I’m looking for a TOTP authenticator that meets the following criteria:
- Is FOSS
- Is cross-platform: available on Android and desktop (Windows and Linux, or as a browser extension)
- Supports password/biometric locking of the application
- Supports encrypted exports
- Automatically syncs across devices
- Has been audited by a reputable third-party relatively recently
Before anyone mentions it, I’m fully aware that what I’m looking for isn’t the most secure TOTP solution. But I think this is probably the best solution for me as it’s a nice middle ground between security/privacy and usability. I wouldn’t need to avoid MFA or use SMS MFA, but I also wouldn’t need to manually update my authenticators every time I add a new account. Manually updating authenticators like Aegis and Authenticator.cc that are offline (or only offer backing up to proprietary or privacy-invasive services) is more trouble than it’s worth in my opinion.
Perhaps the best candidate I’ve found is 2FAS. It seems the only criterion 2FAS fails to meet is the third-party audit. After looking through their website, I don’t see any audits mentioned anywhere. I’m also not sure how much I should trust them since I only heard of them recently.
I also came across ente Authenticator, but I have issues/concerns about them as well, which I’ll go over below.
- Unlike 2FAS, they’ve at least undergone an audit of some sort. I’ve only skimmed through it, but it looks like Cure53 and Symbolic Software audited their implementation of cryptography. However, I’m not sure to what degree this proves the reliability or safety of their authenticator. I couldn’t find any mention of their authenticator in the Cure53 report, so I assume they didn’t audit the authenticator entirely, but rather just the underlying cryptography used by the company for their products.
- They don’t support encrypted exports.
- They don’t mention support for password/biometric locking of the application.
- They don’t support desktop at the moment. The only option on desktop would be to use their web app, which isn’t ideal.
- Rather than simply syncing across devices, they also store a backup on their servers. I might not mind this feature if it were from people I knew/trusted and if they were thoroughly audited, but I hadn’t heard of ente until recently and, again, I’m not entirely sure the audit proves its reliability, as it seemed to be limited.