I think about this, the more upset I become. This is removing user agency. Requiring verified hardware and software environments to run code has benefits, especially around security, but if someone wants to do banking from their VM they should be able to. The hardware should only empower user agency, never remove it.
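Since the thread keeps coming back to what Play Integrity actually tells an app, here is an added example (not from the article, GrapheneOS, or any app named in the thread) of the server-side check a relying party runs on a decrypted verdict. The JSON shape follows Google's documented decrypted token layout; the two sample verdicts are constructed, the package name and nonce are made up, and the assumption that a device on an alternative OS yields a verdict without MEETS_DEVICE_INTEGRITY is mine for illustration. Decrypting and verifying the token's signature (done with Google's decode endpoint or Play-provided keys) is assumed to have already happened.

```python
import hmac
import json

# Constructed sample: decrypted Play Integrity verdict from a stock,
# Google-certified device. Field names follow the documented token
# layout; every value is made up for this example.
STOCK_VERDICT = json.dumps({
    "requestDetails": {
        "requestPackageName": "com.example.bank",   # hypothetical package
        "nonce": "c2FtcGxlLW5vbmNlLTEyMzQ1",         # constructed nonce
        "timestampMillis": 1722326400000,
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
        "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"],
        "versionCode": 42,
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                     "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
})

# Constructed sample: same app, same request, on an alternative OS.
# Assumption for illustration only: the verdict carries no
# MEETS_DEVICE_INTEGRITY label, which is exactly what a "must be a
# Google-signed OS" policy keys on.
ALT_OS_VERDICT = json.dumps({
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c2FtcGxlLW5vbmNlLTEyMzQ1",
        "timestampMillis": 1722326400000,
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
        "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"],
        "versionCode": 42,
    },
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
})

EXPECTED_NONCE = "c2FtcGxlLW5vbmNlLTEyMzQ1"   # what the server issued for this session
EXPECTED_PACKAGE = "com.example.bank"
NOW_MS = 1722326405000                       # constructed "current time", 5 s after the verdict


def check_verdict(token_json, expected_nonce, expected_package, now_ms,
                  max_age_ms=120_000, require="MEETS_DEVICE_INTEGRITY"):
    """Evaluate a decrypted verdict. Returns ("allow", []) or ("deny", reasons).

    `require` is the device label the relying party insists on; the strict
    default is the policy the thread is complaining about, and passing
    "MEETS_BASIC_INTEGRITY" shows how a more permissive app would read the
    same token.
    """
    v = json.loads(token_json)
    reasons = []

    # 1. Bind the verdict to this session: the nonce must match what the
    #    server handed out, otherwise a token from another session could be replayed.
    req = v.get("requestDetails", {})
    if not hmac.compare_digest(req.get("nonce", ""), expected_nonce):
        reasons.append("nonce mismatch (replayed or foreign verdict)")
    if req.get("requestPackageName") != expected_package:
        reasons.append("verdict was requested by a different package")

    # 2. Freshness: reject tokens from the future or older than max_age_ms.
    age = now_ms - req.get("timestampMillis", 0)
    if age < 0 or age > max_age_ms:
        reasons.append(f"verdict outside freshness window ({age} ms)")

    # 3. App identity: the binary must be the Play-distributed one for this package.
    app = v.get("appIntegrity", {})
    if (app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED"
            or app.get("packageName") != expected_package):
        reasons.append("app binary not recognized by Play")

    # 4. Device policy: this is where an alternative OS gets cut off. The
    #    label says whether Google attested the OS, not whether the OS is secure.
    labels = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if require not in labels:
        reasons.append(f"device verdict {sorted(labels)} lacks {require}")

    return ("allow" if not reasons else "deny", reasons)


if __name__ == "__main__":
    for name, tok in (("stock", STOCK_VERDICT), ("alt-os", ALT_OS_VERDICT)):
        for policy in ("MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"):
            print(name, policy, check_verdict(tok, EXPECTED_NONCE, EXPECTED_PACKAGE,
                                             NOW_MS, require=policy))
    print("replay", check_verdict(STOCK_VERDICT, "some-other-nonce", EXPECTED_PACKAGE, NOW_MS))
```

The point the example makes concrete: steps 1 to 3 are genuine integrity checks (session binding, freshness, app identity) that any OS can satisfy, while step 4 is a pure policy choice over a label that encodes "Google signed this OS" and nothing finer, which is why the same device passes or fails depending only on which label the app developer decided to require.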

[–] 0oWow 33 points 2 months ago

Um, if you're security minded, you're already staying far away from Authy, so I'm not really sure what the article's focus is.

That said, I'm using 2fa all day long on Grapheneos. No issue. And prior to Grapheneos, I ran rooted and had been using Authy with no issue, so this kind of sounds like an advertisement piece for Authy.

[–] eager_eagle 27 points 2 months ago* (last edited 2 months ago) (1 children)

I don't know why the article chooses Authy to showcase the issue, when it's an app that is trivially replaced by alternatives (if one is patient enough to migrate). Finance and streaming apps are hardly equivalent on the other hand.

"We don't want to punish users of alternative OSes, but there's really no other option at the moment," Wilden added before his blunt conclusion. "Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model."

We know what this is about, and it's not about security. It's about only allowing apps that make shareholders happy.

[–] [email protected] 4 points 2 months ago* (last edited 2 months ago)

Thank you for sharing the Doctorow talk, it's really good

muted something he said... I wonder what it was

[–] [email protected] 26 points 2 months ago (2 children)

Does Authy do anything valuable that Aegis doesn't?

[–] [email protected] 21 points 2 months ago

Authy was arguably dogshit.

[–] eager_eagle 6 points 2 months ago* (last edited 2 months ago) (1 children)

Built-in synchronization of codes and ability to revoke devices.

You'd need to set up e.g. Syncthing to have at least the sync part with Aegis, but the vendor lock-in of Authy is really not worth it.

[–] [email protected] -1 points 2 months ago (1 children)

Bitwarden has a free 2FA app, and 2FA is integrated into autofill with the premium version of the password manager (which is $12/year) and is fully open source and even self-hostable.

Why go through all the trouble of KeePassX and SyncThing when it's literally LastPass without downsides?

[–] eager_eagle 4 points 2 months ago

Aegis and syncthing*

In my case it is because I don't like the idea of having 2fa in the password manager. It partially defeats the purpose of 2fa.

[–] [email protected] 25 points 2 months ago (1 children)

Oh no, who will leak my phone number now?

[–] [email protected] 23 points 2 months ago (2 children)

I'm not sure why the author thinks that Authy is the only option? I've never used it on my phone running Graphene.

[–] AbidanYre 23 points 2 months ago* (last edited 2 months ago) (1 children)

Authy isn't even the best option. Especially if you're the kind of person who is going to run GrapheneOS.

[–] [email protected] 7 points 2 months ago

It's me. My bad. I was running Calyx OS and using authy and also just realized I'm in this boat after switching to Graphene so I finally sacked up and started using Aegis backed up to my nextcloud. I'll be better.

[–] helpImTrappedOnline 4 points 2 months ago (1 children)

Some people don't realize there are alternatives to much of anything - they use what's handed to them and that's that.

[–] [email protected] 2 points 2 months ago

In that case those people probably wouldn't be on Graphene anyways. If they're open minded enough to try Graphene they're probably open to trying new apps such as Aegis.

[–] JoeKrogan 13 points 2 months ago* (last edited 2 months ago) (1 children)

FreeOTP+ is offline and in F-Droid and lets you export the entries you have saved. No third party needed. Just back it up as a habit every time you add a new entry. Store the backup encrypted with gpg or veracrypt or whatever.

[–] [email protected] 8 points 2 months ago

Even to get the fancy always online shit, run your own vaultwarden setup and use bitwarden.

[–] [email protected] 8 points 2 months ago* (last edited 2 months ago) (1 children)

page on their site

links to reddit

~~And Authy is run by Twilio which is owned by Facebook.~~ Don't give corporations control over this shit. They'll take it away whenever they want.

[–] [email protected] 5 points 2 months ago (1 children)

Source? Can't find anything about Twilio being owned by FB/Meta. Looks like they're publicly traded.

[–] [email protected] 3 points 2 months ago

Oh huh. It's not.

[–] [email protected] 2 points 2 months ago

Dang. Really hope this gets sorted soonish. In the market for something new and planned on going GOS or lineage.