Fidelity authenticator app works with open source TOTP app
Hello everyone,
I use an open source Android app called Aegis to manage my TOTP authentications (you can set up websites to require 6-digit tokens when you log in for additional security since the American phone network is compromised).
Read a horror story about a Fidelity account being compromised; saw the authenticator option at the bottom of the screen and thought I'd try to secure myself.
I previously read somewhere that it used a nonstandard app, and I did not feel like installing a random bank app to use it.
This means Fidelity TOTP works with any TOTP app. I highly encourage you all to activate it if you haven't already.
Re: Fidelity authenticator app works with open source TOTP app
cupcakeswsprinkles wrote: Wed Jan 15, 2025 11:51 am
> Hello everyone,
> I use an open source Android app called Aegis to manage my TOTP authentications.
> Read a horror story about a Fidelity account being compromised; saw the authenticator option at the bottom of the screen and thought I'd try to secure myself.
> I previously read somewhere that it used a nonstandard app, and I did not feel like installing a random bank app to use it.
> This means Fidelity TOTP works with any TOTP app. I highly encourage you all to activate it if you haven't already.

Been using Microsoft Authenticator for a while now. Prior to that I was using the Fido app on my phone.
Re: Fidelity authenticator app works with open source TOTP app
cupcakeswsprinkles wrote: Wed Jan 15, 2025 11:51 am
> Hello everyone,
> I use an open source Android app called Aegis to manage my TOTP authentications (you can set up websites to require 6-digit tokens when you log in for additional security since the American phone network is compromised).
> Read a horror story about a Fidelity account being compromised; saw the authenticator option at the bottom of the screen and thought I'd try to secure myself.
> I previously read somewhere that it used a nonstandard app, and I did not feel like installing a random bank app to use it.
> This means Fidelity TOTP works with any TOTP app. I highly encourage you all to activate it if you haven't already.

I was curious about why the app you mentioned is better than Google Authenticator, so I looked up their FAQ:
> Most popular apps like Google Authenticator and FreeOTP don't bother with additional security measures. They allow access to your tokens right after opening the app. Aegis, on the other hand, encrypts all of your tokens at rest and requires a password or the touch of a finger to decrypt them.
> Another important feature is the ability to export your tokens and import them into another device. Google Authenticator doesn't have this, which has not only annoyed users for years, but has also resulted in loss of access to lots of accounts.

So, more security and portability of tokens. Except, my Authenticator app is not accessible unless you have my fingerprint or unlock code, so what is the benefit of the additional requirement for a fingerprint? And re portability, I've already exported my tokens to a backup device. Authenticator gives you a QR code that you scan with the other device, and voila, your tokens are transferred. So again, what is the advantage of Aegis?
"Financial ignorance is expensive."
Re: Fidelity authenticator app works with open source TOTP app
I recently switched my Fidelity account to use the 2FAS app. I'm trying to minimize the number of auth apps I need. They all have pros and cons.
Re: Fidelity authenticator app works with open source TOTP app
This has been officially supported since last summer. Before that, they used Symantec VIP, which could be converted to TOTP with workarounds.
Re: Fidelity authenticator app works with open source TOTP app
Ente Auth is a nice authenticator app.
https://ente.io/auth/
Ente Auth is cross-platform, multi-device capable, allows for code import/exports, has a true desktop app, offers secure cloud backups, etc.
It is free, fully encrypted, open source, and actively developed.
Re: Fidelity authenticator app works with open source TOTP app
I've been using the TOTP codes generated by the macOS Passwords app. Works great for Fidelity & many other sites and auto-enters the codes (mostly).
I realize this is a single db of passwords & codes, but thus far I've accepted the compromise for ease of use.
Re: Fidelity authenticator app works with open source TOTP app
I use Symantec VIP. Is this not as good as Aegis or even Microsoft Authenticator apps?
Re: Fidelity authenticator app works with open source TOTP app
This thread is now in the Personal Consumer Issues forum (website security).
(Thanks to the member who reported the post and explained what's wrong.)
Re: Fidelity authenticator app works with open source TOTP app
snic wrote: Wed Jan 15, 2025 12:40 pm
> cupcakeswsprinkles wrote: Wed Jan 15, 2025 11:51 am
>> Most popular apps like Google Authenticator and FreeOTP don't bother with additional security measures. They allow access to your tokens right after opening the app. Aegis, on the other hand, encrypts all of your tokens at rest and requires a password or the touch of a finger to decrypt them.
>> Another important feature is the ability to export your tokens and import them into another device. Google Authenticator doesn't have this, which has not only annoyed users for years, but has also resulted in loss of access to lots of accounts.

