As I awoke this morning from uneasy dreams I found that Google had replaced my authenticator app with an anus drawn by Kurt Vonnegut
@mcc Good thing OTP is a standard.
@bob How am I supposed to know which free OTP app to trust if I can't trust my OS vendor :(
@mcc I use Aegis (https://github.com/beemdevelopment/Aegis). The code is straightforward and the crypto is just BouncyCastle. I also use microG LineageOS, so Google isn't *really* my OS vendor.
@bob How much safety would you say "aegis" gives you against this concern? https://mastodon.social/@mcc/110430104840398160
@mcc Cloud backup in Aegis is disabled by default. Instead, by default it backs up to a file (encrypted with your passphrase) that you're supposed to copy to external storage.
@mcc And getting into the app at all requires the passphrase.
@bob Hm. On a non-rooted Android phone, I *think* there is some hypothetical way for apps to split between storage that other apps / adb cannot read and storage that other apps / adb can. It's probably not encrypted like the Apple Secure Enclave, but accessing it at least requires fully compromising the OS. I guess I don't know for a fact which side the Google Authenticator keys are stored on.
@mcc The app doesn't encrypt it itself?

@bob I don't know. (Though if it encrypts it itself, then the question becomes where it stores the decryption key).

I've never looked into this, I just assumed Google, being the operating system vendor, would do something reasonable. But "upload your 2fa to the cloud" does not seem reasonable, so now I know nothing.

@mcc Does it ask you for a passphrase? I've never used Google Authenticator.