How to use TOTP for MAXIMUM Security

  • Published 8 Jun 2024
  • Two-factor-authentication is a necessity for your security toolbox, here's how to use 2FA/TOTP/OTP to keep you safe. Screw Authy btw.
    00:00 Section 1 - Introduction
    00:38 Section 2 - 2FA Explained
    02:01 Section 2.1 - SMS 2FA Explained
    04:05 Section 2.2 - Ecosystem 2FA Explained
    06:34 Section 2.3 - TOTP Explained (Simple)
    09:42 Section 2.4 - Hardware 2FA Explained
    10:01 Section 2.5 - Outlier Services
    10:24 Section 2.6 - The Best Method
    10:49 Section 3 - TOTP Explained
    11:01 Section 3.1 - TOTP Clients
    12:07 Section 3.2 - TOTP Seeds Explained
    13:50 Section 3.3 - TOTP Real-World Usage
    15:13 Section 3.4 - TOTP Backups
    17:40 Section 3.5 - TOTP Pro-Tip & Story Time
    19:07 Section 3.6 - Enemies of TOTP (F*** Authy!)
    24:08 Section 3.7 - Full TOTP Recap & Summary
    26:50 Section 4 - Conclusion
    Resources:
    Techlore 2FA Recommendations: techlore.tech/resources.html
    Exporting Authy TOTP: gist.github.com/gboudreau/94b...
    Export Symantec: gist.github.com/jarbro/ca7c9d...
    2FA Directory: 2fa.directory/
    🔐 Our Website: techlore.tech
    🕵 Go Incognito Course - to learn about privacy: techlore.tech/goincognito
    🏫 Techlore Coaching - to get direct support: techlore.tech/coaching
    💻 Techlore Forum - to connect with other advocates: discuss.techlore.tech
    🦣 Mastodon - to stay updated: social.lol/@techlore
    We cannot provide our content without our Patrons, huge thanks to:
    BRIGHTSIDE, Clark, Ente, Larry, Afonso, Boori, Brad, Casper, Cookie, Floyd, JohnnyO, kevin, love your content, NotSure, Poaclu, x
    🧡 Join them on Patreon: / techlore
    💚 To see our production gear, privacy tools we use, and other affiliates: techlore.tech/affiliates
    💖 All Techlore Support Methods: techlore.tech/support
    #2FA #TOTP #OTP
  • Science & Technology

COMMENTS • 298

  • @techlore 2 years ago +59

    We receive so many questions about 2FA, so we went all out on this guide--enjoy it! (Screw Authy!)
    00:00 Section 1 - Introduction
    00:38 Section 2 - 2FA Explained
    02:01 Section 2.1 - SMS 2FA Explained
    04:05 Section 2.2 - Ecosystem 2FA Explained
    06:34 Section 2.3 - TOTP Explained (Simple)
    09:42 Section 2.4 - Hardware 2FA Explained
    10:01 Section 2.5 - Outlier Services
    10:24 Section 2.6 - The Best Method
    10:49 Section 3 - TOTP Explained
    11:01 Section 3.1 - TOTP Clients
    12:07 Section 3.2 - TOTP Seeds Explained
    13:50 Section 3.3 - TOTP Real-World Usage
    15:13 Section 3.4 - TOTP Backups
    17:40 Section 3.5 - TOTP Pro-Tip & Story Time
    19:07 Section 3.6 - Enemies of TOTP (F*** Authy!)
    24:08 Section 3.7 - Full TOTP Recap & Summary
    26:50 Section 4 - Conclusion

    • @gizmobently 2 years ago

      Hello, and thank you for the video sharing on 2FA. As a person who has used Google Authenticator to secure many things, most important being my online crypto accounts, this is not secure at all. I would like to know if you can share with us how this can be hacked from a person's iPhone or Windows 10 laptop if both these devices have never been compromised by loss or use of any other person? How can a hacker use these same confirmation codes that we are led to believe can only be generated by the phone they are installed on, or the laptop they are installed on? It makes me wonder why you can install these 2FA apps on a laptop if you have them on an iPhone also, but they do give out the same code numbers?
      I didn't have the time to listen to the whole video and maybe you explained that, but I had to get this question off first. In my very unfortunate circumstance where this Google Authenticator was somehow hacked from either of the devices mentioned above, hackers entered into my online exchange crypto accounts and stole all that was on them. It was not a large amount, but anything is too much. How could this be done, as the exchanges will not even talk to me about what happened. Not sure customers know this, but no exchange will divulge any information about how your account was hacked with subpoena order. Can you believe it? Not to mention they will not communicate by phone either, so if your account information was changed, you are literally locked out of your account, if email has been changed or password has been changed as there is nowhere to send new password link to. It is disgusting. So secure this by Yubikey only, using the Yubico Authenticator that cannot be hacked since it is not installed on any computer or smartphone but on the hardware device itself. This is extremely important to do.
      I will repeat one last time. Google Authenticator or any other online or on device authenticator for 2FA verification is not secure. It can be hacked and fairly easily. Do not leave any assets on any exchanges that cannot be secured by a Yubikey. As of this date, this is the only known 100% safe device that will protect you from any hack. This happened to me, and I am trying to let all know to not depend or trust any other 2FA device that is supposedly top level secure, as it is not. I wish someone would explain to me how this was hacked from me, with absolute knowledge that the devices these were on were at all times in my physical control and never even left my house, let alone missing or shared to anyone. It happened and it was ugly when it did.

    • @hassatan1187 2 years ago

      I would like to hear this guy's opinion on hardware firewalls. Do hardware firewalls give you an extra layer of security or would it be a counter productive investment?

    • @GEO_________________________24 2 years ago

      I'm looking for a good 2fa app.

    • @SmedleyButler1 1 year ago +2

      Incredible job! Karma coming

  • @JohnSmith-ox3gy 2 years ago +202

    For a number of years my steam account was better secured than my bank account.

    • @techlore 2 years ago +71

      This is still true for most people today. You’d think of all things, people would hold the companies handling their finances to higher security standards?

    • @bigrunts9768 2 years ago +30

      Steam accounts hold more money than Banks

    • @GabrielTobing 2 years ago +9

      For some of us, our steam accounts have more value than our bank accounts XD

    • @jamesedwards3923 2 years ago +1

      Yea, sucks that we can all say that.

    • @jamesedwards3923 2 years ago +2

      My stream accounts are better off than most of my bank accounts.
      It takes forever to disable 2FA on Steam. I have all the security protocols to disable it. Make it as hard as possible.

  • @redeyesdrogon786 2 years ago +110

    honestly wouldn't be mad if Techlore just has a video (or multiple videos) where he just rants about companies that claim themselves as "private"

    • @BeatBoxBrian 2 years ago +4

      Yes yes yes

    • @cowwy3130 2 years ago +3

      No company is private no matter the encryption there’s always a way for someone to get access to your stuff. Nothing is hack proof

    • @BaddBadger 2 years ago

      Henry's rants are not only entertaining, but you just know he is on our side here. It certainly beats certain other tech channels that spend the first ten minutes telling us how stupid WE are!

    • @Robbie-mw5uu 1 year ago

      @cowwy3130 nice try but you can't hack the secret piece of toilet paper I keep my passwords on

    • @cowwy3130 1 year ago

      @Robbie-mw5uu I mean if someone hacked the maple syrup place I wouldn’t trust that 🤣🥶

  • @kanakshilledar9788 2 years ago +25

    Thank You Techlore for sharing this amazing guide for TOTP. Waiting for your U2F guide. Sharing this guide in my whole circle. Keep up the great work!

  • @-SANDRO- 1 year ago +6

    This was the perfect TOTP video for me. I had a really hard time finding something (text or video) that wasn't just the bare-bones basics or something that went way too much into the nitty gritty technical details. Thanks for such a great introduction!

  • @NiTiSHmurthy 2 years ago +14

    The information about making TOTP backups was what I exactly needed. Thank you so much.

  • @lexshizumdot2115 2 years ago +8

    Thank you for taking the time to do this video. I'll admit I'm gonna need some time to fully understand it and use it correctly, but it's worth the time and effort. Thanx again

  • @BeatBoxBrian 2 years ago +9

    This was definitely good info. Watched the whole thing and took notes! Thanks, Henry!

    • @BeatBoxBrian 2 years ago +2

      (And Techlore team. I see you!) ❤️

  • @russdoesstuff 2 years ago +5

    I wish I watched this video yesterday before I removed all of 2FA from my old device in the same way you did. oh well. live and learn.
    great content. Yesterday I took the plunge and put CalyxOS on my device. (also been using Calyx MiFi 5G as my backup connection for internet, and it has worked beautifully.
    I'm data smart, but not tech smart and this channel has helped me out a ton.

  • @ThePowerRanger 2 years ago +5

    Your channel is gold. Thank you so much.

  • @tumbleweed1721 2 years ago +14

    I almost lost access to all my 2fa when I realized that authy created an account for my gemini account. I was trying to fix the problem merging the two accounts and I end up in some kind of limbo for a while, luckily I was able to gain access in one of my old devices that was out of sync with the cloud.

  • @iainmcculloch5807 2 years ago +32

    So, the main takeaways here are that everyone should use 2FA (ideally TOTP when available) where they can, and Henry really isn't Authy's biggest fan.

    • @techlore 2 years ago +19

      It’s like the world just GETS us 😭

    • @thestreamreader 2 years ago +3

      What was the best app to use for this?

    • @Iand-bs1ix 2 years ago +4

      @thestreamreader Aegis And Keepass Xc For Android And Then Keepass DX For PC I Know Its Password Manager But U Can Make Separate Database For Just Totp

    • @DestroyerofBubbles 1 year ago +2

      @thestreamreader I still don't know :-(

  • @weakling5358 2 years ago +3

    this was incredibly helpful. thanks a lot!

  • @galaxytrio 2 months ago +1

    So clear and good, Henry.

  • @GarKaineAhnung 2 years ago +2

    So helpful :) Thank you for this information-rich and amazing video!

  • @Hawkinson88 3 months ago +1

    Thanks for making this. I just learned that Authy was shutting down its PC service. While looking for alternatives, I found your video. Down the rabbit hole.

    • @echan101 3 months ago

      proton pass just released a desktop app and supports super easy 2fa

  • @AliS-qg2iz 2 years ago +4

    So I was deliberating changing from Authy...now my paranoia shot through the roof. Guess what my weekend project is going to be? Thanks for all the information!

  • @thekillerb77 2 years ago +3

    I just transitioned from Authy to Raivo OTP. Thank you @Techlore

  • @Retr0Kid 2 years ago +1

    Thanks for another detailed guide🙌💯

  • @EnglishRain 1 year ago +2

    Such a great video, thanks a lot!

  • @my-king 2 years ago +5

    Man... You have showed this aging man how silly he's been time and time again. Former LastPass user and tomorrow I'll be a former Authy user. I thought I was doing great with Authy.
    I wonder what else you'll be informing me what I'm doing wrong. I look forward to it.

  • @galaxytrio 1 year ago +1

    Preach, Henry! I was going to get Authy before I watched this.

  • @AG-sb7pu 2 years ago +1

    Wished I knew this 1 year ago and save those damn seeds! Awesome video going to be helpful for people who haven't saved their seeds before needing them in case you lose or break your phone.

  • @skatcat743 2 years ago +1

    100% accurate keep it coming!

  • @eubeyouer8919 2 years ago +1

    Thanks bro, convinced me to migrate from authy to aegis.

  • @Tired_Night_Owl_in_the_Woods 7 months ago +1

    The most infuriating thing for me is that Authy was one of the recommendations from other privacy youtuber. I installed it based on that recommendation! Now I need to clean up this mess!

  • @accountname1047 2 years ago +1

    Fantastic video, subscribed

  • @busterhimen88 2 years ago +1

    Love your work

  • @williamaungleyraud 2 years ago +7

    Looking forward to a guide to physical security keys 😎👍

  • @rickmorty6263 1 year ago +1

    I didn't think I'd reach the end of the video. 30 minutes is quite a lot. Nonetheless, with my time. Thank you, mate!

  • @CyberMedics 1 year ago +1

    Really enjoyed the presentation. Informative, with many valid points. I also steer people away from Authy just based on the requirement for a phone number. But in fairness, what authentication apps export the seed keys? I don't mean allow you to transfer to another device, but generate the actual original secret key that was registered at the time of adding the account? Excellent Mate! Thank you

  • @generaldiego 2 years ago +1

    fantastic info! gracias duder

  • @myfavouritecolorisgreen 2 years ago +1

    even though i'm fairly tech savvy and care about privacy and security, i wasn't really sure how to use apps like aegis i just knew they are good for privacy. this video was really simple to grasp and i'm able to use 2FA quite easily now. thanks :)

    • @tato1271 2 years ago +1

      Privacy =\ security

  • @JewLsTruly 2 years ago

    I love your videos! Major fan! I've been watching your videos for almost 2 years now and you have taught me so much and actually gave me the inspiration to pursue a career in cybersecurity. I love your videos on going incognito from Google. Everyone thought I was crazy when I was doing my research and when I found out what all Google can do on my devices as well as Samsung in my opinion. Lol. But anyway you have let me know I'm not so crazy and I'm on the right track. You're awesome please keep making all these videos you do

    • @JewLsTruly 2 years ago

      If you could do a video on how Chrome uses my phone as a security key and how I'm supposed to link it with a QR code. I found it in settings in Chrome and it was saying my tablet could be used as a security key. I've never set this up. But there was a button there saying clear linked devices in Chrome settings. I never use Chrome and I'm so confused how that would have gotten set up or it's like that cause my boyfriend said it's already set up but wouldn't I have had to have scanned QR codes to make a device to clear one. Yeah I really hope you understand what I'm asking.
      Google Chrome security key involving the QR code and it said it would link device to use device to sign in or unlock other device I'm thinking

    • @JewLsTruly 2 years ago

      I know you don't like Google but if you could just clear this question up for me I would be so appreciative

    • @techlore 2 years ago +1

      Hey Juli! We love to hear that we assisted you in your life with your career and everything privacy related! That's amazing! Now, onto your question: Unfortunately, there are time constraints so we cannot assist people with technical questions. We have a community full of people that would be willing to assist you on Matrix, Discord and even a new forum we launched! We hope you can find the assistance you need.

  • @andyjonsson7673 2 years ago +1

    thank you for good info and interesting videos :)

  • @liesdamnlies3372 2 years ago

    Good video. Unfortunate phrasing when you said “enter it before the thirty second timer runs-out.” The little bit of wiggle-room you get by being able to use the code before or after the one for the current time is very nice (and sensible ‘cause you know, not everyone has an atomic clock). I’ve personally heard people being annoyed they “have to” wait until the timer runs-out and they have time to enter the code. Sometimes this annoyance is even _the_ blocker for them (it sounds silly, but if you’re a really slow typer, have a disability or whatever else, it can be very hard to enter something within ten seconds).
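
The acceptance window described in the comment above, as an added example (not from the video or from any commenter): a minimal RFC 6238 verifier that accepts the code for the current 30-second step plus a configurable number of steps either side. The seed is the published RFC test value; the function names and the `window` parameter are illustrative assumptions, and each real service chooses its own window.

```python
import base64
import hmac
import struct

# Published RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"),
# Base32-encoded the way a service would display it next to the QR code.
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32):
    """Turn the Base32 seed shown at enrolment into raw key bytes."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # authenticator seeds are often shown unpadded
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(decode_seed(seed_b32), int(unix_time) // step, digits, algo)


def verify(seed_b32, submitted, server_time, window=1, step=30, digits=6, algo="sha1"):
    """Return the step offset (-window..+window) whose code matches, else None.

    window=1 accepts the previous, current and next code, which is the
    "wiggle room" for slow typing and small clock differences. A larger
    window tolerates more drift but keeps each code valid for longer.
    """
    key = decode_seed(seed_b32)
    current = int(server_time) // step
    matched = None
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        # Constant-time comparison; `submitted` must be an ASCII digit string.
        if hmac.compare_digest(hotp(key, counter, digits, algo), submitted):
            matched = drift
    return matched


if __name__ == "__main__":
    server_now = 59  # constructed timestamp: falls in time step 1
    print("code on any device holding this seed:", totp(SEED_B32, server_now))
    for code in ("755224", "287082", "359152", "338314"):  # steps 0, 1, 2, 4
        print(code, "->", verify(SEED_B32, code, server_now))
```

Any app given the same seed produces the same code for the same time step, so a code that is rejected usually points at a device clock that is off by more than the service's window.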

  • @kortera 2 years ago +1

    I came here from a "best apps for Linux" where the comment was "authy! yikes!" with the link to this video, and let me tell you when I saw the kind of shitty lighting and a vaguely scruffy dude in a hoodie with the hood up I was getting strapped in for a conspiracy rant video, needless to say I was very pleasantly surprised, so much so I have now subscribed. I used to use lastpass for a bunch of things, but the difficulty to use put me off, so I'm glad I made a good choice

  • @ruslan124 4 months ago

    Excellent video

  • @gregwalker1536 2 years ago +1

    Keep going my Friend , keep going 👍🕊️🙏

  • @camadams9149 2 years ago +2

    Also I can't recommend Bitwarden enough.
    My threat level: I am not wealthy, famous, or politically/publicly/militarily relevant
    Bitwarden has:
    1) zero knowledge encryption
    2) Cloud Syncing
    3) Extensions for all browsers
    4) Android, iOS, Windows, Linux, and MacOS apps
    5) Built in TOTP authenticator
    6) Built in password generator
    7) Option to download all passwords and seeds
    8) Auditing tools to check for weak, reused, and compromised passwords
    9) It is open source
    10) Regularly audited by 3rd parties & findings are publicly accessible
    It is $10 dollars a year to get premium. It is one of the only pieces of software I have bought. It really is a great product.

  • @jamesedwards3923 2 years ago +3

    I finally transferred out of Authy.
    I had it on my list anyway. You just gave the push I needed.

    • @zaynezachariasse9240 2 years ago +2

      What app do you use instead of authy?

    • @Gamer-ct6hb 1 year ago +2

      @zaynezachariasse9240 I recommend Tofu Authenticator or Authenticator for iOS (I use Tofu Authenticator but I found out that I can't get the TOTP from it...)
      Aegis for Android

    • @jamesedwards3923 9 months ago

      @zaynezachariasse9240 I am experimenting with a bunch of them. Here are the ones I am using right now.
      andOTP
      Aegis
      FreeOTP Authenticator

  • @johncassol 2 years ago +18

    Valeu!

    • @Jzombi301 2 years ago +6

      woah is that a donation in the form of a comment? ive never seen this before on a not-livestream video

  • @nigelholland24 2 years ago +2

    I have to remove all my 2fa from all my sites then remove authy then set them all up again in Aegis. Thanks for the info.

  • @ryaniglesias6381 2 years ago +4

    Amazing video...... I left Authy about a month ago (Desktop version and iOS version were not syncing properly and Authy admitted that their desktop version has many flaws) and went to Microsoft Authenticator but I had to disable 2FA for all my 26 accounts when I was changing from Authy to Microsoft Authenticator....... :( :( :( .......

  • @mukkaar 2 years ago +1

    This video finally gave me motivation to move away from Authy. I have literally had other open source totp app on my phone for a year, but since there's no export option it's just going to be so pain in the ass.
    Gotta also remember to send them message to delete all my data.

  • @Mojo_DK 2 years ago +2

    I've got a somewhat unrelated question...I am interested in using the Trezor as a Fido key. Usually when you use something like a yubikey it is recommended to use multiple ones to make sure that you can still log into your accounts when one of them breaks (because apparently there is no way to recover a broken one's seed ???). Is the same thing true for the Trezor? If your Trezor breaks you can recover your wallet with the seed words but would that also recover my U2F or is that something different?

  • @20quid 2 years ago +3

    Is there a list somewhere of which services provide 2FA and which implementations they offer?

  • @adith6254 1 year ago

    Great video, why backup the seed when there are 2fa recovery codes?

  • @MusicToTheEars141 2 years ago +4

    I definitely agree that we should stop using SMS for everything. I hate SMS

  • @FDBryantIII 2 years ago +4

    Your reasons for hating Authy are less than convincing (at least to me). If you follow best practices and save your seeds independently as you create them then it doesn't matter if you are using Authy or not. If you haven't saved your seeds already and are using Authy you can go to your originating websites and get your seeds from them. When you do be sure to independently save them (you should do this regardless of the app you are using) using secure 3-2-1 backup procedures. While you are doing this you should also save the emergency access information as well. Tedious, sure and obviously an export feature makes this easier but not really that big of a deal. You do it once and you are good to go long as you follow proper backup procedures and save them independently as you create them going forward. Of course, regardless of the app you use if you don't export them or save them before you somehow lose access to your authenticator it really doesn't matter which app you use - you better have the emergency access information handy or you are screwed.
    Tying it to a phone number is a more valid issue but isn't really a deal-breaker nor is having to create an Authy account. It may be preferable to have other options but not the worst thing in the world particularly if you find Authy's features of value.
    While I do tend to prefer open-source software philosophically, realistically from an end-user point of view it isn't that much of an advantage. Yeah, it is great that in theory thousands of sets of eyes can be looking at the code finding all the bugs, and making sure no one slips something malicious in there. In reality, this doesn't happen much. Ultimately the end-user has to trust the developer whether it is open-source or closed-source and the reputation of the software in the community. Authy overall is well respected and to my knowledge has no actual issues.
    Shrugs, I'm not looking to convince anyone to use Authy - I'm thinking about moving away from it myself. I'm not even saying that the issues Techlore brings up are not something to take into consideration when selecting a TOTP authentication app, you should be aware of them and decide how important it is for you. My point is that they don't make Authy the devil's dumpster fire he makes them out to be.

  • @anether 1 year ago +1

    I know it's a relatively old video, but thank you for saying all the things I think about Authy. Seriously, fuck that service!

  • @GarryBurgess 2 years ago +2

    When I got the TOTP from Microsoft, I pasted it in a note, and pasted the same text file into an authenticator. A few days later, I pasted the same text string into a different authenticator, and it gives the same numbers, but not with exactly the same time. Why are they not changing at exactly the same time?

  • @extremesanta2315 2 years ago +1

    Yeaaaaaaa kk thanks 🙏!

  • @Jerome-iwnl 2 years ago +1

    Thanks

  • @hermes8258 8 months ago

    Good dentist.

  • @onestopviewfiles 2 years ago +5

    3:32 maybe the codes should be sent via signal. I know Facebook are planning on sending login codes via WhatsApp. (I guess also to get more people to use WhatsApp due to the rise in signal users).

  • @mikepublic111 2 years ago +1

    Be sure to save your keys (seeds) in a secure location.
    I store mine in an encrypted text file that I save on a flash drive stored in a safe.
    That way I can switch to a different authenticator app.
    It's tedious to add the keys, but gives the most flexibility.

    • @orlovsskibet 8 months ago

      You could just save the QR image there as well. Makes it a lot easier :)

  • @im_Anonymous 2 years ago +1

    When is the surveillance report 52 gonna come out henry?

  •  2 years ago +2

    TOTP already saved me several times (even with strong password)

    • @samsam060402 2 years ago

      But how would an attacker even get a 20 character random generated password?

  • @INdoFreakNesian 2 years ago +1

    Any recommendations for a MacOS 2FA client? Something like Raivo for mac?

  • @scopex7900 2 years ago

    What should we use instead of google school stuff example google docs sheets slides etc
    any private alternatives?

  • @Dankeller69 2 years ago +2

    I had a conversation with my bank about how I can’t use their RSA key for their banking app and the lady said to me why don’t I use sms 2fa and I said cause you can clone or intercept sms. Her response was if the bank thought it could be done they would change.

  • @maxim9733 1 year ago +1

    god, that was awesome and I really want to get that guy on a date...

  • @nomadshiba 2 years ago

    What do you think about Standard Notes and its 2FA extension?

  • @Robbie-mw5uu 1 year ago

    Wow I didn't know about that Twitch Authy thing! This video is a year old and it's still valid because Twitch STILL uses Authy. I just checked and there's no mention of Authy in the Terms of Service but users are still reporting issues with it on Reddit!

  • @Minecraft101ToonLink 2 years ago +3

    If TechLore is genuinely MAD about something on camera, you know it’s serious.

  • @ledgeri 2 years ago

    The password manager was mentioned as a less secure option for TOTP, than a dedicated app... Does this relation still stand if it is two separate database, file, account whatever, with separately strong masterpasswords?

  • @BeatBoxBrian 2 years ago +3

    Is using a secure VOIP phone number more secure than just your ol’ Verizon phone number?

    • @LandSurfer96 2 years ago +1

      More secure or private? Secure?... Not generally unless you are using an end-to-end encrypted messenger.

    • @techlore 2 years ago +3

      Services like Google Voice have better protection from account-takeover attempts which have infamously happened with traditional carriers who fell victim to simple phone-based social engineering attacks.
      So yes, small security improvement just for this reason alone. However, it comes at the cost of needing a Google (or other VOIP) account, and each service’s security/privacy practices will wildly vary. Another complication is many accounts online will flag the VOIP number and not allow you to use it.
      No right answer here, just some things to think about.

    • @BeatBoxBrian 2 years ago +1

      @techlore thanks for the response! For the services that only do text-message 2fa, I’ve been using a VOIP number. Might be a small decrease in privacy for an increase in security, so that’s what I do.

    • @BeatBoxBrian 2 years ago +2

      @LandSurfer96 I forgot to reference the fact that I’m referring to using these for 2fa. Seems VoIP might be more secure if the account you have with the VoIP provider is properly secured with its own 2fa. Google voice has the option of TOTP / hardware keys for example.

  • @Meowski_2 1 month ago

    TANK YOUUUUUUU

  • @PrabhuShreeRamKiJai 2 years ago

    hey, recently I found that many shopping websites track our position as well as where we are scrolling where we are clicking. .. they just capture the screen. .. how to stop that kind of privacy leaks???

  • @is34preteristforce 5 months ago

    Hi. I have a question if I may ask. Do you think Instagram should have a security key option for 2FA? Just curious about your thoughts.

  • @tombouie 2 years ago

    Thks

  • @Seegalgalguntijak 2 years ago

    Fortunately, banks in Germany have their own type of 2FA method, with which you need a reader (a small device with a camera and a screen and a keypad) and your bank debit card. The smartcard processor on the debit card does the crypto, while the reader device just is the interface between your screen, you and the smartcard processor on your debit card. It's really secure, much better than SMS 2FA or their newest clown idea, a 2FA app for your spyphone...

  • @RolingRandom 8 months ago

    If TOTP is a standard, does this mean I can use a windows program to login to my google account? (I don't see the seed code on my Google authenticator)

  • @RayJacobsenJr 2 years ago +5

    We need a video on how to get off LastPass

    • @techlore 2 years ago +8

      Absolutely. Will do.

  • @aditya_soni 1 year ago +1

    I am confused with this scenario and not able to find a proper answer
    Let's say i have 2FA on for all my account and have backed up all the seeds in case i need them
    I lose my device , since i have the backups i can easily setup my 2FA in my new device
    But what about the old device ? It still has the 2FA running on it , what if someone somehow manages to get to the 2FA app and then they have access to my seed and 6 digit 2FA codes

  • @stelans 2 years ago +1

    Google Authenticator blocks the seed "reveal" as well...

  • @Teeth1000 2 years ago

    I’m switching to Raivo OTP and when setting up a token it gives the option to choose SHA1/SHA256/SHA512. Is it ok to choose any of them or does the service I’m setting up 2FA for need to support it?

  • @francescofra751 1 year ago

    Sorry, instead of saving the seed alpha-numerical code, can I directly save the QR code as a JPEG? Particularly if the website only provides the QR code and I don't wanna scan it with a third-party app. Thank you

  • @Kyuunex 2 years ago +5

    some services like Twitch literally only give you a choice between SMS and Authy

    • @Robbie-mw5uu 1 year ago

      Panda Express doesn't even give you the option to change your password lol

  • @im1random263 2 years ago

    Maybe it's possible to get your authy seeds on a rooted android phone just like from the steam app?

  • @jedikv 2 years ago +2

    I will push back gently on the idea that multi device sync is not important - maybe in your life, you have plenty of people that don't switch devices (or lose them) but to the layman, that stuff happens all the time. I wish the FOSS authenticators did what bitwarden does and have multi-device sync. Usability is important if we want non-technically minded folks to use these things - that's why authy has the reputation (despite the other flaws you rightfully point out)

  • @SelfixhHacker
    @SelfixhHacker 2 years ago +1

    Is the andyotp extension the best option for the browser or not??? Please answer me

  • @stevenson3741
    @stevenson3741 2 years ago

    checking in

  • @sibu7
    @sibu7 2 years ago

    Is it correct that only services that use a 7-digit code really need Authy (i.e. those only work with Authy and not any other TOTP app)? I transferred all my accounts from Authy to Aegis using the method recommended in the video and I want to delete my Authy account now but I'm not sure if any services I use still need it.

  •  2 years ago

    What do you think of the Apple 2FA iOS 15 ecosystem?

  • @chinmay_tamhane
    @chinmay_tamhane 2 years ago +2

    Is Microsoft Authenticator good??

  • @shell11
    @shell11 1 year ago

    What about keeping the 2FA authenticator app and password manager on the same device? For example KeePass + Aegis on the same Android device. There is a single point of failure because if the device gets hacked the attacker has 2 databases (KeePass and Aegis) to crack.

  • @jfamtd2770
    @jfamtd2770 2 years ago

    Can you do a video on how to use TOTP with KeePass?

  • @harminparra7678
    @harminparra7678 2 years ago

    Question:
    Is Microsoft 2FA good enough?

  • @ppl4131
    @ppl4131 2 years ago +1

    How about Dashlane TOTP?

  • @Yuzema
    @Yuzema 2 years ago

    How to export from other apps? Like Google?

  • @ilikepork247
    @ilikepork247 2 years ago

    -I switched to Aegis on recommendation from this vid but I've had non-stop problems where the generated code is "invalid" and it's super annoying to be somewhat soft locked out of my accounts. I have no clue if it's a bug, user error or if I just got unlucky but it's super frustrating.-
    Edit: user error, due to constantly living on BST and not changing the clocks lol
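
    An added illustration (not part of any comment or of the video) for the two points raised above, the SHA1/SHA256/SHA512 option and codes rejected because of a wrong device clock: a minimal RFC 6238 generator and a service-side check. The seed is the RFC's published test secret, and the server time and the ±1-step acceptance window are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test secret, Base32-encoded as apps show it.
SEED = base64.b32encode(b"12345678901234567890").decode()

def totp(seed_b32, unix_time, algorithm="sha1", digits=6, period=30):
    """RFC 6238 code for the given Unix time (HOTP over the elapsed periods)."""
    key = base64.b32decode(seed_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(code, seed_b32, server_time, algorithm="sha1", digits=6,
           window=1, period=30):
    """Service-side check: accept the current step and `window` steps either side."""
    for step in range(-window, window + 1):
        expected = totp(seed_b32, server_time + step * period,
                        algorithm, digits, period)
        if hmac.compare_digest(expected, code):
            return True
    return False

def demo(now=1_700_000_000):  # constructed server time
    """Which app-side settings still produce a code the service accepts."""
    return {
        "same settings": verify(totp(SEED, now), SEED, now),
        "app set to SHA256, service uses SHA1":
            verify(totp(SEED, now, "sha256"), SEED, now),
        "device clock 20 s behind": verify(totp(SEED, now - 20), SEED, now),
        "device clock 1 hour ahead": verify(totp(SEED, now + 3600), SEED, now),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

    The code depends only on the seed, the hash, the digit count, the period and Unix time, so a device whose clock is an hour off is 120 steps away from anything the service will accept.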

  • @tatvafnu6604
    @tatvafnu6604 11 months ago +1

    Google Authenticator also does not allow you to reclaim the seed for the accounts! Wonder how you missed that point! One can only transfer it to another Google account with a QR code which can only be read by Google...

  • @homesteadishdad
    @homesteadishdad 2 years ago

    Is DUO still a viable option? They are making us use it at work, so I want to make sure I'm not screwing myself.

  • @wlolw2
    @wlolw2 2 years ago +1

    Why have you removed Tofu 2FA from your recommendation?

  • @cmdrefstathiusplacidus9003
    @cmdrefstathiusplacidus9003 1 year ago

    And if you're running a VPN on all your devices, SMS is secure and encrypted, is it not, or does it bypass it?

  • @tripslord9029
    @tripslord9029 2 years ago +1

    I wish I knew all of this before getting a new phone

  • @miketripp2168
    @miketripp2168 1 year ago

    When everyone covers the most secure TOTP apps, no one ever mentions Yubikeys. With their app the keys are on the Yubikey hardware key to store the seed. The app supplies the screen to show the code and the timer. The app can't be used without the hardware key. And the hardware key needs the app. So it seems like that adds another layer of protection in case your phone gets hacked. You can have two keys so you have a backup. And if you switch devices, all you have to do is install the Yubikey authenticator on the new device. Then connect your key when you need a code. It seems like the only downside to it would be the cost of the keys. But since no one ever talks about it, I don't know for sure. Any thoughts?

    • @techlore
      @techlore  1 year ago

      We talked about Yubikeys briefly in the video, and will be coming out with a Yubikey video shortly. -S

  • @ComputerGuruPaddy
    @ComputerGuruPaddy 2 years ago +1

    2FA is great, I use it all the time. But I also hate the implementation of it. If it is set up you may not be able to log in to the service without the code. I know that this is the intention for 2FA.
    For example on Steam you can't easily play any game you installed. With banking, one bank needs the code for everything; the other is more reasonable and only requires the second factor for money transfers.
    No one offers me a setting for when the code should be required.