I need a code to open up my phone; why would another code to open the Authenticator app be significant?
I assume "loss of access" just means you have to call Fidelity to re-establish access - not a big deal. And if you know you are going to change phones, just turn authentication off, and back on when you get your new phone.
Re: Fidelity authenticator app works with open source TOTP app
LISD wrote: Wed Jan 15, 2025 7:44 pm
> I need a code to open up my phone; why would another code to open the Authenticator app be significant?

Most people's phones can be opened by their fingerprint after the first use of code for the phone in 24 hours on Android.
Re: Fidelity authenticator app works with open source TOTP app
snic wrote: Wed Jan 15, 2025 12:40 pm
> I was curious about why the app you mentioned is better than Google Authenticator, so I looked up their FAQ:
>> Most popular apps like Google Authenticator and FreeOTP don't bother with additional security measures. They allow access to your tokens right after opening the app. Aegis, on the other hand, encrypts all of your tokens at rest and requires a password or the touch of a finger to decrypt them.
>> Another important feature is the ability to export your tokens and import them into another device. Google Authenticator doesn't have this, which has not only annoyed users for years, but has also resulted in loss of access to lots of accounts.
> So, more security and portability of tokens. Except, my Authenticator app is not accessible unless you have my fingerprint or unlock code, so what is the benefit of the additional requirement for a fingerprint? And re portability, I've already exported my tokens to a backup device. Authenticator gives you a QR code that you scan with the other device, and voila, your tokens are transferred. So again, what is the advantage of Aegis?

I do not use my fingerprint for Aegis. I use a separate password.
For the file backup, I had to use that recently. My phone died; that Google Authenticator part requires your phone to still work, and mine did not. A big advantage.
Aegis is open source, so other apps may be able to use that backup as well provided you put in your password. I have yet to see anything take advantage of this, but I like not being dependent on the Google or Apple ecosystem.
Re: Fidelity authenticator app works with open source TOTP app
Cyan wrote: Wed Jan 15, 2025 2:30 pm
> Ente Auth is a nice authenticator app.
> https://ente.io/auth/
> Ente Auth is cross-platform, multi-device capable, allows for code import/exports, has a true desktop app, offers secure cloud backups, etc.
> It is free, fully encrypted, open source, and actively developed.

Is it dependent on an external website to store the tokens? If so, that is a deal breaker for me since I want to keep my tokens off the cloud and not be dependent on an external provider. The client looks open source.
Re: Fidelity authenticator app works with open source TOTP app
That will support decrypting the data needed to generate a TOTP code on demand, instead of having to do it every time you unlock the phone whether or not you use it (or just not encrypting it). Just because an authenticator app can be configured to require a fingerprint to open does not guarantee that the app takes advantage of that to implement a more robust encryption. It can support significantly more robust encryption on an iPhone, and Apple has implemented that for their password safe, which includes support for TOTP.
Fidelity has supported Symantec VIP for some years, but the support for open TOTP is more recent.
Re: Fidelity authenticator app works with open source TOTP app
LISD wrote: Wed Jan 15, 2025 7:44 pm
> I need a code to open up my phone; why would another code to open the Authenticator app be significant?

