I would like to showcase Chronos Authenticator, developed to provide the open-source and privacy community with an alternative iOS 2FA app.
Chronos Authenticator aims to provide robust security and reliable backup features, supporting both time-based (TOTP) and counter-based (HOTP) authentication methods.
Secure: Encrypts all token data on device and in iCloud (optional)
No unencrypted data leaves your devices
Data are only unencrypted in memory
Backup & Sync: Effortlessly backup and sync your data with Apple iCloud.
Export: Easily export your tokens for backup or transfer
Encrypted zip archive
Plaintext
HTML
Import:
Chronos
Aegis
Raivo
Google Authenticator
LastPass Authenticator
More services will be added
Anonymous: No telemetry and app account required
Upcoming Features
Swipe to show token QR code (available in v6.0)
Password reminder prompt (available in v6.0)
Service Icons
Tap to reveal tokens (available in v6.0)
Screenshot prevention
Export to HTML with QR codes (available in v7.2)
Allow for import via scanning to other authenticator without Chronos as an import option
More import options
Security & Encryption Q&A
What cipher string (master key) is used for data encryption?
A 256-bit (32 bytes) array of cryptographically secure random bytes is generated on the device using SecRandomCopyBytes. It functions as the master key used for data encryption.
What is my password created during onboarding used for?
The password is used to derive an encryption key using scrypt. This derived key is then used to wrap the master key with XChaCha20-Poly1305 cipher, effectively encrypting it. This process allows for the secure storage and transmission of the encrypted master key on the device and, if enabled, in iCloud.
That's great news, iOS definitely needs a solid offline 2FA app after the Raivo sell out.
EDIT: After using it I love the simplicity, reminded me of Tofu but with the extra necessary security functions. This is my go-to iOS 2FA app from now on.
Thank you for putting the effort for this app.
May I humbly ask why you decided to develop a 2FA app while there is ente auth or 2FAS. Is there a difference with regard to the feature parity, or something you did not like?
Hey! Great question. As a previous user of Raivo, I wanted to develop a 2FA app that offers similar features to Raivo and to provide an iOS offering that rivals Aegis’s feature set.
Chronos was developed with the following must-have features in mind:
Encrypted iCloud backup
Sync should be simple
No vendor lock-in
Backup files must be easily readable (JSON format)
QR code included in export (will be available in v7.0)
No app account
To answer your question, I wanted an app that is fully end-to-end encrypted with iCloud for syncing between multiple devices.
How are you syncing the data to iCloud? Do you use any of CloudKit’s encryption tools to protect user data, or is the only encryption happening within the app with the master password that’s set?
Encryption is performed using the master key generated when the vault is created.
The models used for iCloud syncing, implemented with SwiftData, can be found here. Token data is encrypted in the EncryptedToken.encryptedTokenCiper field.
I’ve thought of this app having played around with it.
Here’s why I wouldn’t use it:
The sync is through iCloud. That keeps me kinda locked in with my devices and OS. I use all kinds of devices including Linux. I would prefer full freedom and flexibility to still get my 2FA codes while not being tied down to any device.
Here’s why: if I lose all my devices and data, I still want to be able to get to my accounts on a new device I buy without needing to buy an iPhone to get back my access to accounts. Also, I don’t trust iCloud so the encrypted sync doesn't mean much.
This is subjective but it’s how it is with me. But if you can make it such that I’m also able to use the web to log into my account and get my 2FAs - I would consider leaving Ente if you also add the option to add seed tokens on the web itself. This would enable me to give up my smartphone and move to my preferred dumb phone.
Hey! Thanks for the feedback. I understand where you’re coming from. This is where the safekeeping of backups is crucial for any authenticator app you use.
Chronos allows you to export your tokens in JSON and HTML (available in v7.2) formats in a zip archive. Encrypted archives secured with a strong password can be stored in ProtonDrive, iCloud, or any other cloud storage for future use. If you want an offline backup, the HTML export can be printed out and stored in a safe location.
And it's not like I dislike the app; it's just that it doesn’t work for me the way another does given my priority of not being locked into any OS or device and having the freedom to get to my codes even in the worst case scenario of losing all my electronic devices.
I hope the additional flexibility I have explained in my comments thus far is taken into consideration for future updates and features you may want to provide your users.
Is it possible to have it backup to something other than iCloud? Also how do you plan to monetize the app? Generally speaking people don’t build and maintain apps from the goodness of their heart. I’d rather have a clear idea how you plan to make money rather than offering a free product to generate usage and then sell it to a 3rd party like Raivo did.
Hey, iCloud is only required if you want automatic data sync between multiple devices. Chronos can be set up with an offline Vault, and exports can be made and backed up anywhere you want.
A very very good question. I have no way to prove this to you, but honestly, I am not planning to make any revenue from creating this app. While donations on GitHub are welcome, they are not necessary. I was a user, donor, and contributor (albeit just a few service icons) of R, and after what happened, I wanted to offer the community an alternative. Chronos is my way of giving back.
That being said, you should not trust me, anyone, or any company with your important data. Always create, save and test your backups!