this post was submitted on 28 Oct 2023
6 points (100.0% liked)

Self-Hosted Main

511 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

Yesterday, I accidentally removed an authenticator app from my phone. Fortunately, I have another copy of the app on a different device. It made me realize how easy it is to lock myself out of my accounts. Do you think it's a good idea to create a Windows VM with an Android emulator on it and install copies of all my authenticator apps, this will not cause any security issues?

top 22 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

You should be backing up your secrets to some type of app like Vaultwarden or KeePassXC.

And you shouldn't need to VM host an android OS just to have a secondary means of authenticating. There are plenty of apps out there that support adding your secrets.

Vaultwarden, Bitwarden, KeePassXC, or hell, a Yubikey 5 device and then use Yubikey Authenticator.

[–] [email protected] 2 points 1 year ago

How do you back up your secrets? Do you have to do it at the time you first see them?

[–] [email protected] 2 points 1 year ago (3 children)

why not consolidate your auth apps?

i use selfhosted vaultwarden (with backups ofc) for everything, except for vaultwarden, which is protected by authy . and authy can be backed up easily

[–] [email protected] 1 points 1 year ago

Instead of authy, may I suggest Ente Auth. It works the same as authy but is open source.

[–] [email protected] 1 points 1 year ago

I backup the data but not the apps

[–] [email protected] 1 points 1 year ago (1 children)

Sane MFA apps explicitly disallow their data from being backed up. That would be a massive attack vector if it was possible.

[–] [email protected] 1 points 1 year ago

Which is exceedingly dumb IMHO. Sure it would be a vector, but it's a vector to something that should be an additional step to username and password. Idk, I use vaultwarden and find myself worrying less about "what if?". I'm also enabling TOTP far more often now that I can easily add it to my phone and have it sync to other systems.

[–] [email protected] 2 points 1 year ago (1 children)

Instead of an android emulator, you could self-host a 2FA web app like https://github.com/Bubka/2FAuth

[–] [email protected] 1 points 1 year ago

I think that would be the best option for what the OP is looking for. A web accessible version for OTP codes. Problem is then you have to protect that page somehow. That repo shows it can use Yubikeys for AuthN, which IMO is the best way to protect it.

I personally put my TOTP seeds in Vaultwarden. Then they sync over to whatever device I'm on. Just protect your Vault login however you need per device.

[–] [email protected] 1 points 1 year ago

I use the totp in keepassxc for Backup and PC use

[–] [email protected] 1 points 1 year ago

I use Authy 2FA because it syncs across my devices so I have the codes on my PC & phone. Would definitely recommend!

[–] [email protected] 1 points 1 year ago

Ente Auth - an Open Source E2E 2FA Cloud app. It even has a web app. Highly recommended.

[–] [email protected] 1 points 1 year ago

for semi serious accounts i use the inbuild totps from bitwarden premium (knowing full well that if someone gets access to my bitwarden he gets access to those accounts - but its just sooo damn convinient)

for super serious accounts i use yubikeys (3x) with fido2 if supported and if not at least totp through yubikey with their app.

[–] [email protected] 1 points 1 year ago

I self host Vaultwarden and when adding the QR, I add it to my free account with LastPass Authenticator app at the same time. Both back up so if my phone dies, I don't lose the 2fa.

[–] [email protected] 1 points 1 year ago

Just use a sane authenticator app that lets you export the keys, and backup those safely.

I've been using aegis which is available on F-Droid. Whenever I add a new "critical" account I make a backup of the data. That's it.

[–] [email protected] 1 points 1 year ago

Use the aegis authenticator. Its opensource an you can setup periodic export of encryptrd 2fa vault. Then you can integrate it into your existing backup flow

[–] [email protected] 1 points 1 year ago (1 children)

That is the reason why I don’t self host my password manager: my 2FA passwords are in there, very conveniently and independently of any other device. I trust 1Password with that.

[–] [email protected] 0 points 1 year ago (2 children)
[–] [email protected] 1 points 1 year ago (1 children)

So? No customer data got leaked. And even if the vaults would get leaked (which they didn’t), they are 2FA encrypted.

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

Encrypted and 2FA protected.

[–] double_oh_walter 1 points 1 year ago

lol. did you really read the article you linked?