
I adore Aegis, and view it as one of the most important apps on my phone.

If you use Aegis on Android and use a Gnome-based Linux distro, I highly recommend complementing with Gnome Authenticator[1][2][3][4].

    flatpak install flathub com.belmoussaoui.Authenticator
Gnome Authenticator is still a little early and buggy (mainly performance issues when you have lots of tokens), but it can import and export Aegis format (and a few others). It's been downright luxurious having my seeds on my phone and my laptop and desktop.

[1] https://gitlab.gnome.org/World/Authenticator

[2] https://flathub.org/apps/com.belmoussaoui.Authenticator

[3] I think (I hope) that Gnome Authenticator will be distributed as part of Gnome at some point in the future, but it isn't yet

[4] It's also super easy to build and run from source using Gnome Builder[5]. Just open Builder and clone the source from gitlab, and click the "Build" button and it will do its thing

[5] https://wiki.gnome.org/Newcomers/BuildProject
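An added example, not code from Aegis, Gnome Authenticator or the commenter above: what "seeds" and "Aegis format" amount to in practice. The script below parses a small constructed JSON document laid out like an unencrypted Aegis export (the `db.entries[].info` layout and the `header.slots` encryption marker are assumptions about that format, not copied from a real device) and derives RFC 6238 TOTP codes from the base32 seeds, refusing to touch a file that looks encrypted. The sample seed is the RFC 6238 reference key, so the codes it produces can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed sample in the shape of an unencrypted Aegis JSON export.
# The layout (top-level "db" -> "entries", each with an "info" object) is an
# assumption for this example, not a copy of a real export file.
SAMPLE_EXPORT = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "00000000-0000-4000-8000-000000000001",
                "name": "rfc6238-test",
                "issuer": "Example",
                "info": {
                    # RFC 6238 reference seed "12345678901234567890", base32-encoded
                    "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30,
                },
            }
        ],
    },
})

_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def load_aegis_entries(export_text):
    """Return the TOTP entries of an unencrypted Aegis-style export.

    An encrypted export carries key slots in header.slots (assumed marker);
    the seeds in such a file are ciphertext, so refuse rather than misparse.
    """
    doc = json.loads(export_text)
    if doc.get("header", {}).get("slots") is not None:
        raise ValueError("export is encrypted; decrypt it with the vault password first")
    return [e for e in doc["db"]["entries"] if e.get("type") == "totp"]


def hotp(secret_b32, counter, algo="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32.strip()) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), _ALGOS[algo]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP for one entry: HOTP with counter = unix_time // period."""
    info = entry["info"]
    t = int(time.time() if at is None else at)
    return hotp(info["secret"], t // info.get("period", 30),
                info.get("algo", "SHA1"), info.get("digits", 6))


def codes_at(export_text, at):
    """Map 'issuer:name' -> current code for every TOTP entry, at a given unix time."""
    return {f'{e["issuer"]}:{e["name"]}': totp(e, at) for e in load_aegis_entries(export_text)}


if __name__ == "__main__":
    for label, code in codes_at(SAMPLE_EXPORT, time.time()).items():
        print(label, code)
```

The point the thread keeps circling back to is visible in the code: the base32 `secret` is the whole second factor. Anyone who can read the export (or a cloud copy of it) can run exactly this function, which is why an unencrypted export on a synced disk is a weaker proposition than the same seeds inside an app's encrypted vault.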



There is no way I will install an authenticator as a flatpak.


Just curious, why?


If I had to guess, which currently I do as GP has not provided an answer, I would guess it has to do with the ease with which the flatpak can be updated maliciously compared to a traditional OS package that usually goes through a separate maintainer. Thus, if the project was hacked or the owner of the flatpak turned evil, they could reap a pretty major bounty with no blocks in the way.

If this were my concern, I would just build from source as it is quite easy to do with this project.


> It's been downright luxurious having my seeds on my phone and my laptop and desktop.

The same is possible for my iOS tool of choice (called "OTP auth"). It can also synchronize to iCloud (passphrase encrypted) and make use of that on macOS.

I've resisted the temptation of that comfort so far (and of just putting the TOTP seeds into Bitwarden or 1Password), because it does seem a lot like collapsing what's now definitely two or maybe three factors into two or sometimes only one.


Indeed, I went through a very similar philosophical dilemma as well. I eventually decided that the convenience outweighed the security reduction, in part because the security reduction feels fairly minimal as they still live only on local devices and not on a device accessible to anyone besides me.

I still can't bring myself to put them into bitwarden, though. I suspect that will be a line I refuse to cross for quite some time, even though the convenience and luxury of doing so is tempting. Having my seeds in the cloud to me definitely reduces a factor


Just thanking you for your tips. I was looking for something after Authy's decision to discontinue the desktop version. This sounds like a great option.

I'm probably going to run Gnome Authenticator on top of WSL2, because I like monstrosities.


You can just use a Keepass database and then you aren't locked in to a single OS (KeepassXC, Keepass2Android, etc.). Synchronize any way you like.


Why not Keepass?


Having both your passwords and your OTP seeds in the same tool defeats the purpose of multi-factor auth.


So, even though you'll have both installed on your phone, separating that over apps helps you think? Why not just two Keepass databases then?


What makes you think I have both installed on my phone? Have we met?


Which is idiotic, as having your seeds on your desktop no longer makes it two factor authentication, rendering the use of the phrase factually incorrect.


If you login on some services on your phone, you have the same problem.

2FA protects you mainly from password leaks, not from people physically accessing your devices.


Yes, very much agree. I am uncomfortable with the idea of putting them into a cloud service such as bitwarden, not because of a distrust for bitwarden, but rather having them on the cloud and/or in the same place as the passwords feels like a big reduction in security. Simply having them on an additional local device does not feel like much of a change to me.

To each their own though, and everyone has a different level of risk, and a different level of risk tolerance. With all security, it comes down to an evaluation of that. I know some people in a very safe area who don't even lock their car or their house. They have not had any issues, and it can be very convenient not to have locks. That security posture is not for me, but it works for them.


You do not have the same problem, though. Sandboxing on mobile OSes is much more severe. No app can just magically access the rendering context of another application without elaborate million-dollar exploits.


That is neither true nor idiotic.



