Ente Auth: open-source Authy alternative for 2FA (ente.io)
406 points by memset 5 months ago | 201 comments



Hello, one of the folks working on Ente Auth here. Thanks for putting us on the frontpage!

To give some context, we built Auth for ourselves because we wanted a product that was cross-platform, open source[1] and offered end-to-end encrypted backups[2].

Since launch[3], the product has undergone iterations[4][5].

Auth is now available on Android, iOS, Linux, Mac and Windows[6]. We also have a read-only companion app for the web[7].

Backups are end-to-end encrypted, optional and free. You can use all our apps (minus the web) without an account.

You can also self-host[8] if you wish.

Please let me know if you have any questions!

[1]: https://github.com/ente-io/ente

[2]: https://ente.io/architecture

[3]: https://ente.io/blog/auth/

[4]: https://ente.io/blog/auth-v2/

[5]: https://ente.io/blog/auth-v3/

[6]: https://github.com/ente-io/ente/releases?q=tag%3Aauth-v3

[7]: https://auth.ente.io

[8]: https://help.ente.io/self-hosting/


First of all thanks for providing an alternative 2FA app on iOS platform that is open source.

I wanted to be one of the users but when I tried to import my backup from Raivo your app just gives a null pointer exception error. I sent an email to your support team and they said they will get back to me once they hear back more from devs, which was 2 weeks ago.

For now I am using 2FAs but it would be great if I can get to try your app once importing works fine.

Good luck!


You could try to import in pieces and try different export formats; unfortunately Ente doesn't have a great parser, so some OTP codes could break the import process.


Out of curiosity, have you tested what happens if you buy a new iPhone and upgrade from old to new one? (Preferably no backup, just the new/standard upgrade procedure where you bring the new device close to the old one, and Apple does its magic.)

The only reason why I use (and recommend) Authy is that when I get a new phone it just works, while other apps require to somehow open them and do some operation between old and new phone.

If it works, happy to switch to an open alternative! (Asking about iPhone, but I assume Android folks would also be interested.)


We have intentionally opted out of this[1][2] for now, since we did not want to create a dependency on iCloud for backups.

So if you purchase a new device, you will either have to sign in to Ente Auth again (for E2EE sync), or export your codes from the older device, and import it to the newer device.

[1]: https://github.com/ente-io/ente/blob/8b696b1242bce2f166ddd6a...

[2]: https://github.com/mogol/flutter_secure_storage/blob/cb30953...


Thank you. FWIW, my need comes primarily from non-technical/inexperienced users. I can't tell my parents/many friends to remember to "sign into all these apps" as soon as they get a new phone, or they lose access to banks & co. Regardless I appreciate that at least you made a conscious decision.


I’ve seen this happen. A family member set up google auth. Then later got a new phone. I know I’ve transferred google auth across phones in the past - although possibly over iTunes? The new iPhone setup process works differently I guess. My family member did the new transfer feature, then wiped the old phone. Then later discovered that they don’t have access to some important accounts, because google Authenticator was completely empty. Luckily they did actually have a physically printed backup copy.


> I know I’ve transferred google auth across phones in the past - although possibly over iTunes? The new iPhone setup process works differently I guess.

There were a few brief years where an encrypted iTunes backup was a perfect, universally-restorable image of an iOS device. You could back up an iPhone, pop out the SIM card, destroy the original phone, then pop the SIM into a new one, restore the backup, and it would be nearly-impossible to determine that the device was different from a daily UX standpoint. Even MS Exchange email sync would still work.

Then around the time that iCloud K/V store showed up (which may be coincidental), this stopped working. Every app would start up and ask you to log in. Email needs reauthentication. Encrypted iTunes backups aren't terribly useful anymore.


> FWIW, my need comes primarily from non-technical/inexperienced users. I

Number one reason why most of my friends and family don't want to buy a new iPhone. They hate the pain and the anxiety of upgrading. And Apple hasn't done anything to make it easier.


It’s extremely easy these days: you just put the phones near each other when prompted and follow the instructions.


OTP Auth supports iCloud sync in the paid version.


The free version does too. The paid version only adds cosmetics, last time I checked.


I might be mixing that up with Strongbox. Either way, solid app and worth paying for.


From the documentation I found for kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, it sounds like what you are doing here is explicitly opting out of support for the usual secure mechanisms Apple users have to back up their device--such as an encrypted iTunes backup--which, to me, seems pretty egregiously wrong.


Agreed with others here. It’s good that this was an intentional decision but I implore you to reconsider.


Thanks for the feedback, will reconsider.


If you’re in the Apple/iOS ecosystem and want the syncing to happen via iCloud, you might as well use Apple’s built-in password manager which has support for 2FA codes.


Just because you're in the Apple ecosystem does not mean you're not outside it as well and want the cross-platform side.


Exactly. I use BitWarden for this reason.


Oh wow, I missed the release. Will def test it. I've been using authy since 2017, anything I said above might need a refresh :)


I use Tofu on iOS and it nicely migrated my tokens from an iPhone SE to a 13 Mini. It does not do iCloud backups, so it was a straight device to device transfer.


Any plans to release an Apple Watch app? That’s my one requirement for a 2FA app.



That’s fantastic you can optionally self host. Well done!


Is it possible to have Ente on your phone (Android) sync using e.g. Dropbox, same as KeePassXC with its password database?


If I lose all my devices can I still recover 2FA accounts? I can do it in Authy with email and mobile verification.


Yes, you can.

Ente Auth backs up your codes, end-to-end encrypted. You can access your data on any device, at any time with your email address and password (/recovery key).


Authy has one superb feature: you can switch a toggle to lock/unlock accessing a vault from new devices.

Quite handy, and it can further increase security (trading it, of course, for lack of recovery should you lose all your devices).


Interesting, thanks for sharing!


Security platforms should be open source by default. It provides assurance that nothing weird is occurring behind the covers and also shows confidence in the implementation and the cryptography behind it all.

I will also never forgive Authy for removing desktop support with near immediate deprecation and no way to export off their platform.

I will never use another Twilio product again after that.


I feel like this misses the problem with Authy. There are hundreds, possibly thousands of 2FA alternatives for Authy. But when my 401K provider requires Authy to log in without providing a generic 2FA option, THAT is the problem.


THE problem with Authy in my humble opinion isn’t just that it’s an obnoxious proprietary app I shouldn’t need — it’s that it forces you to accept SMS as a get-out-of-security-free card. Being able to get a reset text to your registered number (and you MUST register a number, of course) unlocks all your OTPs for the attacker (who slipped some teenaged phone salesman $50 or a fake ID to swap your sims.)

SMS is cancer to security and I won’t use any system that forces me to accept something so easy to exploit as proof of my consent.


Regulators should mandate 2FA with an OTP standard, such as OATH TOTP. Here in EU, lots of banks use their own proprietary OTP-like standard or SMS.

I never understood why SMS are preferred to OTPs generated offline using credit cards and a card reader, which were fairly popular.

Actually, EU regulations state SMS should be phased out, but banks largely ignore that. SIM cloning is fairly easy...


The readers cost money and people lose them. I still have one for one bank but otherwise it's SMS everywhere.

They clearly just don't see it as a realistic threat, on top of all the other security measures in place (for me it's a password, and also a memorable word that isn't typed on the keyboard, then SMS OTP). It's not a great defence of SMS but perfect is the enemy of good, and SMS is just about ok.

Most hacking stories I hear about seem to happen through social engineering, where people go to great lengths to authenticate themselves for someone over the phone.

One thing that is starting to take hold is banking apps, which once installed can be used to authenticate payment. Again not perfect but better than SMS, and users are increasingly likely to have them installed because of ease of use.


At least here, SIM cloning is a very popular attack.


Where is here? We can't see your geo coordinates :p


As per my parent post, here = EU.


Maybe your country. You do not speak for all of the EU.


Passkeys.


Not a portable format, yet.


at most relying parties you can create multiple passkeys, so this is IMO a good solution until portability might be better


Never will be. Attestation is part of the spec and portability isn't. They are incompatible features.


The main problem with secure device based 2FA is how to handle the case when device gets lost and you don't have backups (many people don't really think this kind of stuff beforehand). How can a person re-establish their identity? For services like Google, Facebook etc. the answer might be "you don't", but it is more difficult for companies where the end user is also the customer.

And I think the best answer is government issued digital identity and being able to use that to recover your access to the online services (of course up to you if you wish to make this connection).


That's why Apple forces you to register two FIDO U2F keys if you use that option for iCloud.


The card reader with scanning a barcode is incredibly obtrusive. It requires you to carry the card/bank specific reader with you. So when you're on the go you and want to pay something online with a debit/credit card, you need to whip out the card and the specific reader.

And it included that annoying scanning a barcode on screen AND confirming € amount.

And the readers had 2 options. Sign and confirm (?). Why they couldn't incorporate this into the barcode?

It was all done because it definitely lowered mistakes and was more secure than card number and CVV to pay online.


This is a terrible, terrible idea. TOTP is secure for nerds but presents very very real security downsides for literally everyone else. Increased popularity of TOTP invites increased frequency of malicious TOTP apps exfiltrating user OTPs. This is pretty much THE reason why it’s quite common to see companies provide TOTP as a hidden, nerdy alternative. Again, if HN got what it wanted as far as tech regulation, the world would be a terrible place, but HN consistently puts nerdy desires ahead of what would actually help wider society.


The reason that SMS is preferred is that "everyone has it". Requiring all customers to get an app is much harder than requiring them to have a phone number that can receive SMS.


"everyone has it" and it is "good enough" at preventing large scale attacks like credential stuffing from data breaches.

Most online services aren't so worried about a small number of users being SIM-swapped. They are worried about large numbers of users that reused their password across thousands of sites 5 of which had their database dumped.

SMS 2FA isn't about providing individual users a high level of security. It is about providing a baseline level of security for all users.


I disagree. A bank reported ~1,000 SIM swap attacks happened to their clients during 2021 alone in a single EU country. That's a lot. Furthermore, these attacks target high value individuals which I imagine is a particular cause of concern for banks. For this reason, the EU has phased out SMS as a valid 2FA, although not many banks have complied yet.

Some banks, like ING, already refuse to send OTPs by SMS and effectively require using an app. SMS is also bad from a user perspective as it turns your phone into a single point of failure. Also, if you are roaming abroad, SMS delivery is usually slow and unreliable. Imagine going to another country and being unable to validate a credit card transaction.


An app that steals my data is a no-go for me.


I don't like apps either, that's why I'd like standardized 2FA.


Many sites are blocking my Google Voice number from being used for 2FA, so apparently not "everyone" has a number that "everyone" finds acceptable.


It's easy 2-step verification for making a bank transfer. Much more favourable than a dedicated bank app, for me, that steals your data.


Authy isn't that proprietary, and neither is Google Authenticator or Microsoft Authenticator (?). They are closed source apps but they aren't proprietary forms of TOTP.

I've been able to use Yubikey Authenticator for anything that said it wanted any of the above, and the awesome thing is you can plug the Yubikey into another device, install and open up Yubikey Authenticator on that device and it works just fine and has all of your services stored on the hardware key, making it easy to upgrade phones or plug the key into a desktop and not depend on a phone.


If a company requires you to use Authy you can't just put that into another authenticator. Yes, the Authy app can ingest a normal TOTP QR or secret and be used the same way as those others, but their special weird 7-digit OTP thing is proprietary to them, and businesses which choose "Authy" as their only OTP solution are locking people into using this crappy, SMS-linked app.

Another reason it's terrible is for business. Lots of businesses have an account that several people will need to access (yes, it's great to have multiple user support, but not all things do, or sometimes you need a 'bot user'). With something that supports real TOTP you can put that secret into 1password (or heck, scan the code into 7 different people's phone authenticator apps). With Authy you have to pick some random person's cell phone to tie that account to, and hope they don't go on vacation.


Decrypting the OTPs on another device has required a password for a long time now (maybe always, I can't actually remember if it was always there or just added years ago). It isn't only bound to your phone number.


Curious, why is SMS insecure? It's not like a hacker can simply clone your SIM.


No, that's the problem: a hacker can clone your SIM. It's not trivial, but it's not impossibly hard, as in there are known attacks, and if your fortune is protected by SMS 2FA, you'd better hope you don't draw attention from a motivated attacker. SS7 attacks and others are not theoretical.


Actually all it needs is walking into the AT&T/Verizon store with a convincing fake ID + "I lost my phone"

Or a rotten apple working at the store who is working together with the perpetrator


A hacker can perform a SIM swap attack, where they convince the operator using bribes and/or fake IDs to provide a replacement SIM card for your number.


what's the better alternative?


Physical Security Key > TOTP/Authenticator Apps > SMS 2FA


Requiring a TOTP to get into the app handling your TOTP might not be the easiest for most. A strong encryption password on Authy prevents this and you can also disable multi-device / enrollment when not needed.


If Authy wants to not be a joke, then they should end their mandatory SMS authentication method, then. I certainly am not going to trust it when there's an SMS requirement to even get in. Because I (not unreasonably) assume if you contact Authy support and can pass their SMS check, they might have some way of "giving you back access to your account" and by "you" I mean criminals posing as you.


As far as I know, and I may be wrong there, but Authy gives you access back to your account. Not to your TOTP codes which are encrypted by your Backup Password.

Once logged in, you need to enter that "second" password in order to get access to the TOTP codes and Authy will notify you of the new device connected.


A hacker doesn't need to clone your SIM, all they need is access to an SS7 line almost anywhere in the world and they can see your messages, regardless of carrier or phone. I suppose North Korea probably doesn't have access to SS7 servers, but that might just be the only one. Granted, SS7 isn't cheap or easy to get access to, but when it comes to banking fraud, the economics change.

The victim will be disconnected from the network, but there's no way in hell the first line of carrier support will detect any of this. You'll have to put your faith in the security monitoring of your carrier (the ones letting spoofed numbers in and out of the network, so good luck I guess). There's absolutely nothing you can do about this threat other than hope that your carrier is smart enough and that you're not important enough for a sophisticated fraudster to target.

As for cheaper threats, everyone who tweeted about owning a crypto exchange account with their phone number on display will probably lose their SIM at some point. SIM swapping is easy with a fake ID, and people within phone stores have been caught doing it from the inside.

SMS is insecure and often abused. Don't use it. Maybe also disable 2G on your phone while you're at it.


They can clone it, they can eavesdrop on it by having hacked your phone, they can be eavesdropping on the wireless network. But the most likely is they can dupe your carrier to port your number out


If we're talking OTP/TOTP -- it's all the same. Even if a provider instructs you to use a specific app, e.g. Google or Authy, you can simply scan the QR code with whatever authenticator app you're using. All the QR code does is encode a URI containing the secret and issuer.


Authy supports TOTP, but also has its own proprietary TOTP-esque format that a bunch of sites & companies use (Twitch and my bank, among them) that can't be copied into another site.

(Yes, it's bad, no, it shouldn't exist, no, I don't know why they don't just <...>, etc.)


I use keepassxc for twitch so it should be something fairly standard, I don't remember using special settings.

Anyway, I wanted to share this gist which might be of some help to migrate away from authy:

https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...


Twitch supports regular TOTP now, thank goodness.


Is it standardized?


Authy (the app) does support generic TOTP which, as you mentioned, hundreds of others do too. Unfortunately, the Authy app (and some well meaning but not so well versed companies) opt to use Authy's proprietary OTP which isn't compatible with other clients.


This is simply not true. Just today an app asked me to use Microsoft Authenticator, and scanning the QR code with Google Auth and Authy didn’t work, earning me an “Invalid QR code” error and forcing me to install the app from MS.


I don't think there's a formal spec for the otpauth URI yet [0], even if there is a spec by Google [1], so this may just come down to MS adding some incompatibility to force usage of their authenticator, or the app using some proprietary authentication scheme that is not otpauth.

There's nothing complicated about otpauth provisioning URIs i.e. what's encoded into the QR code.

[0]: https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-spec...

[1]: https://github.com/google/google-authenticator/wiki/Key-Uri-...


You assume that because you were not able to overcome whatever error/s you encountered with Google Auth and Authy, that you were being forced to use MS Authenticator.


Pretty uncharitable interpretation on your end. I am a developer and went to the extent of verifying the content of the QR code and the optional URL for manually adding it. No OTP code in there.

Try to be nicer next time.


I truly did not mean to come off as rude. The 'content of the QR code' would've revealed the actual seed and so would corroborate your assumption if you did, in fact, verify as much. I merely stated a troubleshooting fact. No offense intended.


My bad for misunderstanding the tone of your comment. I likely wouldn't have gone off in this direction if you asked me what measures I took to check the OTP code in a collaborative/constructive way rather than expressing doubt the way you did. Either way, all good.


I don’t think that’s what they’re saying. Authy supports TOTP but they also have a proprietary format.


That is also supported by Aegis.


And it seems to be totally generic, just 7 digits, and switching every 10 seconds instead of 30.

Bitwarden can import them too.
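An added example, not code from Ente, Authy, Aegis, Bitwarden or any other project named in this thread, that ties together the otpauth URI comment above and the 7-digit/10-second observation: it parses an otpauth:// provisioning URI following the Google Key URI Format linked earlier, then computes HOTP (RFC 4226) and TOTP (RFC 6238) from the decoded secret. The sample URIs, label and issuer are constructed; the secret is the RFC test key "12345678901234567890", so the results can be checked against the published test vectors. The 7-digit, 10-second variant is the same HMAC-based algorithm with different `digits` and `period` parameters.

```python
"""Parse otpauth:// provisioning URIs and compute HOTP/TOTP (RFC 4226 / RFC 6238).

Added example; not code from Ente, Authy, Aegis or any project in the thread.
Assumes the Google Key URI Format: otpauth://TYPE/LABEL?secret=...&issuer=...
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical constructed URIs for demonstration (not real accounts).
# The secret is the RFC 4226/6238 test key "12345678901234567890" in base32.
STANDARD_URI = ("otpauth://totp/Example:alice%40example.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
# Same key, but 7 digits rotating every 10 seconds, as described in the thread.
SEVEN_DIGIT_URI = STANDARD_URI + "&digits=7&period=10"

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Extract type, label, issuer, raw secret bytes and code parameters.

    Defaults follow the Key URI Format: SHA1, 6 digits, 30 s period, counter 0.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    # Secret is RFC 4648 base32; re-add '=' padding because many issuers omit it.
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32, casefold=True),
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "counter": int(params.get("counter", 0)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def code_from_uri(uri: str, unix_time: int) -> str:
    """Parse a provisioning URI and return the code valid at unix_time.

    Note: anyone holding the parsed secret can do this for any unix_time,
    which is why a synced secret store is as sensitive as the codes themselves.
    """
    p = parse_otpauth(uri)
    if p["type"] == "hotp":
        return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])
    return totp(p["secret"], unix_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    for t in (59, 1111111109):
        print(t, code_from_uri(STANDARD_URI, t), code_from_uri(SEVEN_DIGIT_URI, t))
```

The HOTP and TOTP functions reproduce the RFC test vectors (e.g. counter 0 gives 755224; time 59 with 8 digits gives 94287082), which is the easiest way to confirm a hand-written implementation before trusting it. The `unix_time` argument of `code_from_uri` also makes the point raised later in the thread concrete: whoever holds the secret can produce the code for any instant, so a synced secret store is only as strong as whatever protects it.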


Authy has this 7 digit TOTP, which seems kind of proprietary. But Aegis supports that too, and is open source.


Is it possible to 'transfer' the 7 digit account from Authy over or best to start over?


There used to be a roundabout (unsupported) way to export from Authy Desktop to another app but Authy discontinued the Desktop app and Windows at least won't let you launch it anymore.

I'm not aware of a way to export from the Authy phone app.


Is there a list of services that have a specific 2FA provider requirement? In my experience, when a service asks for 2FA it usually says Google Authenticator and I use Authy. I'm looking to migrate out of Authy in the near future.


oh boy, wait until you have to use anything under id.me, which is in bed with the federal govt.

you will be crying for them to let you go back to authy and sms.


People complaining about an "Authy jail" and yet I have no issues with Aegis. Which is also open source, available in the f-droid store, and been around for years.


I never even heard of this Authy issue but people seem up in arms over it.

What I have seen though are Microsoft and Google trying to maneuver their own auth app and hiding the generic OTP option to lock people in.

As long as I can use any generic OTP app I'm happy, and Aegis is definitely my current favorite. I mean I'm a person with close to 50 OTP codes at this time, this is a serious tool in my life.


Aegis, Bitwarden Authenticator, FreeOTP, and now Ente Auth. These are the best ones.


+1 I just host my Vaultwarden server and then, I have all my 2FA secrets in my vault as well. Works very conveniently with autofill enabled by default for OTP codes.

I just have a strong vault password for my vault and that should be more than enough I guess


I use Bitwarden for passwords, so... I don't really like that much, having 2FA there too... It loses the purpose of the 2FA.


Bitwarden has a separate 2fa app so your totp codes aren't in the same password vault (though you can do that, but shouldn't).


Why shouldn't you?

I use a Yubikey as the 2FA for my Bitwarden, then store all the TOTP codes with the passwords in the same vault. Quite convenient, and also adheres to the principles of MFA.


If your one Bitwarden store were compromised in any way, it is game over since it also contains the 2FA codes.

If you were to use two apps / two stores, there is another hurdle.


That is exactly why I do it.


Not really? Even in the same basket, having TOTP and passwords on iCloud mitigates a lot of scenarios, such as leaked passwords.

Depending on your threat model, this solution is ok — way better than no 2FA at all or SMS.

1Password has a nice article regarding this point: https://blog.1password.com/1password-2fa-passwords-codes-tog...


Add 2FAS to that.


Am I misunderstanding your comment or do you think that Authy is the same as Aegis?

Anyway, Aegis and Ente have export options, Authy doesn't.


More like, why do they complain if alternatives exist.


Authy supports normal TOTP but also has its own proprietary TOTP format for which alternatives do not exist.


This^

It is a pain to switch over; but that is the way it is with all sorts of proprietary programs. They just tighten the noose regardless of whether you pay or not.


You're right, it's a pain to switch, BUT: you only have to do it once, if you do it right. Switch to an alternative that gives you the functionality you need (TOTP, and that's it, for me at least) and allows you to export your data to a format that can be reimported to another application at another time (or restore from it in case catastrophe hits).

Once you get rid of the noose, it's no longer a hassle.

For everyone going through this situation, please do a little bit of homework and read up on the capabilities of whatever alternative you're going to pick, and make sure that your data is yours and under your control, and you can back it up in a readable format.


The "jail" is having ~100 secrets there that you cannot take out, so moving out is adding new 2fa on each service.


I’ve had a really poor experience with the (open source) 2FA app Raivo on ios. Developer got bought out. Ads got added, and a bug was introduced where users lost 2fa backup. Losing 2fa access was not as bad as I expected since I stored 2fa backup codes in bitwarden notes. A lot of sites also feature email recovery. I ended up migrating totp 2fa to bitwarden and its been very convenient.


I moved to 2FAS Authenticator mainly because I didn't want my 2FA tokens linked up with my Bitwarden account. I backup my tokens in an offline KeePassX vault to ensure I won't lose access to them.


But how do you deal with the 2fa codes for bitwarden itself?


This looks quite nice, thank you for releasing it open source. Also neat to see a real Flutter app in the wild, this seems like a great use case for it. Would love to read your experience building something polished across ios/android on Flutter.

One note as I signed up for an account is that the email verification went to gmails spam. Probably nothing to be done about that but mentioning it.

I would also add an "authy" option when importing that just goes to an explanation of why it isn't possible and steps you can take to create new tokens etc.

In any case, well done and thank you!


Thank you!

Apps like Auth are a great fit for Flutter, where desktop support is nice to have. We're also using Flutter for our Photos[1] app, and it has served us well so far. Wherever necessary (cryptography, ML, transcoding, ...), we use a bridge to communicate with the native layer, and Flutter becomes a presentation layer of sorts.

Reg. Gmail marking our verification emails going to spam, we aren't sure what the issue is. We migrated from Zoho to SES recently hoping to fix this, but that has not helped. If anyone here understands email deliverability, please do share your thoughts, we'd be grateful!

We've a migration guide from Authy here[2]. They make it difficult, but it's possible.

[1]: https://ente.io

[2]: https://help.ente.io/auth/migration-guides/authy/


Reg. Gmail marking Ente verification emails as spam and showing the "Similar messages were used to steal people's personal information" warning.

Not an engineer/experienced with email deliverability, but, I _did_ feel something off when I received the Email verification code email (which too was marked as spam by Gmail). Thoughts/observations:

1. The email body is very minimal, which could be a good thing, but it did not have the usual trust markers/indicators:
   - no brand logo or name at the top,
   - a generic envelope/letter icon/image as the largest visual item in the message,
   - just a single "Use this code to verify your email address" line in the message body (except the "ente.io" link at the footer).

2. I did a quick comparison between the Ente verification code emails and some recent verification code emails from other products (Backblaze, Google, Instagram, IBM Security..):
   - none of them were as barebones/nondescript as the Ente emails.
   - They had descriptive text that provided a bit of context ("you recently signed up for an account at XYZ with PQR email address, and this code is required to...").
   - They had the brand identity (Name / Logo) prominently somewhere in the beginning of the message.
   - AND most of them had the company name, registered address, and contact details in the footer (adds accountability/trust?). Some even had links to privacy and support pages.

3. I believe you must have already explored the BIMI, VMC route for the "gmail blue tick".


Thanks for sharing these!

BIMI + VMC seems like an expensive workaround, we'll first experiment with your first two recommendations. We'll also have to figure out a way to reset the score with Gmail. Hopefully they haven't penalized the whole domain, and a new from-address will do it.

Thanks again for taking the time out to share your thoughts, really appreciate it! :)


The migration guides don't work as of the hack as they all rely on desktop tools which used the API that script kiddies used to dump that list of 33m phone numbers. Any updated guides?


If you have an Android phone (even if just an old one you don't use anymore, or a cheap one you're willing to buy) and you're willing to root it and wipe all data on it, you can:

1. Unlock the bootloader (if not already done) (this will wipe your device)

2. Install Authy on it and log into your Authy account

3. Root your device (I used Magisk https://github.com/topjohnwu/Magisk)

4. Once rooted, you can access the Authy app data and extract the TOTP secrets, then import them into a different app (there's a script to make this easier here https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d..., but you can also just go exploring manually in the root file system and find the Authy storage file)

It was somewhat of a pain in the ass to do this, but Authy really annoyed me with how difficult they make it to migrate off of their bullshit, so it was worth it to me to finally be able to delete their app after extracting the secrets this way.


That's unfortunate, thanks for letting me know.

I'm currently unable to find a straightforward way of getting data out of Authy, will bump up this thread when I do.


Ah, so _that’s_ why the ente photos app feels so “off” - it’s using flutter.

I’ve tried the app a few times over the last couple of years and had a dislike of the UI because it did not _feel_ right, like it was slow or something. I can’t say exactly what.

It is almost certainly because it is using flutter rather than native DOM elements.

(I’ve been keeping track of ente but never quite made the jump - not solely due to the UI though!)


My hunt for an open source Authy took me to 2FAS, which has been fine. Any opinions on this offering?

2FAS — the Internet’s favorite open-source two-factor authenticator

https://2fas.com


I come from Authy and switched due to the desktop apps demise.

2FAS does not have a desktop app and doesn’t offer self hosting. The browser extension is fine, but was clunky at times. I started disliking using a browser extension as my main thing to manage 2FA. I feel a lot better with the Ente Auth desktop app and mobile apps.

You can actually import stuff to 2FAS as well as Ente Auth, so no problem in trying out both.


2FAS iCloud storage is not e2e encrypted: https://github.com/twofas/2fas-ios/issues/43


> 2FAS syncs across your mobile devices.

[...]

> 2FAS works offline.

> 2FAS doesn't store any passwords or metadata.

Eh?


Syncing happens via files in your iCloud Drive.


this is storing/syncing the shared secret used to generate the TOTP. generating the TOTP is fully offline.


Ok, except that the secret is the TOTP generator. Anyone that has the secret can generate any TOTP for any point in time, and own your 2FA. An attacker needs nothing else. So if the secrets are stored online - ever - it's nullifying the "offline" claim.

Does anyone know a 2FA app that only stores secrets offline? E.g. without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.

iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".
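The point made above, that the shared secret is the whole generator, follows directly from how RFC 6238 works: the code is just an HMAC of the secret and the current 30-second step, so whoever holds the secret can compute the code for any time, past or future. The block below is an added example written for this thread, not code from any of the apps discussed; it implements HOTP/TOTP with only the Python standard library, checks itself against the RFC 6238 Appendix B test seed, and includes the verifying side's check with a small clock-skew window and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> fixed-width decimal."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / period).

    Nothing here needs the network or the current clock: any timestamp works,
    which is why a leaked secret yields every code, not just today's.
    """
    return hotp(secret, unix_time // period, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """otpauth secrets are unpadded base32; restore padding and normalise case/spaces."""
    cleaned = encoded.replace(" ", "").replace("=", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, unix_time: int, skew_steps: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Verifier-side check: accept the current step and +/- skew_steps neighbours.

    Uses hmac.compare_digest so the comparison does not leak which digits matched.
    A real verifier must additionally remember accepted codes so a captured code
    cannot be replayed inside the same window (not shown here).
    """
    step = unix_time // period
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits), candidate):
            return True
    return False


# RFC 6238 Appendix B test seed: the ASCII string "12345678901234567890" (SHA-1 variant).
RFC6238_SEED = b"12345678901234567890"


def rfc6238_vectors() -> dict:
    """8-digit SHA-1 codes for three of the timestamps tabulated in RFC 6238 Appendix B."""
    return {t: totp(RFC6238_SEED, t, digits=8) for t in (59, 1111111109, 1234567890)}


if __name__ == "__main__":
    for t, code in rfc6238_vectors().items():
        print(f"T={t:>10}  code={code}")
```

Running the block prints 94287082, 07081804 and 89005924 for the three timestamps, matching the RFC table; `verify_totp` is the part a service operator would keep, `totp` with an arbitrary timestamp is the part that shows why the secret must never leave an encrypted store.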


You’re not wrong, a hardware keychain gizmo with a camera for scanning QRs would be the ultimate actually-secure 2FA device (at least against remote attackers). Personally though I view standards-based 2FA more as a tool to reclaim my login abilities from the insane zoo of “let us email or text you a code” confirmations various sites force on you because they assume you must use a stupid and reused password so that’s not enough now.

When I store my passwords and their 2FA secrets in my KeePass db, I’m arrogantly taking for granted that I won’t ever leak my whole secrets database, which is a risk I’m willing to take because I know what I’m doing (and don’t have any secrets valuable to state-level actors). I appreciate having the option to make this call so I don’t have to drop in to my email just to log into frigging Patreon.


> Does anyone know a 2FA app that only stores secrets offline?

Ente Auth works fully offline. E2EE backups are optional.


I'm very happy with Aegis.


Aegis is great but it's Android only. I really like their thoughtful export system. Ente has export as well, I wonder how it compares.


> Aegis is great but it's Android only.

Yes true, but the Aegis format is supported on Linux by Gnome Authenticator: https://apps.gnome.org/en/Authenticator/


Ente has built-in backups and encrypted export options. Export should be better than Aegis.


I have been using Aegis but switched to Ente Auth as I decided to use Ente Photos as well. Both Aegis and Ente Auth are great options. This switch (export and import) was very easy.


Me too, but it had this nasty bug where me and a bunch of other users occasionally only saw a black screen after unlocking. For me rebooting my phone fixed it, but not for everyone. I can't really afford to not be able to access my 2FA codes. This lasted for over a month, so I decided to move to Ente Auth.


Ente Auth is awesome - I've been using it ever since Authy discontinued their desktop app: https://mrbluecoat.blogspot.com/2024/03/bah-authy-discontinu...


It should be highlighted that the flagship app from ente is not their 2FA but their wonderful encrypted photo app. It is a fully encrypted alternative to Google Photos.

It is far from perfect but already very usable. There’s also a Linux desktop client that allows me to sync all my photos on my computer.

I really recommend them (nice team)


Last week, I started to explore `pass`[1], to move away from my current Authy + iCloud Keychain ecosystems. It's pretty barebones but that's what I like about it. I like it so much that one week later, I've fully migrated away and couldn't be happier.

And the news about the Authy leak yesterday validated my move, if anything.

I don't really care for ente; it's more complicated than what I need from a password manager. And the fact that pass is so much more customizable (being as it's only 700 or so lines of shell script), I don't feel like I need anything more _personally_.

[1]: https://www.passwordstore.org/


I use the same thing, and put together a "distribution" of pass, with a couple of plugins including the OTP extension:

https://github.com/skx/pass

Just clone beneath /opt/pass and configure with the standard environmental variables, or use the default password-store location, and you're good to go. I use this to ensure all my systems have access to the same passwords (which are stored in a private git repository).


Because I got fed up with all the existing 2FA apps (lack of backup, export, ...) I created a simple (desktop) CLI app which works for me: https://github.com/Dobatymo/otp-tool

It's just a one day project so far. But it has some nice features like taking a screenshot and reading QR codes from it and storing everything in a single encrypted file (which you can easily put on a cloud drive if you want to sync, otherwise it's completely offline).

It only supports the standard RFC 6238 TOTP so far.


Nice roll-your-own solution. Just an FYI - Aegis does have backup, export etc. I would also not use it if it couldn't export.


I've been using Authy as a backup for 1Password (previously BitWarden/LastPass)'s 2FA since in a worst-case scenario I can get a replacement SIM card from my phone network's store and get back into my 1Password account via recovery. This has had to be tested once when my phone got pickpocketed in Amsterdam.

Is there a better alternative? Authy is fine for this use, the rest of my 2FA tokens are in 1Password itself.


If you’re on a Mac and use Safari, it has a neat 2FA integration built in, which saves and autofills OTPs from iCloud Keychain.


If _I_ can get a replacement SIM card from your phone network's store, can I get into your 1Password account via recovery?


You'd need ID to get one. And you'd need the security key also.

I guess there has to be a vulnerability _somewhere_ to make it possible to get back in again in an emergency.


ID can easily be social engineered. What is the security key?


The secret key is a random 34-character key[0].

You can also set up a security key[1] as 2FA, in which case you'd need both the secret key and security key.

You need to know the user/email, password, the secret key (and security key if you've added one) to get into an account. 1Password cannot recover your account for you. On a family or company account you can set up trusted members that can recover your account for you, but if everyone loses their credentials all at once then you're locked out forever and need to start over with new vaults.

[0] https://support.1password.com/secret-key-security/

[1] https://support.1password.com/security-key/


I see, thank you.


1Password accounts have a password and a security key/token you need to login.


This looks good, as I wanted to "escape" the Authy jail (you cannot easily move out with your secrets), but moving a lot of 2FAs to a "new thing"... How to make sure they are a good project?


Like a sibling comment mentioned, unlike Authy, you can easily export your data[1] from Ente.

Also, Ente is fully open-source[2]. If you wish, you can self-host the service and point the app at your custom server[3].

[1]: https://help.ente.io/auth/migration-guides/export

[2]: https://github.com/ente-io/ente/

[3]: https://help.ente.io/self-hosting/guides/custom-server/


You can't but they should be better than Authy, at least they have export options...


I was hoping it would allow importing Authy secrets. Has anyone successfully "taken" the backup out of the app and imported it into another tool? As a security measure the secrets only live in Authy, but that's why I cannot move out when I want.


Ente has an Authy export guide. https://help.ente.io/auth/migration-guides/authy/

You don't even need to have Authy installed. The script pretends to be a new device and gets the keys from your backup. (You might need to run chmod +x for execute permission)


What's the point of having your 2FA codes synchronized across all your devices?

Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.

1) If you're not using a password manager, then you're probably using the same password everywhere, including your 2FA app.

2) If you're storing your 2FA codes in your password manager, then it's not really a 2nd factor. It helps against password leaks from services, not from a password manager leak.

Ability to synchronize encrypted backup is a different story.


It's "Two Factor Authentication", not "Second Factor On A Single Device You Always Have On Your Person Authentication".

That second factor needs to be separate from the originating authenticating service, not that it has to be on a single device hidden away kept in a safe, or on your wrist, or in your pocket. It could be a single device [a server] running bitwarden and you're viewing it through a browser on your <whatever>.

Not everyone wants to follow every single recommendation from a data security perspective, and it becomes an anti-pattern when laymen start using workarounds to not have to comply with the safety recommendation of the week.


I mentioned all this in another story, but:

Having it integrated with a password manager is less secure than having it as a separate app in a separate device, but it makes it so much easier for the average person that they're more likely to actually use it.

In a vacuum, yes, you're right. It's not as secure this way. I wouldn't use that for something hyper-sensitive like classified systems. But as a system, "less secure but widely used" beats "more secure but most people avoid using it whenever possible".

It's like with the NIST recommendation against regularly rotating passwords. In an ideal world, it's a great ideal to require new passwords frequently. In this world, it only makes people pick bad passwords and append the date or serial number to it. As a system, it's more secure to require strong passwords and then leave them alone until/unless you suspect they've been compromised.


It’s really two step auth. Basically the point is that it defeats password spray attacks.

Higher assurance authenticators need more than TOTP. Usually that means adding a knowledge component (i.e. a PIN), challenge/response, a physical token, biometrics or all of the above.


It means you are providing two factors, not necessarily that you only have two factors.

There are benefits to this. I've left my phone at work, and would have been SOL, except I have a tablet that never leaves my home which can also provide my second factor.


I recently had this experience when my phone had issues. I was foresighted enough to have Aegis installed on my E-Ink reader.


I'm worried that if my device fails I won't be able to recover all the sites I've registered on my phone. Does anyone know if this can enable backup quickly to another device in a secure way?


1Password, Bitwarden, and Vaultwarden support 2FA and let you view/export the secrets.


I think it has its own backup service. But it otherwise lets you export/import your data. I feel like as long as I can do an export in some way then that’s good enough for me.


You don't need regular backups, just every time you add a new service.

Ente has free backups and its own encrypted export format, which sounds promising.


Yeah, I was hoping for iCloud / Apple Watch support... but unfortunately:

https://github.com/ente-io/ente/issues/182


So basically there’s no reason to use this over something with a bit more trust, like Bitwarden’s 2FA app.


Well, a downside of Bitwarden (and 1Password) might be that it's hosted on their own servers. So, no separation between the App Developer/software, and the location where your data is stored.


Which service does have separation?



I'm waiting for bitwarden or aegis export capability before trying this out.

You can't easily export your codes into a different format using this app, meaning that it is difficult to migrate away once you have already moved your codes over.

Other than the (hopefully temporary) lock-in, this is a great app.


Hey, you can migrate your data in bulk to a plain text / encrypted[1] file.

There is also an option to view / export individual QR codes.

Let me know what we could do better, would love to do better.

[1]: https://help.ente.io/auth/migration-guides/export#how-to-use...


Does the plain text format easily translate to other apps, or are you still stuck manually copying codes over one by one?


There is no universally agreed upon format for bulk imports. We've adopted one that we found to be used by a few other apps - a plain text file with otpauth:// URIs separated by a newline.
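The export format described above (one otpauth:// URI per line) is small enough to parse and validate completely, which is also where imports tend to break: a single malformed line should be reported, not abort the whole file. The block below is an added example for this thread, not Ente's or any other app's import code; it parses the Key URI fields (type, label, secret, issuer, algorithm, digits, period, counter) with the documented defaults, rejects secrets that are not valid base32, serialises entries back to a URI, and reads a newline-separated export while collecting per-line errors. The sample export at the bottom is constructed, and its secrets are placeholders, not real credentials.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlsplit


@dataclass
class OtpEntry:
    """One authenticator entry: the fields an otpauth:// URI carries."""
    otp_type: str                   # "totp" or "hotp"
    account: str                    # label with the "Issuer:" prefix removed
    secret: str                     # base32, unpadded, upper-case
    issuer: Optional[str] = None
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30                # totp only
    counter: Optional[int] = None   # hotp only


def normalize_base32(secret: str) -> str:
    """Return the canonical unpadded upper-case form; raise ValueError if it cannot decode."""
    cleaned = secret.replace(" ", "").replace("=", "").upper()
    base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # binascii.Error is a ValueError
    return cleaned


def parse_otpauth(uri: str) -> OtpEntry:
    """Parse one otpauth:// URI, applying the Key URI defaults (SHA1, 6 digits, 30 s)."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "otpauth":
        raise ValueError("scheme is not otpauth")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported type {otp_type!r}")
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not params.get("secret"):
        raise ValueError("missing secret")
    # Label is "Issuer:account" or just "account"; the issuer parameter wins when present.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label
    issuer = params.get("issuer") or label_issuer.strip() or None
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", 6))
    if digits not in (6, 7, 8):  # 6 and 8 are documented; 7 is accepted here as a choice
        raise ValueError(f"unsupported digits {digits}")
    entry = OtpEntry(otp_type, account.strip(), normalize_base32(params["secret"]),
                     issuer, algorithm, digits)
    if otp_type == "totp":
        entry.period = int(params.get("period", 30))
        if entry.period <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp requires a counter")
        entry.counter = int(params["counter"])
    return entry


def to_otpauth(e: OtpEntry) -> str:
    """Serialise an entry back to a URI, omitting parameters that hold their default."""
    label = f"{e.issuer}:{e.account}" if e.issuer else e.account
    params = [("secret", e.secret)]
    if e.issuer:
        params.append(("issuer", e.issuer))
    if e.algorithm != "SHA1":
        params.append(("algorithm", e.algorithm))
    if e.digits != 6:
        params.append(("digits", str(e.digits)))
    if e.otp_type == "totp":
        if e.period != 30:
            params.append(("period", str(e.period)))
    else:
        params.append(("counter", str(e.counter)))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"otpauth://{e.otp_type}/{quote(label, safe='@:')}?{query}"


def parse_export(text: str) -> Tuple[List[OtpEntry], List[Tuple[int, str]]]:
    """Read a newline-separated export; bad lines are reported, good lines still import."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_otpauth(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


# Constructed sample export (placeholder secrets, not real accounts).
SAMPLE_EXPORT = (
    "\n"
    "# constructed sample export\n"
    "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example\n"
    "otpauth://totp/ACME%20Co:bob?secret=GEZDGNBVGY3TQOJQ&issuer=ACME%20Co&algorithm=SHA256&digits=8&period=60\n"
    "otpauth://hotp/Legacy:carol?secret=JBSWY3DPEHPK3PXP&counter=5\n"
    "otpauth://totp/Broken:dave?secret=NOT!BASE32\n"
)

if __name__ == "__main__":
    ok, bad = parse_export(SAMPLE_EXPORT)
    for e in ok:
        print(to_otpauth(e))
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Running it re-emits the three valid entries as URIs and reports the fourth line's invalid secret instead of stopping there; `parse_otpauth(to_otpauth(entry))` round-trips every field, which is the property an exporter and importer pair needs to agree on.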


Thanks


This makes me want to restart working on Owky - my 2FA open-source pet project.

Owky is short for “Own your keys”. Therefore the user owns the data - can easily be exported, and there’s no server sync (on purpose). No iCloud sync, nothing.

The app needs some love indeed, but it’s in a usable state.


Sounds simpler than Ente's Auth; for instance I can see having a simple TOTP record-keeping app on an internet-less RPi or similar (or highly restricted networking where an auth'd user can only web-UI interface with some backup/restore feature when blue-green'ing the device), integrated with some built-in (touch)screen to select/search the service account to read the TOTP from, and adding new ones via the screen as well.

edit: simple in terms of only ever needing to compile/validate the thing for linux (arm + intel)


FWIW, Ente's Auth works fully offline. E2EE backups / account creation is optional.

If you have an RPi that is accessible over a network, you could self host it as well: https://help.ente.io/self-hosting/


Yep, I did check all that; I however did not check Owky and only now realize it is an Apple app. I was implying don't give up on simple apps just because another has similar features - sometimes simple things can have huge benefits (all subjective though).


Understood :)


Is there any problem using a password manager's feature to get 2FA codes? I use 1Password and it has this feature built in and automatically fills after filling the password. Even iPhone's latest Passwords app also has this built in.


Storing passwords and 2FA in one place only protects you against password reuse, password leaks, and some more common threats that the large majority of people should be looking out for.

It is still a lot better than no 2FA, and more than sufficient for the average person.

For someone looking to improve their security a bit more and for someone with a "don't trust anyone" model, having a separate 2FA app has its advantages. It protects them against unencrypted password DB leaks, security vulnerabilities in the password manager, or any intentional security threat induced by the developer of the password manager.


I don't see people mention this enough, but iCloud Keychain generates TOTPs. I've been migrating all of my accounts slowly to just use the built-in Apple Passwords functionality.

In Safari, right click on TOTP QR codes.


Additionally, iOS 18 will introduce a Password app making the functionality easier to discover. People are still surprised to learn that iOS has built in TOTP support, but it's just buried deep in the settings.

BTW, there's a hack you can do to create an iOS Password app in iOS 17 and below by using Shortcuts to launch the deep linked setting directly.


And when Apple's automated systems disable your account you're locked out of your accounts.


Indeed, I don't understand why people's reactions to not liking and being trapped by a lock-in walled garden strategy (Authy) is to switch to another lock-in walled garden strategy (Apple).


I trust no corporate entities, and try to minimize my exposure, but I agree it makes some sense. Apple is too big/public to screw around with making a quick buck by changing terms. They are also likely to have significantly better security posture on every aspect of application development and distribution.

How much stringency does a code/platform change get at Authy vs Apple? However, once you are in the Apple walls, they are just as ruthless at keeping you locked inside, which is why I try to minimize my dependencies where possible.


If a single remote service can lock you out of your 2FA accounts then you failed with your backup policy. I don't use it, but Apple Passwords makes TOTP secret backups possible, via bulk export and initial key setup.


I mean the same happens with GMail, sure.


Anyone else confused with this name vs Microsoft Entra, the new name for Active Directory?

Is there any shared etymology between Ente and Entra? I'm curious where both come from.


No shared etymology, "ente" means "mine" in Malayalam. Felt like a nice name to build a privacy company around. Also the domain was available :)

If you're interested, here's more of the backstory: https://ente.io/blog/ducky/


Do any of the many TOTP options have the ability to organize, or put codes into vaults? Once you have more than a couple of dozen saved, it starts to get tedious.


Aegis allows you to create groups and put codes into them, and then you can filter the list to any number of groups. Works quite well for me.


With Ente Auth you can assign tags to a code, and use them as a filter.

You can also pin your favorite codes to the top.


How does this compare to duo? Is there anything beyond being open source that differentiates it?


Somewhat related: I hope there will be more news coverage/attention on the whole Raivo situation. It totally seems like something that should be reported on. Raivo, marketed as open source, despite never being OSI-defined open source, created by a computer security professional & expert, was sold (a 2FA app) to a shady & unknown guy from Morocco, who put people's codes behind a paywall. Crazy story. And we (probably) found out the guy behind it too.


Tangentially: I just got rid of Authy, it took me 2h to migrate everything, moved to Apple Passwords (yea yea, still proprietary) which has a so far solid export feature.

I will never forgive Authy/Twilio for deliberately making exports impossible.


Hey, would you mind sharing how you exported your codes out of Authy?



Thanks! But this method requires Authy's Desktop client, which is unfortunately unavailable at this point.

Also, if this comment[1] is right, API access has also been broken.

[1]: https://news.ycombinator.com/item?id=40885456


Manually, hence the 2 hours. Authy completely broke all exporting.




Screenshots look cool!

It'd be great if you could create a README.md with instructions to build the project (and screenshots if possible!)


Isn't this the thing that fell victim to a hostile takeover a few weeks ago?

Or am I just confused?



Authy has been having security incidents. This is an OSS competitor to Authy (Twilio).


I have heard only praise recently...

If you find the source or news article please share!


I've developed a command-line password manager and authentication application in Rust. Here are the key features:

1. Uses KeePass file format for secure credential storage

2. Supports One-Time Passwords (OTP) for two-factor authentication (2FA)

3. Provides a convenient CLI interface for retrieving 2FA codes

The project, named Passlane, offers a streamlined approach to password management directly from the terminal. It's particularly satisfying to generate 2FA codes via command line!

For those interested in exploring the code or contributing, you can find the project on GitHub: https://github.com/anssip/passlane

I'd appreciate any feedback or suggestions for improvement.
