Sharing cause I know this is a solution lots of us are probably looking for.
Wow! This is really cool! Love it!
This gives me Scylla vibes from Prison Break.
This seems like a really cool project, thanks for sharing c:
Seems like a great little thing, but idk I’m starting to get a bad feeling about the direction that Ente is headed.
I just posted this the other day. Earlier this year someone at Ente wrote this and now in their blog post about this hackathon it says:
“I’m happy about the culture of hacking we’re building at Ente. It was heartwarming to see folks who have never written a line of code deploy products that are fun and functional.” [emphasis added]
I still trust that people at Ente have good judgement on how to approach these AI things, especially on their main products, but I’m seriously starting to consider moving my photos somewhere else before it gets too vibey over there…
This is a neat UI, but this is just Shamir’s Secret Sharing which has existed since 1979 and there are many similar implementations (I am not necessarily vouching for these, just pointing out they exist). It’s not really anything technically groundbreaking.
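For anyone wondering what a “2 of 3” card actually holds, here is an added example (not 2of3’s code or any commenter’s) of the Shamir scheme in a few lines of Python: a 2-of-3 split over a prime field, recovery from any two cards, and a check that one card on its own is consistent with every possible secret. The 127-bit prime and the 15-byte passphrase limit are this example’s own choices.

```python
import secrets

# Prime field for the arithmetic; 2^127-1 is a Mersenne prime (example choice).
P = (1 << 127) - 1

def split_2of3(secret_int: int) -> list[tuple[int, int]]:
    """Three points on a random line y = s + a*x (mod P).
    Any two points fix the line (and s); one point fixes nothing."""
    assert 0 <= secret_int < P
    a = secrets.randbelow(P)  # slope must be uniformly random, never derived from s
    return [(x, (secret_int + a * x) % P) for x in (1, 2, 3)]

def recover(cards: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from two distinct cards (threshold 2)."""
    pts = cards[:2]
    if len({x for x, _ in pts}) < 2:
        raise ValueError("need two different cards to recover")
    secret = 0
    for xi, yi in pts:
        num, den = 1, 1
        for xj, _ in pts:
            if xj != xi:
                num = (num * -xj) % P          # (0 - xj)
                den = (den * (xi - xj)) % P    # (xi - xj)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def one_card_fits(card: tuple[int, int], candidate: int) -> bool:
    """Info-theoretic property: for ANY candidate secret there is a slope that
    explains a single card, so a lone card leaks nothing about the secret."""
    x, y = card
    a = ((y - candidate) * pow(x, -1, P)) % P
    return (candidate + a * x) % P == y

def passphrase_to_int(s: str) -> int:
    b = s.encode("utf-8")
    assert 0 < len(b) <= 15 and b[0] != 0, "example keeps one field element"
    return int.from_bytes(b, "big")

def int_to_passphrase(n: int) -> str:
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode("utf-8")

def demo(passphrase: str = "correct horse") -> list[str]:
    cards = split_2of3(passphrase_to_int(passphrase))
    pairs = ((0, 1), (1, 2), (2, 0))  # any pair, in any order, recovers it
    return [int_to_passphrase(recover([cards[i], cards[j]])) for i, j in pairs]
```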
This is very unfortunate for a developer that already has a similar product that he has been working on, for several years …
Agreed. I’m sure they are aware other implementations exist, but it doesn’t hurt to make it more accessible.
Aside from the intent of this tool, it would be pretty cool to make a bunch of these as a party game, stash them around an area, and have people find the right combos to reveal the secret.
Question is: why give an important passphrase of mine away via web to a more or less untrusted project when I can achieve the same on my local system using ssss?
From the site:
A fully offline HTML recovery page is included when you use “Download all cards”. Open that file locally, add any two matching cards, and recover without needing the site. 2of3 is also open source, so the format is inspectable and recovery is not locked to one hosted service.
However I can’t verify this since the download all button seems to only download the first card for some reason. Idk if it’s my browser that’s the issue or something on the website’s end.
Still, I agree that you shouldn’t go entering sensitive details using this tool regardless; it’s bad opsec.
I can definitely see myself using this not just as a recovery method for myself, but as a way to share passwords or any important information with people on the internet. Especially when those people don’t use E2EE platforms.
With all that being said, as a recovery method for myself, I can’t see myself using this for anything other than the master password of my password manager. I think having recovery cards for multiple accounts is risky. I wouldn’t want to mix up recovery cards for different accounts.
The reality is, you don’t ever want to need them. But for people who are not good at remembering their passwords it’s extremely useful. However, IMHO, only as long as they use it for ONE account, which should be their password manager’s password.
For those who intend to use this for their own accounts, do you plan to use it for more than one account? If so, which accounts, and why?
For me, it displayed 4 separate save file dialogs: one for each card and one for the HTML website. I would have preferred them to let us download a ZIP file instead of individual files though.
Oh this is fairly well-designed!
I prefer Banana split – it adds a passphrase to the decryption process for an extra layer of security and requires that the user be offline in order to use it. That may be overkill in some use cases, though.
The page appears to be fully offline, so you can run it without needing to be connected to the internet, similar to ssss. On Firefox → File → “Save Page As”.
I do appreciate that this is a webpage I think I could gain access to quicker than ssss if I was not near my workstation(s). I also like its native qr code support.
I know this is just Shamir’s secret sharing and that there are lots of options (I’ve written a few implementations of it over the years as one of my default simple practice things that lets me get a quick feel for a new language), but the UI is slick and the QR code output is smart.
Banana split is good as well (similar but less polished looking, maybe I am just used to dark mode stuff) but it’s a little more heavy-handed and requires a passphrase - ideal for some cases but not others.
I still don’t get how this works / what is the reason for this?
Okay maybe it’s my own background tainting my experience but I see a lot of people here asking “what’s this for?” and “this is just Shamir’s Secret” (btw this thread is the first time I’ve ever heard of that) or “why would I trust some random website?” and I think a lot of people here are overlooking the most obvious scenario: what if you get hit by a bus tomorrow?
content warning, tl;dr: my mom passed away suddenly
For those who don’t know (I was very open about it when it happened on Surveillance Report), my mom passed away VERY suddenly in 2023. Like literally she was fine, eating dinner, then suddenly collapsed, rushed to the hospital, put into a medically-induced coma, and air-lifted to another hospital with a better trauma center. She collapsed Monday night, never woke up again, and the doctors took her off life support Wednesday morning.
I have a very distinct memory of her saying right before they put her under “Nate knows the password my Bitwarden account.” I swear I question my own sanity because it seems so weird of a detail to care about but I remember it because it was so weird and also because I remember thinking “…I do? Whatever, now’s not the time to worry about that.” Needless to say though, I clearly should’ve asked lol. We never were able to get into her Bitwarden, and because my mom was relatively young (not even 60 yet) we had never gotten around to “hey mom, you should really set up a legacy contact for Bitwarden.” We always thought we’d have more time. (Which is weird cause death was never an off-limits topic in my family.)
Anyways, all that to say that 2of3 - or whatever similar tool you can find - is perfect for this exact scenario. We’re all gonna die someday, and not all of us will have the luxury of going “welp, I’m getting up there in years, I guess I should start putting my affairs in order.”
A common concern with planning for this stuff is “how can I make it so that my loved ones have access to all my stuff but I don’t have to worry about them taking advantage of it while I’m still here?” Some people hire lawyers and safe deposit boxes and stuff. Sure, that’s fine, but I don’t have that kind of money. Some people use the legacy contact in Bitwarden, 1Password, or Proton Pass. That’s also great. But what if you prefer KeePass? Or what if you have other things that a person would need that aren’t covered by the legacy feature? Or honestly, what if you just don’t want that person to have to wait a whole-ass week? A week is a long time when it comes to this kind of stuff. Usually the funeral is about a week after the death. I don’t want my wife to have to wait a whole week to get access to funds, insurance, paying bills, etc.
I know others have made similar tools and there’s more than one way to skin a cat, but for a lot of people with lower threat models this is quick, free, and user-friendly. That was my first thought when I saw this. Again, probably informed by my own experiences.
I’m very sorry for the loss of your mom. I watch SR, and I guess I missed that episode.
Thank you for sharing valuable insight informed by real-life tragedy. I’m currently helping someone set up their new iPhone, and they are not the kind of person that remembers their password manager’s master password, so I think this tool would be extremely valuable to them and myself.
How do you use 2of3 in this specific context? Do you give one card to your loved one, and the 2nd and 3rd to a lawyer and a trusted friend?
Saving an important passphrase or other secret pretty safely.
In my specific case, I’d probably give one each to wife, sister, and stepdad. All three live within a few hours of me, all three are on Signal, all three know how to use a QR code, and I know at least two of them (wife & sister) would be able to figure out how to take a picture of the code and send it to the other person if they needed to combine 2 of them on a moment’s notice for whatever reason (as in “there’s no time to physically meet up”).
So personal preachy opinion: I think tools like this should be less about “who do I trust” and more about decentralizing/mitigating risk. I hope that everyone reading this has at least one person in their life that they trust completely. I personally don’t think something like 2of3 can be used to remove risk completely from an untrusted person or persons. What’s to stop them from colluding? If they hate each other too much to collude, why would they come together when needed? (I guess if you really want to overcomplicate it you could give one QR code to a mutual friend who gets along with both of them and they only need one QR code from either person, but that’s a lot of game theory and what if they have a falling out or something? I’ve had a lot of caffeine and not a lot of sleep.)
I would honestly give my wife my unlocked phone and let her walk into the other room with it to do whatever she wants. I have nothing to hide from her (and honestly she’d probably be pretty bored anyways. Mostly just chats about privacy and podcasts about true crime). I hope that everyone here has at least one person like that in their life. Even in that case, there’s still a use for things like 2of3. For me, 2of3 or Legacy Access would be less about making sure that she doesn’t screw me over and more about making sure that there can’t be unintended third-party compromise. For example, my wife doesn’t regularly use my devices. She has her own. So there’s no reason for her to remember any of my passwords. We could write them down and store them somewhere safe but what if we get robbed and that password gets physically stolen? Likewise, we could just save my Bitwarden passphrase in her Bitwarden vault, but then she also still needs my Yubikey (whereas Legacy Access - I assume - bypasses all that crap).
Things like 2of3 decentralize that risk. It’s not that I don’t trust my wife to have all 3 QR codes, it’s that it offloads her needing to remember things she doesn’t use regularly while also reducing risk.
I don’t know if any of that made any sense. I’ve rewritten this like, a dozen times. The caffeine is only doing so much lol