top | item 40883839

Ente Auth: open-source Authy alternative for 2FA

406 points | memset | 1 year ago | ente.io

201 comments

[+] vishnumohandas|1 year ago|reply
Hello, one of the folks working on Ente Auth here. Thanks for putting us on the frontpage!

To give some context, we built Auth for ourselves because we wanted a product that was cross-platform, open source[1] and offered end-to-end encrypted backups[2].

Since launch[3], the product has undergone iterations[4][5].

Auth is now available on Android, iOS, Linux, Mac and Windows[6]. We also have a read-only companion app for the web[7].

Backups are end-to-end encrypted, optional and free. You can use all our apps (minus the web) without an account.

You can also self-host[8] if you wish.

Please let me know if you have any questions!

[1]: https://github.com/ente-io/ente

[2]: https://ente.io/architecture

[3]: https://ente.io/blog/auth/

[4]: https://ente.io/blog/auth-v2/

[5]: https://ente.io/blog/auth-v3/

[6]: https://github.com/ente-io/ente/releases?q=tag%3Aauth-v3

[7]: https://auth.ente.io

[8]: https://help.ente.io/self-hosting/

[+] bonjurkes|1 year ago|reply
First of all thanks for providing an alternative 2FA app on iOS platform that is open source.

I wanted to be one of the users but when I tried to import my backup from Raivo your app just gives a null pointer exception error. I sent an email to your support team and they said they will get back to me once they hear back more from devs, which was 2 weeks ago.

For now I am using 2FAS but it would be great if I can get to try your app once importing works fine.

Good luck!

[+] ecesena|1 year ago|reply
Out of curiosity, have you tested what happens if you buy a new iPhone and upgrade from old to new one? (Preferably no backup, just the new/standard upgrade procedure where you bring the new device close to the old one, and Apple does its magic.)

The only reason why I use (and recommend) Authy is that when I get a new phone it just works, while other apps require to somehow open them and do some operation between old and new phone.

If it works, happy to switch to an open alternative! (Asking about iPhone, but I assume Android folks would also be interested.)

[+] jeanofthedead|1 year ago|reply
Any plans to release an Apple Watch app? That’s my one requirement for a 2FA app.
[+] smcleod|1 year ago|reply
That’s fantastic you can optionally self host. Well done!
[+] lelandbatey|1 year ago|reply
Is it possible to have ente on your phone (Android) sync using e.g. Dropbox, same as KeepassXC with its password database?
[+] jerrygoyal|1 year ago|reply
If I lose all my devices, can I still recover 2FA accounts? I can do it in Authy with email and mobile verification.
[+] mikepollard_dev|1 year ago|reply
Security platforms should be open source by default. It provides assurance that nothing weird is occurring behind the covers and also shows confidence in the implementation and the cryptography behind it all.

I will also never forgive Authy for removing desktop support with near immediate deprecation and no way to export off their platform.

I will never use another Twilio product again after that.

[+] secstate|1 year ago|reply
I feel like this misses the problem with Authy. There are hundreds, possibly thousands of 2FA alternatives for Authy. But when my 401K provider requires Authy to log in without providing a generic 2FA option, THAT is the problem.
[+] xp84|1 year ago|reply
THE problem with Authy in my humble opinion isn’t just that it’s an obnoxious proprietary app I shouldn’t need — it’s that it forces you to accept SMS as a get-out-of-security-free card. Being able to get a reset text to your registered number (and you MUST register a number, of course) unlocks all your OTPs for the attacker (who slipped some teenaged phone salesman $50 or a fake ID to swap your sims.)

SMS is cancer to security and I won’t use any system that forces me to accept something so easy to exploit as proof of my consent.

[+] ezekg|1 year ago|reply
If we're talking OTP/TOTP -- it's all the same. Even if a provider instructs you to use a specific app, e.g. Google or Authy, you can simply scan the QR code with whatever authenticator app you're using. All the QR code does is encode a URI containing the secret and issuer.
[+] remuskaos|1 year ago|reply
Authy has this 7 digit TOTP, which seems kind of proprietary. But Aegis supports that too, and is open source.
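An added example (my code, not part of this thread or of Ente Auth) of the two points above: the QR code carries only an otpauth URI with the secret, issuer and optional parameters, and a 7-digit token is just the standard RFC 6238 algorithm with digits=7. The parser below accepts the algorithm, digits and period parameters, generates HOTP/TOTP codes per RFC 4226/6238, and checks itself against the test vectors published in those RFCs. The sample URIs are constructed; the 10-second period on the 7-digit URI is my choice, the page only says Authy uses 7 digits.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(b32: str) -> bytes:
    """Base32-decode a secret as apps do: ignore spaces and case, tolerate missing padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...&algorithm=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(u.path.lstrip("/"))
    # issuer may appear as a query parameter, as the "Issuer:" prefix of the label, or both
    issuer = q.get("issuer")
    if issuer is None and ":" in label:
        issuer = label.split(":", 1)[0]
    return {
        "type": u.netloc,
        "label": label,
        "issuer": issuer,
        "secret": decode_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),   # defaults per the otpauth convention
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q["counter"]) if "counter" in q else None,
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, digits, algorithm)


def code_from_uri(uri: str, for_time=None) -> str:
    """What any authenticator app does after scanning the QR code: parse, then compute."""
    p = parse_otpauth(uri)
    if p["type"] == "hotp":
        return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])
    return totp(p["secret"], for_time, p["period"], p["digits"], p["algorithm"])


def verify_totp(secret: bytes, code: str, at, window: int = 1, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check allowing +/- window steps of clock skew, compared in constant time."""
    step = int(at) // period
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, step + delta, digits, algorithm), code):
            return True
    return False


# Test secrets from RFC 4226 / RFC 6238 Appendix B (ASCII "1234567890" repeated to the hash size).
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"
SECRET_SHA512 = b"1234567890" * 6 + b"1234"


def rfc_selfcheck() -> bool:
    """Return True if the implementation reproduces the published RFC test vectors."""
    hotp_ok = [hotp(SECRET_SHA1, c) for c in range(3)] == ["755224", "287082", "359152"]
    t59 = (totp(SECRET_SHA1, 59, digits=8), totp(SECRET_SHA256, 59, digits=8, algorithm="SHA256"),
           totp(SECRET_SHA512, 59, digits=8, algorithm="SHA512"))
    totp_ok = t59 == ("94287082", "46119246", "90693936") and \
        totp(SECRET_SHA1, 1111111109, digits=8) == "07081804"
    return hotp_ok and totp_ok


# Constructed sample URIs (base32 of the RFC SHA1 secret); the 7-digit/10-second one mimics a non-default profile.
URI_DEFAULT = "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
URI_7DIGIT = ("otpauth://totp/Example:alice@example.com?secret=gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
              "&issuer=Example&digits=7&period=10")

if __name__ == "__main__":
    print("RFC vectors OK:", rfc_selfcheck())
    print("default profile @ t=59 :", code_from_uri(URI_DEFAULT, 59))
    print("7-digit profile @ t=59 :", code_from_uri(URI_7DIGIT, 59))
```

Both sample URIs hold the same secret, so the 7-digit code is simply the same HMAC output truncated to one more digit over a shorter time step; nothing about it is app-specific, which is why Aegis, Ente Auth or any other RFC 6238 implementation can take it over. The `verify_totp` window should stay small (one step each way is common); every extra step widens the set of codes an attacker can submit.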
[+] wesapien|1 year ago|reply
Is there a list of services that have a specific 2FA provider requirement? In my experience, when my service asks for 2FA it usually says Google Authenticator and I use Authy. I'm looking to migrate out of Authy in the near future.
[+] 1oooqooq|1 year ago|reply
Oh boy, wait until you have to use anything under id.me, which is in bed with the federal govt.

You will be crying for them to let you go back to Authy and SMS.

[+] csdreamer7|1 year ago|reply
People complaining about an "Authy jail" and yet I have no issues with Aegis. Which is also open source, available in the F-Droid store, and has been around for years.
[+] jamesralph8555|1 year ago|reply
I’ve had a really poor experience with the (open source) 2FA app Raivo on ios. Developer got bought out. Ads got added, and a bug was introduced where users lost 2fa backup. Losing 2fa access was not as bad as I expected since I stored 2fa backup codes in bitwarden notes. A lot of sites also feature email recovery. I ended up migrating totp 2fa to bitwarden and its been very convenient.
[+] brewdad|1 year ago|reply
I moved to 2FAS Authenticator mainly because I didn't want my 2FA tokens linked up with my Bitwarden account. I backup my tokens in an offline KeePassX vault to ensure I won't lose access to them.
[+] jacooper|1 year ago|reply
But how do you deal with the 2fa codes for bitwarden itself?
[+] nicpottier|1 year ago|reply
This looks quite nice, thank you for releasing it open source. Also neat to see a real Flutter app in the wild, this seems like a great use case for it. Would love to read your experience building something polished across ios/android on Flutter.

One note as I signed up for an account is that the email verification went to Gmail's spam. Probably nothing to be done about that but mentioning it.

I would also add an "authy" option when importing that just goes to an explanation of why it isn't possible and steps you can take to create new tokens etc.

In any case, well done and thank you!

[+] vishnumohandas|1 year ago|reply
Thank you!

Apps like Auth are a great fit for Flutter, where desktop support is nice to have. We're also using Flutter for our Photos[1] app, and it has served us well so far. Wherever necessary (cryptography, ML, transcoding, ...), we use a bridge to communicate with the native layer, and Flutter becomes a presentation layer of sorts.

Regarding Gmail marking our verification emails as spam, we aren't sure what the issue is. We migrated from Zoho to SES recently hoping to fix this, but that has not helped. If anyone here understands email deliverability, please do share your thoughts, we'd be grateful!

We've a migration guide from Authy here[2]. They make it difficult, but it's possible.

[1]: https://ente.io

[2]: https://help.ente.io/auth/migration-guides/authy/

[+] evolve2k|1 year ago|reply
My hunt for an open source Authy took me to 2FAS, which has been fine. Any opinions on this offering?

2FAS — the Internet’s favorite open-source two-factor authenticator

https://2fas.com

[+] moontear|1 year ago|reply
I come from Authy and switched due to the desktop apps demise.

2FAS does not have a desktop app and doesn't offer self hosting. The browser extension is fine, but was clunky at times. I started disliking using a browser extension as my main thing to manage 2FA. I feel a lot better with the Ente Auth desktop app and mobile apps.

You can actually import stuff to 2FAS as well as Ente Auth, so no problem in trying out both.

[+] robxorb|1 year ago|reply
> 2FAS syncs across your mobile devices.

[...]

> 2FAS works offline.

> 2FAS doesn't store any passwords or metadata.

Eh?

[+] r0ckarong|1 year ago|reply
I'm very happy with Aegis.
[+] NelsonMinar|1 year ago|reply
Aegis is great but it's Android only. I really like their thoughtful export system. Ente has export as well, I wonder how it compares.
[+] neop1x|1 year ago|reply
I have been using Aegis but switched to Ente Auth as I decided to use Ente Photos as well. Both Aegis and Ente Auth are great options. This switch (export and import) was very easy.
[+] okkdev|1 year ago|reply
Me too, but it had this nasty bug where me and a bunch of other users occasionally only saw a black screen after unlocking. For me rebooting my phone fixed it, but not for everyone. I can't really afford to not be able to access my 2fa codes. This lasted for over a month, so I decided to move to ente auth.
[+] ploum|1 year ago|reply
It should be highlighted that the flagship app from ente is not their 2FA but their wonderful encrypted photo app. It is a fully encrypted alternative to Google Photos.

It is far from perfect but already very usable. There’s also a Linux desktop client that allows me to sync all my photos on my computer.

I really recommend them (nice team)

[+] ackyshake|1 year ago|reply
Last week, I started to explore `pass`[1], to move away from my current Authy + iCloud Keychain ecosystems. It's pretty barebones but that's what I like about it. I like it so much that one week later, I've fully migrated away and couldn't be happier.

And the news about the Authy leak yesterday validated my move, if anything.

I don't really care for ente; it's more complicated than what I need from a password manager. And the fact that pass is so much more customizable (being as it's only 700 or so lines of shell script), I don't feel like I need anything more _personally_.

[1]: https://www.passwordstore.org/

[+] Loranubi|1 year ago|reply
Because I got fed up with all the existing 2FA apps (lack of backup, export, ...) I created a simple (desktop) CLI app which works for me: https://github.com/Dobatymo/otp-tool

It's just a one-day project so far. But it has some nice features like taking a screenshot and reading QR codes from it and storing everything in a single encrypted file (which you can easily put on a cloud drive if you want to sync, otherwise it's completely offline).

It only supports the standard RFC 6238 TOTP so far.

[+] UberFly|1 year ago|reply
Nice roll-your-own solution. Just an FYI: Aegis does have backup, export etc. I would also not use it if it couldn't export.
[+] benbristow|1 year ago|reply
I've been using Authy as a backup for 1Password (previously BitWarden/LastPass)'s 2FA since in a worst-case scenario I can get a replacement SIM card from my phone network's store and get back into my 1Password account via recovery. This has had to be tested once when my phone got pickpocketed in Amsterdam.

Is there a better alternative? Authy is fine for this use, the rest of my 2FA tokens are in 1Password itself.

[+] 9dev|1 year ago|reply
If you’re on a Mac and use Safari, it has a neat 2FA integration built in, which saves and autofills OTPs from iCloud Keychain.
[+] dotancohen|1 year ago|reply
If _I_ can get a replacement SIM card from your phone network's store, can I get into your 1Password account via recovery?
[+] neoecos|1 year ago|reply
This looks good, as I wanted to "escape" the Authy jail (you cannot easily move out with your secrets), but moving a lot of 2FAs to a "new thing". How to make sure they are a good project?
[+] BonusPlay|1 year ago|reply
What's the point of having your 2FA codes synchronized across all your devices?

Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.

1) If you're not using password manager, then you're probably using same password everywhere, including your 2FA app.

2) If you're storing your 2FA codes in your password manager, then it's not really a 2nd factor. It helps against password leaks from services, not from a password manager leak.

Ability to synchronize encrypted backup is a different story.

[+] xrd|1 year ago|reply
I'm worried that if my device fails I won't be able to recover all the sites I've registered on my phone. Does anyone know if this can enable backup quickly to another device in a secure way?
[+] SparkyMcUnicorn|1 year ago|reply
1Password, Bitwarden, and Vaultwarden support 2fa and let you view/export the secrets.
[+] memset|1 year ago|reply
I think it has its own backup service. But it otherwise lets you export/import your data. I feel like as long as I can do an export in some way then that’s good enough for me.
[+] andrei-akopian|1 year ago|reply
You don't need regular backups, just every time you add a new service.

Ente has free backups and its own encrypted export format, which sounds promising.

[+] LorenzoGood|1 year ago|reply
I'm waiting for bitwarden or aegis export capability before trying this out.

You can't easily export your codes into a different format using this app, meaning that it is difficult to migrate away once you have already moved your codes over.

Other than the (hopefully temporary) lock-in, this is a great app.

[+] charlietango592|1 year ago|reply
This makes me want to restart working on Owky - my 2FA open-source pet project.

Owky is short for “Own your keys”. Therefore the user owns the data - can easily be exported, and there’s no server sync (on purpose). No iCloud sync, nothing.

The app needs some love indeed, but it’s in a usable state.

[+] pebblesun|1 year ago|reply
Is there any problem using Password Manager's feature to get 2FA codes? I use 1Password and it has this feature built in and automatically fills after filling the password. Even iPhone's latest Password app also has this built in.
[+] andrewmcwatters|1 year ago|reply
I don't see people mention this enough, but iCloud Keychain generates TOTPs. I've been migrating all of my accounts slowly to just use the built-in Apple Passwords functionality.

In Safari, right click on TOTP QR codes.

[+] kernal|1 year ago|reply
Additionally, iOS 18 will introduce a Password app making the functionality easier to discover. People are still surprised to learn that iOS has built in TOTP support, but it's just buried deep in the settings.

BTW, there's a hack you can do to create an iOS Password app in iOS 17 and below by using Shortcuts to launch the deep linked setting directly.

[+] andrewinardeer|1 year ago|reply
And when Apple's automated systems disable your account you're locked out of your accounts.