Hi everyone,
I’m currently deciding which 2FA app to use and I’ve run into some unclear points in the documentation regarding local backup protection.
Here’s my understanding so far:
Proton Authenticator: it creates automatic, periodic local backups — but I can’t find a clear statement on whether those backups are encrypted. Manual exports, on the other hand, don’t seem to be encrypted by default (so the user has to protect them).
Ente Auth: as far as I can tell, it doesn’t create automatic local backups. It only allows manual exports, which are encrypted — but you need the Ente app/account to access them, so you can’t really keep an independent, offline-accessible backup.
The key questions I’d like clarified:
Is it correct that Proton’s manual export is not encrypted by default?
Are Proton’s automatic local backups actually encrypted or not?
Does Ente really not offer automatic local backups, only manual exports?
Is it true that Ente’s export, while encrypted, still requires access to the app/account to decrypt it?
What I’m looking for: a way to keep a secure, encrypted local backup that I can still use even if the app/service is unavailable or I’m offline (similar to Bitwarden, where the export can be protected with a password I set at the time of export, and can still be accessed independently of the app).
If my understanding is correct, I’d lean toward Proton: even if I have to manually encrypt the exports myself, at least I’d have a file I can securely store and access independently in a worst-case scenario.
Can anyone confirm these points one by one? Sources (docs, FAQ, GitHub) or practical tests would be really helpful.
I don’t use either actively so don’t know about the specific questions you’re asking about.
Why don’t you give it a shot with one code saved and see for yourself or test it out? In my experience, that’s always the best way to see how they work and what the tool/functionality looks like.
I know what you’re looking for is not what I am about to ask but I ask still out of idle curiosity - why not let your TOTP codes sync? They both have E2EE sync.
I’m using end-to-end encrypted sync between devices — I agree it’s very convenient and secure. At the same time, I’d also like to occasionally create and keep a separate local backup, just to have it available in every situation and protect it myself (kind of like an extra layer of resilience).
I’ve done some quick tests already, but it’s still not 100% clear to me. For example, with Proton it’s hard to verify whether the automatic local backups are encrypted or not. As far as I can tell (I’ll double-check), those backups don’t get stored in a normal folder you can inspect, but rather in a hidden app directory — which makes it tricky to check directly.
I plan to run some additional tests and will update with further details once I have more information.
Correct, no automatic backup. The backups have to be started manually, and can be encrypted or plain text or plain html.
I’m trying Ente without an Ente online account on Android so this is what I see.
You didn’t mention which phone type you have. If you have Android, you may want to consider Aegis. It has encrypted Android backup integration and can put encrypted files into a directory for your other off-phone syncing.
You had another question about the usability of the Ente encrypted backups. I don’t think those can be used for anything other than Ente.
I’m using Ente, and as far as I know you don’t need an account to export and import encrypted backups. I made a manual backup and sent it to Proton Drive encrypted.
I understand, and yes, I’m aware that Ente does not do automatic backups — only manual export, encrypted or plaintext/HTML.
I’m using Android, but I need multi-device sync, including Windows, so Aegis isn’t an option for me.
I’ll keep exploring and testing Ente and Proton further, especially how the backups and exports work, and I plan to post a detailed summary soon to gather more insights from the community.
Yes, I understand that you can export and import encrypted backups without an Ente account.
The point I’m trying to make is that you still need the Ente client app to decrypt the encrypted export. So the backup isn’t independently accessible outside the app.
I’ve done some practical tests with Ente Auth and Proton 2FA and wanted to share my findings along with a few questions for the community.
Proton 2FA
Allows automatic local backups (daily, weekly, monthly).
Backups are encrypted, with a password set specifically for them.
Backups are saved in a folder chosen by the user, but they can only be decrypted via the Proton app client — not independently.
Manual export is always encrypted, same limitation: it’s not independently usable without the Proton client.
I also tested this on Android: the /data folder is visible from PC but empty, probably protected by the system and accessible only through the app.
Ente Auth
Does not create automatic local backups, at least as far as I can see.
Provides manual export, where the user can choose:
encrypted (requires access to the app to decrypt)
plaintext (can be stored independently and protected manually by the user)
Automatic local backups in Ente: I know Ente does not offer automatic local backups as a visible feature, but I want to ask if anyone knows whether it might create backups behind the scenes in a hidden folder, which would add an extra layer of security. I’d also like to hear your thoughts on whether having automatic local backups in this way is useful or not.
So:
Even though Ente does not have automatic local backups (unless it does behind the scenes), I prefer it because it lets me decide when and how to export my 2FA codes.
I plan to occasionally do manual plaintext exports, so I can encrypt and store them myself and access them independently whenever I want.
Proton provides automatic backups, which is great, but they are always tied to the client, so I can’t maintain independent copies easily.
Test with Discord
I also did a test using Discord: I used the same QR code simultaneously to set up 2FA on both Ente and Proton.
The TOTP codes generated were different in each app.
I haven’t tried logging in with these codes yet — the Discord passkey bypasses 2FA — but I wanted to ask if it is expected that the TOTP codes are different when using the same QR code.
Open Questions
Does Ente really create any automatic local backups behind the scenes, even in a hidden folder?
Is it normal that TOTP codes differ between Ente and Proton when using the same QR code for the same account?
Any thoughts on the trade-offs between automatic client-bound backups (Proton) and manual, user-controlled exports (Ente)?
I hope someone can help me, if they know about this or can do some tests.
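Added example, not part of the original post: a minimal RFC 6238 TOTP implementation in Python (standard library only) that shows what two correct apps enrolled from the same QR code should produce. The seed is the RFC 6238 test seed, and the otpauth URI is constructed for this example; it is not a real Discord secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 reference seed (ASCII "12345678901234567890"), base32-encoded; not a real account secret.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed otpauth URI of the kind a 2FA QR code carries; issuer and account are placeholders.
SAMPLE_URI = ("otpauth://totp/Example:user%40example.org?secret=" + RFC_SEED_B32
              + "&issuer=Example&algorithm=SHA1&digits=8&period=30")


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, zero-padded decimal code."""
    cleaned = secret_b32.strip().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8), casefold=True)
    counter = struct.pack(">Q", at // period)            # time step as 8-byte big-endian integer
    mac = hmac.new(key, counter, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri: str, at: int) -> str:
    """Honour the secret, digits, period and algorithm parameters carried in the QR code's URI.

    An app that ignores one of these parameters (or whose clock is off) will show a different
    code from another app enrolled with the same QR code, even though the secret is identical.
    """
    q = parse_qs(urlparse(uri).query)
    return totp(q["secret"][0], at,
                period=int(q.get("period", ["30"])[0]),
                digits=int(q.get("digits", ["6"])[0]),
                algo=q.get("algorithm", ["SHA1"])[0].lower())


def two_apps(secret_b32: str, clock_a: int, clock_b: int, **params) -> tuple:
    """Codes two correct apps would show: equal exactly when their clocks share a time step."""
    return totp(secret_b32, clock_a, **params), totp(secret_b32, clock_b, **params)
```

Comparing the two apps' clocks (Settings > time sync on each device) is the first thing to check when codes from the same QR code disagree.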
Ah, multi-device sync and Windows. Close to what I’m doing.
I have KeepassXC running on my Linux computers with Syncthing, and Syncthing-Fork on Android with KeepassDX or Keepass2Android. Syncthing keeps a TOTP-only database between the three. On the computers, I can use the KeepassXC plugin and keystrokes to automate entry on most sites.
I haven’t settled on a cloud solution yet and am exploring free Bitwarden. I’ll need something in a couple years for my family.
After doing more thorough testing (as I mentioned in my last update), I realized that the backups are indeed encrypted — which is great.
The manual exports are also encrypted. However, I haven’t found a way to generate a clear text export in Proton Auth, which would be useful for independent access.
I still have a couple of questions:
Can you confirm that the only way to decrypt and access the encrypted backups is through the Proton Auth app? Or is it possible to use external tools if the password is known?
Is there (or will there be) any option to create a clear text export, so that users can manually protect and store it for independent access?
Not at all, we don’t want to keep user data hostage. We use argon2id to derive the key from the backup password (parameters can be retrieved from the source code or we can just tell you which ones) and with that key one can decrypt the backup using AES-GCM, decrypting into a JSON with the data. Both of these tools are industry standard.
Yes, plaintext is available on iOS and Android, and we are going to allow this export to happen on desktop also.
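Added example, not Proton's code: a Python sketch of the scheme described above (argon2id from the backup password, AES-GCM over a JSON payload), showing that an external tool needs only the password once the parameters are known. The container layout (salt || nonce || ciphertext), the argon2id cost parameters and the JSON shape are placeholders assumed for this example, not Proton's real ones; it uses the argon2-cffi and cryptography packages.

```python
import json
import os

from argon2.low_level import Type, hash_secret_raw
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed container layout and KDF cost parameters (placeholders for this example, not the
# values Proton uses): salt || nonce || AES-GCM ciphertext+tag, 32-byte key from argon2id.
SALT_LEN, NONCE_LEN = 16, 12
KDF_PARAMS = dict(time_cost=3, memory_cost=64 * 1024, parallelism=4, hash_len=32, type=Type.ID)

# Constructed sample entry; the secret is the RFC 6238 test seed, not a real account.
SAMPLE_ENTRIES = [{"issuer": "Example", "name": "user@example.org",
                   "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "digits": 6, "period": 30}]


def derive_key(password: str, salt: bytes) -> bytes:
    """argon2id(password, salt) -> 256-bit AES-GCM key."""
    return hash_secret_raw(password.encode("utf-8"), salt, **KDF_PARAMS)


def seal_backup(entries: list, password: str) -> bytes:
    """Write a backup: fresh random salt and nonce, JSON payload sealed with AES-GCM."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    ciphertext = AESGCM(key).encrypt(nonce, json.dumps(entries).encode("utf-8"), None)
    return salt + nonce + ciphertext


def open_backup(blob: bytes, password: str) -> list:
    """Read a backup with nothing but the password; a wrong password fails the GCM tag check."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    try:
        plaintext = AESGCM(derive_key(password, salt)).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        # GCM authentication failed: wrong password, truncated file or tampered ciphertext
        raise ValueError("wrong password or corrupted backup") from None
    return json.loads(plaintext)
```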
Manual export is always encrypted, same limitation: it’s not independently usable without the Proton client.
I wanted to note that there is an option in Proton Auth to export without a password (unencrypted) to a specific local folder, and I can confirm that Aegis can import from that unencrypted export without issue. Ente cannot import from Proton Auth exports yet, but it can from Aegis exports so if you need to convert from Proton Auth to Ente that’s how to do it. Also, Proton Auth can import directly from an unencrypted Ente export.