Or am I just confused?
If you find the source or news article please share!
https://blog.paranoidpenguin.net/2024/05/raivo-otp-breaks-us...
Ente has free backups and its own encrypted export format, which sounds promising.
Yes true, but the Aegis format is supported on Linux by Gnome Authenticator: https://apps.gnome.org/en/Authenticator/
You don't even need to have Authy installed. The script pretends to be a new device and gets the keys from your backup. (You might need to run chmod +x for execute permission)
Also, Ente is fully open-source[2]. If you wish, you can self-host the service and point the app at your custom server[3].
[1]: https://help.ente.io/auth/migration-guides/export
[2]: https://github.com/ente-io/ente/
[3]: https://help.ente.io/self-hosting/guides/custom-server/
Anyway, Aegis and Ente have export options, Authy doesn't.
It is a pain to switch over; but that is the way it is with all sorts of proprietary programs. They just tighten the noose regardless if you pay or not.
Once you get rid of the noose, it's no longer a hassle.
For everyone going through this situation, please do a little bit of homework and read up on the capabilities of whatever alternative you're going to pick, and make sure that your data is yours and under your control, and you can back it up in a readable format.
Depending on your threat model, this solution is ok — way better than no 2FA at all or SMS.
1Password has a nice article regarding this point: https://blog.1password.com/1password-2fa-passwords-codes-tog...
I use a Yubikey as the 2FA for my Bitwarden, then store all the TOTP codes with the passwords in the same vault. Quite convenient, and also adheres to the principles of MFA.
If you were to use two apps / two stores, there is another hurdle.
I just have a strong vault password for my vault and that should be more than enough I guess
What I have seen though are Microsoft and Google trying to maneuver their own auth app and hiding the generic OTP option to lock people in.
As long as I can use any generic OTP app I'm happy, and Aegis is definitely my current favorite. I mean I'm a person with close to 50 OTP codes at this time, this is a serious tool in my life.
Similarly, I wrote this to get away from Authy, have the ability to inspect codes, share them (sometimes you need to at work) and export the data out in an agnostic format (JSON dump).
It uses the iCloud Keychain for syncing keys between your devices and storing the data itself -- which seems to be the big difference between Ente and what I'm shilling.
Source is available here:
https://github.com/tanishq-dubey/Sesame
If you see any problems, please make an issue and I'd be happy to fix it!
(The app store requires a website, so if you want a quick overview, DWS is me - Dubey Web Services) https://sesame.dws.rip
It'd be great if you could create a README.md with instructions to build the project (and screenshots if possible!)
2FAS — the Internet’s favorite open-source two-factor authenticator
[...]
> 2FAS works offline.
> 2FAS doesn't store any passwords or metadata.
Eh?
Does anyone know a 2FA app that only stores secrets offline? E.g. without any networking code; as it's not only not required, but IMO is required NOT to be there for it to actually functionally be "two-factor authentication", and therefore locally-isolated.
iCloud is the worst choice of a place to store them as it's the same place the other factor may be routinely saved / backed-up, especially if "across devices".
Ente Auth works fully offline. E2EE backups are optional.
When I store my passwords and their 2FA secrets in my KeePass db, I’m arrogantly taking for granted that I won’t ever leak my whole secrets database, which is a risk I’m willing to take because I know what I’m doing (and don’t have any secrets valuable to state-level actors). I appreciate having the option to make this call so I don’t have to drop in to my email just to log into frigging Patreon.
2FAS does not have a desktop app and doesn't offer self hosting. The browser extension is fine, but was clunky at times. I started disliking using a browser extension as my main thing to manage 2FA. I feel a lot better with the Ente Auth desktop app and mobile apps.
You can actually import stuff to 2FAS as well as Ente Auth, so no problem in trying out both.
It is still a lot better than no 2FA, and more than sufficient for the average person.
For someone looking to improve their security a bit more and for someone with a "don't trust anyone" model, having a separate 2FA app has its advantages. It protects them against unencrypted password DB leaks, security vulnerabilities in the password manager, or any intentional security threat induced by the developer of the password manager.
Bitwarden can import them too.
(Yes, it's bad, no, it shouldn't exist, no, I don't know why they don't just <...>, etc.)
Anyway, I wanted to share this gist which might be of some help to migrate away from authy:
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
There's nothing complicated about otpauth provisioning URIs i.e. what's encoded into the QR code.
[0]: https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-spec...
[1]: https://github.com/google/google-authenticator/wiki/Key-Uri-...
Try to be nicer next time.
I'm not aware of a way to export from the Authy phone app.
SMS is cancer to security and I won’t use any system that forces me to accept something so easy to exploit as proof of my consent.
I never understood why SMS are preferred to OTPs generated offline using credit cards and a card reader, which were fairly popular.
Actually, EU regulations state SMS should be phased out, but banks largely ignore that. SIM cloning is fairly easy...
They clearly just don't see it as a realistic threat, on top of all the other security measures in place (for me it's a password, and also a memorable word that isn't typed on the keyboard, then SMS OTP). It's not a great defence of SMS but perfect is the enemy of good, and SMS is just about ok.
Most hacking stories I hear about seem to happen through social engineering, where people go to great lengths to authenticate themselves for someone over the phone.
One thing that is starting to take hold is banking apps, which once installed can be used to authenticate payment. Again not perfect but better than SMS, and users are increasingly likely to have them installed because of ease of use.
Most online services aren't so worried about a small number of users being SIM-swapped. They are worried about large numbers of users that reused their password across thousands of sites 5 of which had their database dumped.
SMS 2FA isn't about providing individual users a high level of security. It is about providing a baseline level of security for all users.
Some banks, like ING, already refuse to send OTPs by SMS and effectively require using an app. SMS is also bad from a user perspective as it turns your phone into a single point of failure. Also, if you are roaming abroad, SMS delivery is usually slow and unreliable. Imagine going to another country and being unable to validate a credit card transaction.
And I think the best answer is government issued digital identity and being able to use that to recover your access to the online services (of course up to you if you wish to make this connection).
And it included that annoying scanning a barcode on screen AND confirming € amount.
And the readers had 2 options. Sign and confirm (?). Why they couldn't incorporate this into the barcode?
It was all done because it definitely lowered mistakes and was more secure than card number and CVV to pay online.
Or a rotten apple working at the store who is working together with the perpetrator
Once logged in, you need to enter that "second" password in order to get access to the TOTP codes and Authy will notify you of the new device connected.
The victim will be disconnected from the network, but there's no way in hell the first line of carrier support will detect any of this. You'll have to put your faith in the security monitoring of your carrier (the ones letting spoofed numbers in and out of the network, so good luck I guess). There's absolutely nothing you can do about this threat other than hope that your carrier is smart enough and that you're not important enough for a sophisticated fraudster to target.
As for cheaper threats, everyone who tweeted about owning a crypto exchange account with their phone number on display will probably lose their SIM at some point. SIM swapping is easy with a fake ID, and people within phone stores have been caught doing it from the inside.
SMS is insecure and often abused. Don't use it. Maybe also disable 2G on your phone while you're at it.
I've been able to use Yubikey Authenticator for anything that said it wanted any of the above, and the awesome thing is you can plug the Yubikey into another device, install and open up Yubikey Authenticator on that device and it works just fine and has all of your services stored on the hardware key, making it easy to upgrade phones or plug the key into a desktop and not depend on a phone.
Another reason it's terrible is for business. Lots of businesses have an account that several people will need to access (yes, it's great to have multiple user support, but not all things do, or sometimes you need a 'bot user'). With something that supports real TOTP you can put that secret into 1password (or heck, scan the code into 7 different people's phone authenticator apps). With Authy you have to pick some random person's cell phone to tie that account to, and hope they don't go on vacation.
you will be crying for them to let you go back to authy and sms.
One note as I signed up for an account is that the email verification went to gmails spam. Probably nothing to be done about that but mentioning it.
I would also add an "authy" option when importing that just goes to an explanation of why it isn't possible and steps you can take to create new tokens etc.
In any case, well done and thank you!
Apps like Auth are a great fit for Flutter, where desktop support is nice to have. We're also using Flutter for our Photos[1] app, and it has served us well so far. Wherever necessary (cryptography, ML, transcoding, ...), we use a bridge to communicate with the native layer, and Flutter becomes a presentation layer of sorts.
Reg. Gmail marking our verification emails as spam, we aren't sure what the issue is. We migrated from Zoho to SES recently hoping to fix this, but that has not helped. If anyone here understands email deliverability, please do share your thoughts, we'd be grateful!
We've a migration guide from Authy here[2]. They make it difficult, but it's possible.
[1]: https://ente.io
I'm currently unable to find a straightforward way of getting data out of Authy, will bump up this thread when I do.
1. Unlock the bootloader (if not already done) (this will wipe your device)
2. Install Authy on it and log into your Authy account
3. Root your device (I used Magisk https://github.com/topjohnwu/Magisk)
4. Once rooted, you can access the Authy app data and extract the TOTP secrets, then import them into a different app (there's a script to make this easier here https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d..., but you can also just go exploring manually in the root file system and find the Authy storage file)
It was somewhat of a pain in the ass to do this, but Authy really annoyed me with how difficult they make it to migrate off of their bullshit, so it was worth it to me to finally be able to delete their app after extracting the secrets this way.
I’ve tried the app a few times over the last couple of years and had a dislike of the UI because it did not _feel_ right, like it was slow or something. I can’t say exactly what.
It is almost certainly because it is using flutter rather than native DOM elements.
(I’ve been keeping track of ente but never quite made the jump - not solely due to the UI though!)
Not an engineer/experienced with email deliverability, but, I _did_ feel something off when I received the Email verification code email (which too was marked as spam by Gmail). Thoughts/observations:
1. The email body is very minimal, which could be a good thing, but:
   - it did not have the usual trust markers/indicators - no brand logo or name at the top
   - a generic envelope/letter icon/image is the largest visual item in the message
   - just a single "Use this code to verify your email address" line in the message body (except the "ente.io" link at the footer)
2. I did a quick comparison between the Ente verification code emails and some recent verification code emails from other products (Backblaze, Google, Instagram, IBM Security..):
   - none of them were as barebones/non-descript as the Ente emails
   - they had descriptive text that provided a bit of context ("you recently signed up for an account at XYZ with PQR email address, and this code is required to...")
   - they had the brand identity (Name / Logo) prominently somewhere in the beginning of the message
   - AND most of them had the company name, registered address, and contact details in the footer (adds accountability/trust?). Some even had links to privacy and support pages.
3. I believe you must have already explored the BIMI, VMC route for the "gmail blue tick".
BIMI + VMC seems like an expensive workaround, we'll first experiment with your first two recommendations. We'll also have to figure out a way to reset the score with Gmail. Hopefully they haven't penalized the whole domain, and a new from-address will do it.
Thanks again for taking the time out to share your thoughts, really appreciate it! :)
It is far from perfect but already very usable. There’s also a Linux desktop client that allows me to sync all my photos on my computer.
I really recommend them (nice team)
Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.
1) If you're not using password manager, then you're probably using same password everywhere, including your 2FA app.
2) If you're storing your 2FA codes in your password manager, then it's not really a 2nd factor. It helps against password leaks from services, not from a password manager leak.
Ability to synchronize encrypted backup is a different story.
Higher assurance authenticators need more than TOTP. Usually that means adding a knowledge component (i.e. a PIN), challenge/response, a physical token, biometric or all of the above.
Having it integrated with a password manager is less secure than having it as a separate app in a separate device, but it makes it so much easier for the average person that they're more likely to actually use it.
In a vacuum, yes, you're right. It's not as secure this way. I wouldn't use that for something hyper-sensitive like classified systems. But as a system, "less secure but widely used" beats "more secure but most people avoid using it whenever possible".
It's like with the NIST recommendation against regularly rotating passwords. In an ideal world, it's a great ideal to require new passwords frequently. In this world, it only makes people pick bad passwords and append the date or serial number to it. As a system, it's more secure to require strong passwords and then leave them alone until/unless you suspect they've been compromised.
That second factor needs to be separate from the originating authenticating service, not that it has to be on a single device hidden away kept in a safe, or on your wrist, or in your pocket. It could be a single device [a server] running bitwarden and you're viewing it through a browser on your <whatever>.
Not everyone wants to follow every single recommendation from a data security perspective, and it becomes an anti-pattern when laymen start using workarounds to not have to comply with the safety recommendation of the week.
There are benefits to this. I've left my phone at work, and would have been SOL, except I have a tablet that never leaves my home which can also provide my second factor.
You can also pin your favorite codes to the top.
I will also never forgive Authy for removing desktop support with near immediate deprecation and no way to export off their platform.
I will never use another Twilio product again after that.
Is there a better alternative? Authy is fine for this use, the rest of my 2FA tokens are in 1Password itself.
I guess there has to be a vulnerability _somewhere_ to make it possible to get back in again in an emergency.
You can also set up a security key[1] as 2FA, in which case you'd need both the secret key and security key.
You need to know the user/email, password, the secret key (and security key if you've added one) to get into an account. 1Password cannot recover your account for you. On a family or company account you can set up trusted members that can recover your account for you, but if everyone loses their credentials all at once then you're locked out forever and need to start over with new vaults.
In Safari, right click on TOTP QR codes.
How much stringency does a code/platform change get at Authy vs Apple? However, once you are in the Apple walls, they are just as ruthless at keeping you locked inside, which is why I try to minimize my dependencies where possible.
BTW, there's a hack you can do to create an iOS Password app in iOS 17 and below by using Shortcuts to launch the deep linked setting directly.
And the news about the Authy leak yesterday validated my move, if anything.
I don't really care for ente; it's more complicated than what I need from a password manager. And the fact that pass is so much more customizable (being as it's only 700 or so lines of shell script), I don't feel like I need anything more _personally_.
Just clone beneath /opt/pass and configure with the standard environmental variables, or use the default password-store location, and you're good to go. I use this to ensure all my systems have access to the same passwords (which are stored in a private git repository).
To give some context, we built Auth for ourselves because we wanted a product that was cross-platform, open source[1] and offered end-to-end encrypted backups[2].
Since launch[3], the product has undergone iterations[4][5].
Auth is now available on Android, iOS, Linux, Mac and Windows[6]. We also have a read-only companion app for the web[7].
Backups are end-to-end encrypted, optional and free. You can use all our apps (minus the web) without an account.
You can also self-host[8] if you wish.
Please let me know if you have any questions!
[1]: https://github.com/ente-io/ente
[2]: https://ente.io/architecture
[3]: https://ente.io/blog/auth/
[4]: https://ente.io/blog/auth-v2/
[5]: https://ente.io/blog/auth-v3/
[6]: https://github.com/ente-io/ente/releases?q=tag%3Aauth-v3
[7]: https://auth.ente.io
The only reason why I use (and recommend) Authy is that when I get a new phone it just works, while other apps require you to somehow open them and do some operation between old and new phone.
If it works, happy to switch to an open alternative! (Asking about iPhone, but I assume Android folks would also be interested.)
So if you purchase a new device, you will either have to sign in to Ente Auth again (for E2EE sync), or export your codes from the older device, and import it to the newer device.
[1]: https://github.com/ente-io/ente/blob/8b696b1242bce2f166ddd6a...
[2]: https://github.com/mogol/flutter_secure_storage/blob/cb30953...
There were a few brief years where an encrypted iTunes backup was a perfect, universally-restorable image of an iOS device. You could back up an iPhone, pop out the SIM card, destroy the original phone, then pop the SIM into a new one, restore the backup, and it would be nearly-impossible to determine that the device was different from a daily UX standpoint. Even MS Exchange email sync would still work.
Then around the time that iCloud K/V store showed up (which may be coincidental), this stopped working. Every app would start up and ask you to log in. Email needs reauthentication. Encrypted iTunes backups aren't terribly useful anymore.
Number one reason why most of my friends and family don't want to buy a new iPhone. They hate the pain and the anxiety of upgrading. And Apple hasn't done anything to make it easier.
Ente Auth backs up your codes, end-to-end encrypted. You can access your data on any device, at any time with your email address and password (/recovery key).
quite handy and can further increase security (trading it of course for a lack of recovery should you lose all your devices).
I wanted to be one of the users but when I tried to import my backup from Raivo your app just gives a null pointer exception error. I sent an email to your support team and they said they will get back to me once they hear back more from devs, which was 2 weeks ago.
For now I am using 2FAs but it would be great if I can get to try your app once importing works fine.
Good luck!
You can't easily export your codes into a different format using this app, meaning that it is difficult to migrate away once you have already moved your codes over.
Other than the (hopefully temporary) lock-in, this is a great app.
There is also an option to view / export individual QR codes.
Let me know what we could do better, would love to do better.
[1]: https://help.ente.io/auth/migration-guides/export#how-to-use...
Owky is short for “Own your keys”. Therefore the user owns the data - can easily be exported, and there’s no server sync (on purpose). No iCloud sync, nothing.
The app needs some love indeed, but it’s in a usable state.
edit: simple in terms of only ever needing to compile/validate the thing for linux (arm + intel)
If you have an RPi that is accessible over a network, you could self host it as well: https://help.ente.io/self-hosting/
I will never forgive Authy/Twilio for deliberately making exports impossible.
Also, if this comment[1] is right, API access has also been broken.
It's just a one day project so far. But it has some nice features like taking a screenshot and reading QR codes from it and storing everything in a single encrypted file (which you can easily put on a cloud drive if you want to sync, otherwise it's completely offline).
It only supports the standard RFC 6238 TOTP so far.
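For the earlier comment that otpauth provisioning URIs (the Key URI format encoded in the QR code) are nothing complicated, and for the RFC 6238 note just above, here is an added example that is not from this thread or from any of the apps named in it: it parses an otpauth://totp URI into the fields an authenticator stores and computes the code per RFC 4226/6238. The sample URI, issuer and account are constructed; the secret is the RFC 6238 reference seed so the output can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions the Key URI format allows in its "algorithm" parameter.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/<label>?<params> URI into the fields an app stores.

    Only the totp type is handled here; hotp entries would also carry a counter.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    # The label is "Issuer:account" (URL-encoded); the issuer may also be a parameter.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    # Secrets are base32, usually unpadded and sometimes lower case or spaced.
    secret = params["secret"].replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "issuer": params.get("issuer", label_issuer.strip()),
        "account": account.strip(),
        "key": key,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": algorithm,
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_code(entry: dict, at=None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(entry["key"], int(now) // entry["period"], entry["digits"], entry["algorithm"])


# Constructed sample URI (hypothetical issuer/account). The secret is the RFC 6238
# reference seed "12345678901234567890" in base32, so the codes match the RFC's vectors.
SAMPLE_URI = (
    "otpauth://totp/ACME%20Corp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ACME%20Corp&digits=8&period=30"
)

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["issuer"], entry["account"], totp_code(entry, at=59))  # ACME Corp alice@example.com 94287082
```

Passing a fixed `at` value is what makes the codes reproducible against the RFC vectors; call `totp_code(entry)` with no argument for the current code.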
1. Uses KeePass file format for secure credential storage
2. Supports One-Time Passwords (OTP) for two-factor authentication (2FA)
3. Provides a convenient CLI interface for retrieving 2FA codes
The project, named Passlane, offers a streamlined approach to password management directly from the terminal. It's particularly satisfying to generate 2FA codes via command line!
For those interested in exploring the code or contributing, you can find the project on GitHub: https://github.com/anssip/passlane
I'd appreciate any feedback or suggestions for improvement.
Is there any shared etymology between Ente and Entra? I'm curious where both come from.
If you're interested, here's more of the backstory: https://ente.io/blog/ducky/