The general advantage to this is, if someone steals your phone from your hand on the street, at a restaurant, etc. when you're using it (so it's unlocked) and runs, without having your authenticator app needing some kind of reauthentication (password / biometrics) to open, they would be able to get your 2FA code(s).
Couple that with them likely having full access to your email account(s) and SMS app and seeing what financial apps you have installed on your phone, and they could pretty easily do a targeted attack on you to get into your accounts.
Re: Fidelity authenticator app works with open source TOTP app
You may not need a separate app. Some password managers like Dashlane and LastPass have either built-in or integrated authenticators. The algorithms are public so any authenticator should work fine.
Re: Fidelity authenticator app works with open source TOTP app
volstagg wrote: Thu Jan 16, 2025 3:55 pm
> LISD wrote: Wed Jan 15, 2025 7:44 pm
>> I need a code to open up my phone; why would another code to open the Authenticator app be significant?
> The general advantage to this is, if someone steals your phone from your hand on the street, at a restaurant, etc. when you're using it (so it's unlocked) and runs, without having your authenticator app needing some kind of reauthentication (password / biometrics) to open, they would be able to get your 2FA code(s).
> Couple that with them likely having full access to your email account(s) and SMS app and seeing what financial apps you have installed on your phone, and they could pretty easily do a targeted attack on you to get into your accounts.

But wouldn't they need my financial institution login ID and password too? AND - they would need to know what financial institution I have if they are going to try to log in to it. (For example, if I don't have a Vanguard app on my phone, how would they even know I have a Vanguard account to try to hack into?)
Re: Fidelity authenticator app works with open source TOTP app
When I log in from my desktop, the Fido app sends a prompt. The prompt informs me that someone is trying to log in to my account using X computer, at Y location, on this date & time. The prompt asks if that person is me or not. I much prefer this type of 2FA as it's more convenient to tap "Yes, it's me" vs searching my authenticator app for Fidelity, then typing the 6-digit code.
Re: Fidelity authenticator app works with open source TOTP app
Even if you add TOTP, you must keep VIP around. This is because some actions like adding an external account will still prompt for the old VIP!
Very poorly communicated by Fidelity.
Last edited by alexbogle on Sat Jan 18, 2025 7:22 am, edited 1 time in total.
"Learn every day, but especially from the experiences of others. It's cheaper!" -- Jack Bogle
Re: Fidelity authenticator app works with open source TOTP app
alexbogle wrote: Thu Jan 16, 2025 6:20 pm
> Even if you add to, you must keep vip around. This is because some actions like adding an external account will still prompt for the old vip!
> Very poorly communicated by fidelity.

I did not know this!
We set up my parents' accounts and went straight to an auth app. Never prompted to set up VIP app?
Re: Fidelity authenticator app works with open source TOTP app
Thank you for the heads up. Last I knew you had to use the Symantec app, which I wasn't interested in doing, so this is very helpful to know. Thanks again.
Re: Fidelity authenticator app works with open source TOTP app
JBTX wrote: Thu Jan 16, 2025 6:25 pm
> alexbogle wrote: Thu Jan 16, 2025 6:20 pm
>> Even if you add to, you must keep vip around. This is because some actions like adding an external account will still prompt for the old vip!
>> Very poorly communicated by fidelity.
> I did not know this!
> We set up my parents' accounts and went straight to an auth app. Never prompted to set up VIP app?

You have to call Fidelity to set up VIP.
Re: Fidelity authenticator app works with open source TOTP app
LISD wrote: Thu Jan 16, 2025 5:18 pm
> volstagg wrote: Thu Jan 16, 2025 3:55 pm
>> The general advantage to this is, if someone steals your phone from your hand on the street, at a restaurant, etc. when you're using it (so it's unlocked) and runs, without having your authenticator app needing some kind of reauthentication (password / biometrics) to open, they would be able to get your 2FA code(s).
>> Couple that with them likely having full access to your email account(s) and SMS app and seeing what financial apps you have installed on your phone, and they could pretty easily do a targeted attack on you to get into your accounts.
> But wouldn't they need my financial institution login ID and password too? AND - they would need to know what financial institution I have if they are going to try to log in to it. (For example, if I don't have a Vanguard app on my phone, how would they even know I have a Vanguard account to try to hack into?)

