@schnittchen What a bullshit PSA

I recommend setting up a free Nextcloud account and storing a KeePass database on it.

Then you can just remember your master password and access it anywhere anytime and securely.

Using Google Authenticator or even FreeOTP sacrifices security, as Google and the upstream developer know your secrets. On KeePassXC you get these from F-Droid, preferably on an Android device that was degoogled.

schnittchen 🏳️‍🌈🐆  

PSA regarding 2FA (TOTP)

@kreyren Language please!

I am moving my TOTP secrets _into_ a password manager. Please read again what I wrote above.

And why exactly would the upstream developer have access to the secrets I enter on my phone? FreeOTP has no cloud feature and no need to move data anywhere off my phone.


@schnittchen

> @kreyren Language please!

That was such a terrible PSA that you deserved that :p

I was commenting on:

> ALWAYS export your TOPT secret (which is hard!) to a 2nd secure location.

which is malpractice, as then anyone who gets hold of your device (like Google, the NSA, etc., who have access to it at all times and remotely) can then have access to all of your other accounts that they might not legally have access to, plus the threat of physical access and 0-days.

The one way you can get secure access to this sensitive data is by opening a user session that stores the processing data in RAM, which makes it significantly more difficult for a bad actor to read, as they then have to interpret binary data (unless the developer doesn't care and just stores plaintext there).

> And why exactly would the upstream developer have access to the secrets I enter on my phone? FreeOTP has no cloud feature and no need to move data anywhere off my phone.

I meant Apple in this case, as you are using their proprietary solutions, which are filled with backdoors and spyware for them to use at any time they want, plus their security is trash.

I consider FreeOTP relatively safe assuming that it's complying with GPLv3 (github.com/freeotp/freeotp-ios), but I didn't read the code to know for sure.

---

So again, depending on your threat model, the solution that I am recommending is:

Get a device that runs Android or even Linux, with components and their wiring that you trust.

In the case of Android, get a trusted 3rd-party distribution such as LineageOS/DivestOS so that you remove all the malware that Google and the device manufacturer put there in terms of software (you might also be concerned about the bootloader).

In terms of Linux (which is significantly better in comparison to Android in terms of functionality and security), I recommend distros that comply with the GNU FSDG.

For the password management I recommend KeePassXC/KeePassDX that you got from a trustworthy source. In terms of Android that is F-Droid, or building the APK yourself, assuming that you configure it to not use Google services.

For the storage I recommend Nextcloud, such as tab.digital, which you can then sync anywhere.

If you don't care that Apple and their creepy friends are constantly watching and listening to you, then I guess anything will work for you as long as it shows numbers *shrug*

FWIW, I would also recommend deprecating your dependence on SIP calls and using e.g. matrix.org for calls and SMS to further surveillance. If you really need to be able to use SIP calls, e.g. to call an emergency number, then I recommend getting a dumb phone with a quick bootup so that it can be turned off when you don't use it.
