Do MFA apps with a cloud sync increase your attack surface?

I decided to give Ente Auth a try, primarily because I have one or two iOS devices I use for work, and it’s nice to have it on whatever phone I have on me at the time (I always have my personal android on me though).

I like the simplicity of signing in and having my codes there. But as I was thinking about it, this either means I need to delete my Ente password from Bitwarden, or somehow disable the online sync, right? If somebody somehow got into my Bitwarden account, they would have all the passwords and the 2FA would only be a single step away. Or, if they got into my Ente without Bitwarden somehow, they’d have all the codes right then and there.

Is it wiser to just use Aegis and Syncthing the file across my two Android devices, with an encrypted backup on a flash drive in our safe?

I am using 1Password for everything, and have backups on Bitwarden. If someone manages to get into your main password manager, then you have more serious problems than thinking about Ente 🙂

I feel like if you’re at the point where storing the keys to your auth app with your passwords (downgrading it from 2-factor to simply 2-step auth, which is certainly valid for some people but should be kept in mind) is an acceptable risk, you may as well just store the codes directly in 1Password and reap the benefits of their 2FA autofill feature. The logic of “if someone breaks into your PW manager you have bigger issues” holds equally for both IMO.

When you add the Ente app to your device, it asks for a permission via email, right? If so, then your email account and your email’s 2FA would be a 2FA for a remote login for Ente, preventing access by just somehow knowing your password.

But you are absolutely right; if I were you, I would probably put the password somewhere else. Syncing seamlessly across platforms seems to be the major point of using Ente.

I had forgotten what my initial worry was when I had made the post. I remember seeing that Authy was breached at some point and people were recommending that people reset their 2FA for all accounts they used with Authy. I’m not as worried about somebody getting into Bitwarden. What if Ente Auth is breached and they steal my codes that way?

@BionicBison

Since Ente’s backups are end-to-end encrypted, it’s pretty much exactly like Bitwarden, where even if they suffer a breach, attackers can’t actually decrypt the data they’ve stolen without your password. Therefore, the most likely (though not necessarily likely at all) attack you have to consider with your current setup is breaking into Bitwarden (which, if your password isn’t easily guessable, such as a random 5+ word passphrase, would likely involve a malware attack on one of the devices you use Bitwarden on to grab the data after you’ve decrypted it yourself), then using your Ente login in Bitwarden to get to your codes, assuming they also get past Ente’s email confirmation at this point. Like @Bhaelros suggested, a situation like this is likely game over for many reasons other than just a compromise of your 2FA codes, but having your Ente app on just your phone, where a malware attack is less likely, and storing the password/recovery code offline (like a USB drive or piece of paper) would indeed mitigate such an attack as far as the security of your 2FA codes goes, if it’s within your threat model.

Authy was supposed to end-to-end encrypt your TOTP secrets/keys (but not other info like emails, etc.), but the hackers were able to use employees’ credentials to add devices to the existing accounts and generate codes from them, with no details released of how. This sounds fishy.

Ente is different in being open source and hence more transparent about how the end-to-end encryption is done. If they have it independently audited too, that would be more reassuring. All in all, though, it depends on how much you trust the company to keep your secrets in the cloud. If you don’t, maybe using Aegis would be better.

This is why many people choose to use Bitwarden to generate 2FA codes, locking down their accounts using only FIDO2 2FA, and nailing down habits that would result in malware on their systems. They trust Bitwarden and themselves enough to keep all the eggs in one basket.

1 Like

I’d like to think they’d do a great job. Either way, it’s a bunch of work moving them back and forth to test stuff out, and I’m not having a great time with it… Authy’s UI was definitely the best of all of them, but they seem to have had a rough go of it.