GPLv3
Cross Platform
Well Designed
Zero Access
Cloud Sync
Transparent Team
Easy Export & Import Options
What more do you need?
They do collect some data via Google Crashlytics although I don’t think this is a major issue as they don’t require account creation and they have an opt out option in app.
I would also suggest Raivo be removed as a recommendation as this seems to be a much better alternative due to its superior import/export options and cross platform functionality.
They have a browser extension that works on macOS. Additionally, shared clipboard can be used via iCloud. This was likely done intentionally for security purposes.
I like 2FAS, I think their biggest plus is that their importing tools support migrating from Google Authenticator. But their browser extension doesn’t work as smoothly as Raivo’s macOS client, and both apps still have the issue of not allowing automatic sync to other cloud providers aside from iCloud.
Aegis is on F-Droid and doesn’t use Google services. That might be useful to some people’s threat models.
I agree. Although, I would suggest using shared clipboard instead. Faster than both methods.
TLDR: The cloud provider issue is an Apple limitation (kinda).
They would have to add every cloud provider manually, and since there are no private standardized cloud providers other than iCloud, which providers would they add? Proton and other E2EE clouds are still in their early stages and I’m not sure if they allow developers to integrate with them directly. I would like to see a self-hosted option though, as that would be easier to implement, or a syncing solution similar to Brave sync.
Raivo sync would mean you would have to download another app on your computer. Regardless, I mainly wanted 2FAS to be added to Privacy Guides because it’s a good app and then have Raivo possibly reconsidered afterwards since it lacks imports.
Still waiting for the explanation of the former Raivo dev how this is supposed to work out … but if the answer is unsatisfactory I will probably switch to 2FAS as well.
It would definitely be good to have the take of more privacy experts in regards to 2FAS. Everything they say seems to tick all boxes. I had moved to Raivo based on this site’s suggestions too.
Tested 2FAS and it seems very nice.
The only thing I found missing is a proper export function for import into other apps.
Say 2FAS stops getting maintained in the future, how do you get your 2FA codes into the next app?
Raivo OTP can create a QR code for each item that you can scan, if the new app doesn’t support importing directly.
There is a copy token, so it is possible to copy the token, then paste into another app or a text document and get the codes that way. However it is one token at a time so will be painfully slow if you have a larger number of tokens.
I have a second (old) phone I keep as a backup and not having a way to display QR codes so I can easily add a new token to my backup is a deal breaker for me.
I have noticed some concern with 2FAS making connections to Google owned domains (example from a different thread):
I tried to see for myself what domains the app connects to, so I opened the built-in iOS App Privacy Report feature and this is what I got (I excluded the iCloud backup and the 2FAS domains):
After turning off analytics in the 2FAS settings (and restarting the app), it stopped contacting all but one Google domain – specifically firebaselogging-pa.googleapis.com.
A GitHub issue has already been opened about the problem and thus the developer is looking into it.
EDIT: Here is a GitHub issue that mentions all the domains that the app connects to.
Something else to note here, 2FAS enables iCloud Sync by default on iOS, without any password protection. Not sure if it does something similar on Android? I’m not a fan of that.
TLDR: Cloud backup is by default. Cannot set cloud backup password. Support for different cloud providers unlikely. Exports are .json format.
I could see the point being made that it is more user-friendly, while also bringing more convenience (which might appeal more to an average user, but at the expense of security) and allowing for less user error to occur (loss of data).
With that being said, the masses (afaik) do not use E2EE cloud storage by default, like Apple’s Advanced Data Protection for iCloud (is there even such an option on Android?), so this might be a concern. Not your (encryption) keys, not your data. That is simple.
If this is not an option already, I would like to see a toggle for cloud / offline backup during the app onboarding process (so the user has a clear choice). I have noticed on their GitHub that people are requesting different cloud backup options, but according to the developers it would require implementing the SDK of each cloud service. Thus, it is safe to assume this will not be happening any time soon.
Going back to the cloud backup option, specifically iCloud, the secrets are stored using CloudKit and they can be accessed only using the 2FAS app. However, you cannot encrypt 2FAS files with your own password (yet, possible release in Q3/Q4 of 2023).
One last thing, regarding export options – apparently exported files are stored in a .json format, for those concerned.
Advanced Data Protection does not protect CloudKit keys which are not marked as “encrypted” by the developers (emphasis mine):
When you turn on Advanced Data Protection, third-party app data stored in iCloud Backup and CloudKit encrypted fields and assets are end-to-end encrypted.
Now I’m no Apple developer, but my understanding here is that data has to be marked with the encryptedValues property to be end-to-end encrypted in CloudKit, and a cursory glance at 2FAS’ iOS code suggests that may not be the case. The GitHub Issue you linked seems to imply it is encrypted though, but the 2FAS contributor there also seems to confuse access controls with encryption a lot, so I’m not super convinced by just the statements there. I definitely want clarification on this.
Edit: Actually, even fields stored with encryptedValues are not E2EE when Advanced Data Protection is disabled. The first part I said still applies though: if 2FAS is not using encrypted fields in CloudKit in the first place, then even enabling Advanced Data Protection will not protect your data in this case.
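To make the distinction above concrete, here is an added Swift sketch (not code from this thread and not 2FAS’s own code) showing a CloudKit record that stores a TOTP secret as an ordinary field next to one that uses the encryptedValues store; the record type, field names and sample secret are made up for the illustration.

```swift
import CloudKit

// Hypothetical record type and field names chosen for this example.
let db = CKContainer.default().privateCloudDatabase

/// Weak: the secret is an ordinary CloudKit field. CloudKit encrypts it at rest
/// with Apple-managed keys, but it is not an "encrypted field", so Advanced
/// Data Protection cannot make it end-to-end encrypted.
func makePlaintextRecord(issuer: String, secret: String) -> CKRecord {
    let record = CKRecord(recordType: "OTPToken")
    record["issuer"] = issuer
    record["secret"] = secret   // readable server-side regardless of ADP
    return record
}

/// Better: the secret goes into `encryptedValues` (CloudKit API, iOS 15+).
/// Such fields are covered by Advanced Data Protection once the user turns
/// it on; without ADP they are still only encrypted with Apple-held keys.
/// Encrypted fields cannot be queried or sorted on, so keep only the secret
/// there and leave non-sensitive metadata as normal fields.
func makeEncryptedRecord(issuer: String, secret: String) -> CKRecord {
    let record = CKRecord(recordType: "OTPToken")
    record["issuer"] = issuer
    record.encryptedValues["secret"] = secret
    return record
}

/// Read back: try the encrypted store first, then the plaintext field, so
/// the caller can tell which way a given record was written.
func extractSecret(from record: CKRecord) -> (secret: String?, encrypted: Bool) {
    if let s = record.encryptedValues["secret"] as? String {
        return (s, true)
    }
    return (record["secret"] as? String, false)
}

// Constructed sample values, not a real credential.
let record = makeEncryptedRecord(issuer: "example.org", secret: "JBSWY3DPEHPK3PXP")
db.save(record) { saved, error in
    if let error = error {
        print("save failed:", error)
    } else {
        print("saved", saved?.recordID.recordName ?? "?")
    }
}
```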
In the FAQ it says that 2FAS does “not collect any private and personal data”.
In the Privacy Policy under the GDPR section it says that the data collected will comprise “Device ID (including brand, model, unique ID, operating system info, and storage state), cookies and analytics.”
However, there’s a difference between the “2FAS Service” and “only download and use the 2FAS Application.” What does the “2FAS Service” actually entail, then?