Looks like it uses TOTP, so it should Just Work, I think? Have you tried using the Google Authenticator option, but scanning a QR code in the Aegis app to see if it works?
If it does, we can probably update the language of the UI to indicate any TOTP authenticator would work (as I think it would, if I understand how it works).
Edit: Maybe I'm wrong, though. Our UI for this is clunky.
Seeing your reply, I tried adding via QR code and it worked.
Tried to log in 5 times and succeeded all 5 times on the 1st try. No more wrong OTP.
I was starting to be afraid to log in in case I get locked out with Google Authenticator.
So it seems Aegis works just fine.
I have to mention that Aegis Authenticator is a free and open source app.
Indeed, the wording might use a refresh to indicate to the user that other authenticators can also be used.
I'll see if @Jamie or @Ilia wants to tackle updating the GUI for 2FA. I think we want to say something like "TOTP (e.g. Google Authenticator)" and then Authy, which I think maybe uses a different protocol. But, maybe they all support TOTP and we don't need to ask what kind of authenticator, since any one that supports TOTP should work.
And, yeah, I looked at Aegis, it looks really good! I don't love Google Authenticator, either. The danged thing has to be manually refreshed or as you noticed it serves an old token.
Thanks, Joe! Ironically, we've already fixed this for the next, upcoming Webmin release! It came up before, and Jamie updated the UI just a few weeks ago:
@Jamie, now that it caused confusion for @inteq, I'm thinking the dropdown could instead say TOTP (e.g., Google Authenticator, Apple Codes, or Aegis Authenticator)…
Perhaps we shouldn't display Authy option at all, as we discussed earlier? We could check if Authy is currently in use, and only then show the dropdown. For new installs, we should leave it out entirely, making TOTP the only option, while providing a clear explanation about TOTP – what it is and which applications are supported. I think this would be more beneficial.
However, this won't work if we add new 2FAs in the future – but will we?
Good question, but I thought the use of "passkeys" was something that involved cookie authentication (in particular session cookies) revoking/renewal. Something additional to MFA rather than alternative.
I could of course be misguided as well as out of touch.
Oh, but, any users who'd created the old Authy style thing (assuming it wasn't TOTP, I don't even know how we're doing 2FA with Authy), they'd be locked out until getting a new TOTP token.