I use Aegis, it works well
I like Aegis.
Bitwarden. I don't self host it, though. $10 a year for password management and 2FA is fine by me.
I've been using KeePassXC. I use Syncthing to keep the database synchronized between computers.
Same here. If it's TOTP based 2fa, you can keep them in entries and use them from there.
Tbh, if you're using the same DB for PWs, you've successfully downgraded to 1FA now. Except maybe if you use a separate KeyStick/Yubikey as secret bearer or smth
More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn't compromise full access to your password database, which is still a lot better than using just passwords without a second factor.
that's like calling strong randomly generated passwords 1.5FA.
with proper MFA, even if you steal my password (database), you won't be able to steal my account, as you're missing the second factor. with classic otp this is just a single use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.
password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they're not extracted live. password managers with auto fill and phishing resistant MFA can prevent phishing, although the password manager variant is still easily bypassed when the user isn't paying enough attention, as it's not even that uncommon for login domains to change. obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.

2FAS Authentication
Been using it for a while. It's pretty awesome.
1password
Definitely this, especially if you'll be sharing with a non techie. My wife was able to pick 1password up and use it immediately and she normally turns her nose up at any of my recommendations.
For the 1password accounts 2FA, use a yubikey or aegis. Everything else to 1 password.
Bitwarden Authenticator because Bitwarden seems to have a good reputation. I don't use their password manager, though.
It does seem faintly insecure that it displays all of the codes at once on one page, but I'm having trouble imagining a scenario where it's actually a problem.
Yubikey. I don't want to trust my phone, so I use some separate hardware instead
I'm currently using FreeOTP from F-droid. Aegis seemed to have way too much extra crap. You don't want to sync multiple 2fa applications together since the idea of the 2nd factor is it's only in one place. Even being able to back it up is sort of contra, but if you have to, make sure the backup is well safeguarded.
The basic TOTP algorithm is quite easy to implement fwiw. A dozen or so lines of Python.
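Added example, not part of any comment in this thread: a minimal TOTP (RFC 6238) generator and verifier in Python, illustrating the comment above about the algorithm's size and the earlier point that the seed is the only secret, so whoever holds a copy of it can produce valid codes indefinitely. The function names and the ±1 step verification window are assumptions of this example; the seed is the public RFC 6238 test seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test seed from RFC 6238 Appendix B (not a real account secret).
RFC_SEED = b"12345678901234567890"

def decode_seed(b32):
    """Decode a base32 seed as shown in otpauth:// URIs or QR setup pages.
    Tolerates spaces, lower case and missing '=' padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps.
    Nothing device-specific enters the computation, only seed and clock."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)

def verify(secret, candidate, now=None, step=30, digits=6, window=1):
    """Server-side check: accept codes from adjacent time steps to absorb
    clock drift, comparing in constant time."""
    now = time.time() if now is None else now
    counter = int(now // step)
    ok = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        ok |= hmac.compare_digest(expected, candidate)
    return ok

if __name__ == "__main__":
    seed = decode_seed("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current code:", totp(seed))
```

Because the output depends only on the seed and the clock, any backup, sync target or password database that stores the seed has to be protected as strictly as the authenticator itself.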
Enteauth
FreeOTP/FreeOTP+
depending on your goal for this (real 2fa vs just simulated) you shouldn't have sync in the first place.
you could also look into security keys (hardware solution, webauthn/FIDO2) as an alternative that has strong security with good user experience (no typing anymore), but they're not as widely accepted.
What you mean syncing with Gnome app?
Yubikeys. I have 2 of them and both have the same entries in case one breaks.
Aegis
I used Aegis for a long time, switched to Proton's after they introduced it. Ideally I'd be using something physical though like a yubikey
Aegis ♥️
I use Aegis, automatically backed up every time a new key is added. Was using Authy for a while, but they're going down the enshittification hole, so I dumped them.
Aegis.
I like the auto backup feature (encrypted). Then the backup is synced to computer via Syncthing.
Set and forget setup.
Aegis
Yubikey for 2Fa codes also works well for sudo and su (2Fa) or if you still use Windows I think it supports single sign on there. Absolutely worth the purchase have had my keys for years.
We use yubikeys at work, far better than an OTP. Also I have 2 for home use, the only issue is I need to put 1 on some keys I carry as I sometimes need 1 and don't have it.
Can you explain a little more how you handle them in your daily life? I always liked the idea of Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience. Things like:
Are there accounts that you didn't get to work? Do you have separate keys for personal and work accounts? Do you just have it on your keychain and plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn't really make sense. As far as I know you can't just clone a key. How easy is it to setup a backup key? Does this work for all accounts? I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys? How is your experience? USB or NFC?
Can you explain a little more how you handle them in your daily life? I always liked the idea of Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.
I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.
Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.
Do you just have it on your keychain and plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn't really make sense.
It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.
As far as I know you can't just clone a key.
So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.
How easy is it to setup a backup key?
While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.
I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?
So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.
Proton Authenticator. Has both Desktop and Mobile apps. Free. Don't have to sync to Proton.
Do they have a Linux client for the desktop?
deb, rpm and aur-bin
I use freeotp+, but it looks like it could be dead now. But it does have an export to file.
I've been using Aegis for several years now without any problems. It replaced the Google Authenticator seamlessly.
I use Aegis on my phone.
FreeOTP+
keepassxc and a yubikey. And syncthing to keep all devices in sync
Yubikey. It supports TOTP as well as passkeys. Plus is a physical device separate from my phone. Recommend getting 2 to have 1 as backup
Ente Auth
Bitwarden as Vaultwarden enables TOTP.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.