They could see where you have accounts from the authenticator app entries. Many services authenticate password resets using 2FA (violating independence of authentication factors). If the login ID is not guessable from your first and last name (many are), you are left with the "Forgot Login ID" feature as the last line of defense.
You probably could find a phone and call financial institutions to prevent abuse of your login account before it occurred, but the risk is significantly lowered with a PIN/biometric protection of the TOTP app.
Re: Fidelity authenticator app works with open source TOTP app
For those who use KeePass, it does this as well. I use it for OTP just because I use KeePass and don't want to have yet another app for a generic OTP task.
In KeePass, it's obscure to set up; here's how for those interested: Advanced tab in entry, add "TimeOTP-Secret-Base32" under the name drop-down and enter your secret, save it. Then you can right-click on the entry and select Other Data, Copy or Show Time-Based OTP.
Re: Fidelity authenticator app works with open source TOTP app
LISD wrote: Thu Jan 16, 2025 5:18 pm
> But wouldn't they need my financial institution login ID and password too?

They have your phone, they have your email, they have your 2FA method. They could put your account through a password reset process, which generally requires your 2FA method when set up.

> AND - they would need to know what financial institution I have if they are going to try to log in to it. (For example, if I don't have a Vanguard app on my phone, how would they even know I have a Vanguard account to try to hack into?)

In my scenario, they have your 2FA app, unlocked (since they ripped the unlocked phone from your hand and ran before you could do anything), which lists that you have a 2FA code saved for Vanguard, therefore they know you have a Vanguard account (which isn't a thing since Vanguard doesn't support TOTP).
But let's take Fidelity, which does support TOTP, which I use with Fidelity. The TOTP code in my Google Authenticator app clearly shows Fidelity Investments, therefore one could then assume from that, I likely have an account at Fidelity Investments.
They could figure out my name, address, etc. from reviewing my email on my phone thanks to that Amazon order confirmation I have, get some other missing details about me from a dark web search thanks to all the breaches at OPM, Equifax, etc. I've been subject to, and then put my Fidelity Investments account through a password reset process.
Fidelity will ask them for some details (Name, Date of Birth and last 4 of my social security, all of which they would have at this point), then finally for the ultimate in security, ask for the 2FA code off my authenticator app, which they also have from my stolen unlocked phone, because I didn't add the additional security setup on my 2FA app to ask for a password / biometric when the app was launched.
Re: Fidelity authenticator app works with open source TOTP app
alexbogle wrote: Thu Jan 16, 2025 6:20 pm
> Even if you add to, you must keep vip around. This is because some actions like adding an external account will still prompt for the old vip!
> Very poorly communicated by fidelity.

Yeah, I ran into this also. Likely an oversight on Fidelity's side, but I actually like it. That means no one who might get into my Fidelity account would be able to add an external account for wire/ACH unless they have both my TOTP code (login) and my VIP code.
Re: Fidelity authenticator app works with open source TOTP app
volstagg wrote: Thu Jan 16, 2025 3:55 pm
> LISD wrote: Wed Jan 15, 2025 7:44 pm
>> I need a code to open up my phone; why would another code to open the Authenticator app be significant?
> The general advantage to this is, if someone steals your phone from your hand on the street, at a restaurant, etc. when you're using it (so it's unlocked) and runs, without having your authenticator app needing some kind of reauthentication (password / biometrics) to open, they would be able to get your 2FA code(s).
> Couple that with them likely having full access to your email account(s) and SMS app and seeing what financial apps you have installed on your phone, and they could pretty easily do a targeted attack on you to get into your accounts.

FYI (something I just learned): You can force any app on an iPhone to use Face ID to open. Just hard-press on the app and a menu will open - then select "Require FaceID". In this way, anyone that has your unlocked phone can't open up Google Authenticator (or any other app that doesn't require an ID/passcode).