Two-step verification with Aegis Authenticator


It is becoming increasingly important to properly protect your accounts on the internet with two-step verification. But there are some pitfalls to keep in mind. Aegis Authenticator is a very practical app to generate access codes. We show you how to use the app and how to use it safely.

Reports of passwords exposed in data leaks are the order of the day. The old-fashioned combination of a username and password is clearly no longer sufficient. Fortunately, you can secure many accounts with two-step verification. Well-known examples are Google, GitHub, Dropbox, Facebook and Instagram, but that list is now much longer. A characteristic of two-step verification is that something you know (your password) is combined with something you have as a second factor (for example, your smartphone). So you need physical access to your phone to log in. In practical terms, this means that you enter an access code that you receive via text message or an app. Google Authenticator is often used, but it has some limitations. That is why we choose Aegis Authenticator for this workshop. We’ll show you how to take full advantage of this tool!

1 Installation

If you’re going to use two-step verification based on an app that generates passcodes, Google Authenticator is usually recommended. However, that app has a few drawbacks, some of which will be discussed in this workshop. Since two-step verification usually uses the TOTP (Time-based One-Time Password) algorithm, you can use a variety of other apps instead of Google Authenticator. Well-known examples are Authy and Microsoft Authenticator. Here we choose Aegis Authenticator. This app is free, open source and gives you more options than Google Authenticator. In addition, the app is very user-friendly. You can install Aegis Authenticator for free from the Google Play Store. There is no version (yet) for iPhone or iPad.

2 Secure access

When you start Aegis Authenticator for the first time, you will be asked if you want to protect access to the data and how.

The bottom line is that you can (optionally) keep the keys extra safe on your device by encrypting them. If you choose to do so, you will be prompted for a password or fingerprint when starting the app. This makes the data readable again so that the access codes can be generated. The biggest disadvantage is that this extra step is always necessary.

You don’t need to use this extra security. In that case the app works the same as Google Authenticator: after starting it you will immediately see your access codes. In that situation, we recommend that you set up a good general screen lock and never leave the phone unattended.

You can keep your keys extra safe by encrypting them.

3 Add access codes

Occasionally, the use of two-step verification is mandatory, but most of the time it is a choice. You can activate two-step verification via the account settings of the website or service in question. We recommend that you do so, especially when it comes to sensitive or valuable data. When you turn on verification, a unique secret key is created first, which you transfer to Aegis Authenticator. You do this by typing the key or scanning the QR code with the camera. Based on that key and the current time, the app then shows the six-digit access code, also known as a token. You have to enter this code as an extra step after logging in with your username and password. You don’t have much time for that: a new access code is created every thirty seconds. Accounts that you add can optionally be grouped. You can then filter on these groups later in the overview of access codes. This is useful if you have a lot of access codes. If you want to edit an item afterwards, long-press it and tap the paintbrush. You can also make the QR code visible again in order to share the key with another device, so that this device can also generate valid access codes as a kind of backup.

4 Additional settings

Via the settings you can, among other things, increase the security a bit.

Aegis Authenticator gives you additional settings via the menu to make the app even more secure. For example, the Screen security option prevents screenshots of the screen from being taken.

We recommend that you activate this. In the past, this has sometimes been used as a back door to extract access codes from Google Authenticator. With the Tap to reveal option you can also choose not to show passcodes until you tap them. Handy if you are in a place where others can watch.

Via the settings you can also, for example, adjust the appearance, such as a specific theme or a more compact display. You will also find options for importing and exporting, which we will cover in the next section.

5 Backup

With Google Authenticator, all keys are safely stored on your smartphone. You can now manually transfer them to a second device via a QR code. However, that is (very) difficult if you have lost the smartphone. With Aegis Authenticator you can export all keys in one operation to a file, which you can later import on another device. To create the backup, open the settings and choose the option Export under Tools. Accept the standard format. You can save the file on the device itself or use the Share option to transfer it in a different way. If you have the option Encrypt the vault checked, you will be prompted for a password. You will need that later when importing. Preferably keep the password separate from the backup file. Want to restore the data to a freshly installed app? Then choose Import from a file in the settings. Select Aegis Authenticator as the format and browse for the file. Then enter the password. Check which items you want to import and confirm. Now you have all your keys back and you can start generating access codes for the websites and services in question.
