Ente Authenticator (2FA)

vishnukvmd · September 13, 2023, 5:27pm

Hey everyone, here’s the complete changelog for v2.0: Auth v2

@jonah if there’s anything you’d like us to improve further, do let us know!

avv3lenato · September 15, 2023, 2:16pm

First of all thx for v2.0. A suggestion can be the possibility to group the codes like in 2FAS

Dillot · September 25, 2023, 10:12am

Blocking screenshot and hide from recent app thumbnail would be very cool.

Dillot · September 25, 2023, 12:11pm

Also Tab-to-reveal, Minimize-on-copy, etc features like in Aegis help upgrading user privacy and security much, so please consider adding them in ente Authenticator.

vishnukvmd · September 25, 2023, 6:23pm

Hey, thanks for sharing your feedback, here are our roadmap entries:

Add support for groups · Issue #8 · ente-io/auth · GitHub
iOS - Hide the contents in recent apps when lockscreen is set · Issue #47 · ente-io/auth · GitHub
Hiding OTPs with dots on Home Screen, like Aegis does · Issue #152 · ente-io/auth · GitHub
Provide a setting to minimize the app once a code has been copied to clipboard · Issue #264 · ente-io/auth · GitHub

Will prioritize these in our next sprint

Nostradamus · October 10, 2023, 5:53am

This is (now?) optional

ph00lt0 · October 10, 2023, 5:03pm

Was already mentioned

Nostradamus · October 10, 2023, 11:09pm

This makes the best alternative to RaivoOTP I had seen so far

anon5233878 · October 13, 2023, 11:06pm

Is it recommended to avoid creating an account and using offline mode on one device in order to avoid increasing the attack surface? Or is Ente Authenticator’s sync solution secure enough that it is not that much of a risk to access your tokens on the web for example?

Nostradamus · October 14, 2023, 12:08am

IMO and many will disagree, it is probably fine, 2FA codes aren’t useful by themself and in the case that the codes do get leaked you will be fine as long as you are using good password hygiene. That is the point of 2FA.

anon5233878 · October 14, 2023, 9:53am

That is true. Come to think of it, I haven’t actually read someone be against cross-platform 2FA apps. I read that using Signal across two devices in not recommended due to increased attack surface and incorrectly assumed the same can be said for 2FA apps. If anyone is actually against cross-platform 2FA, would you mind mentioning why that is?

jonah · October 16, 2023, 7:03pm

github.com/privacyguides/privacyguides.org

Add "ente Auth" TOTP app

privacyguides:main ← privacyguides:jonaharagon/ente-auth

opened 07:03PM - 16 Oct 23 UTC

jonaharagon

+21 -1

Changes proposed in this PR: - Recommend ente Auth I'm creating this PR to… speed things up slightly, because the lack of iOS MFA apps on the site is unfortunate, but two team members other than myself need to review, approve, and merge this PR for the same reason as https://github.com/privacyguides/privacyguides.org/pull/2102#issuecomment-1747401016.  - [x] I have disclosed any relevant conflicts of interest in my post. (see https://github.com/privacyguides/privacyguides.org/pull/2102#issuecomment-1747401016) - [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. - [x] I am the sole author of this work. - [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

Polymer7229 · October 19, 2023, 12:17pm

Hi Vishnu,

I’d suggest adding PIN, limiting the attempts to some number (5, 3, whatever) before falling back to entering the password.

One use case is when the user gets robbed and was forced to hand the device PIN over. So, if the user uses a different PIN for ente, then it’s most likely the adversaries can’t get to all the 2FA tokens. With biometrics/device PIN backup access, they can export the entire database.

This would be in line with what some password manager, like Bitwarden, does: allowing PIN access, falling back to the password after some attempts.

Banter8905 · October 22, 2023, 12:58pm

@Polymer7229 Would this work similar to a duress pin? As used by the strongbox password manager.

Polymer7229 · October 22, 2023, 8:35pm

No, I wasn’t even thinking that far ahead, though I did misunderstand a bit how things worked a few days ago.

Some Android apps use biometric authentication, but allow the device PIN to unlock them. This is no good if you’re forced to hand over the device PIN. Strongbox duress PIN is a step further. Nice.
Some apps authenticate primarily by PIN, but these could be vulnerable to keyboard simulator attacks. It would be better for security apps to fall back on a password after too many PIN attempts.
Some people may not trust their biometric hardware, and an app PIN seems like a reasonable third factor (albeit password-backed) for getting into a security app.

jonah · October 22, 2023, 10:03pm

ente Auth will be added to the site in 8f565e6, so I’m locking this discussion as completed

@Polymer7229 Feature requests for ente Auth can be posted to their GitHub issues page. Otherwise they’re off topic here on this forum unless one of the ente Auth developers opens a thread in Project Showcase, because otherwise we have no way of knowing that the developers will see posts here.

Obviously if anyone has feedback to add about ente Auth that would change our recommendation then feel free to open another thread.

jonah · October 22, 2023, 10:03pm

Topic		Replies	Views
OTP Auth for iOS Tool Suggestions	10	1094	July 28, 2023
Are there any trustworthy TOTP authenticators which meet my criteria? Questions software	0	676	August 1, 2023
2Fa : Keyring and Authentificator Pro Tool Suggestions	3	620	August 22, 2023
What cross platform 2FA service? Questions software	11	1439	July 15, 2023
Add TOFU (MFA) Tool Suggestions	6	1366	September 13, 2023

Ente Authenticator (2FA)

Related Topics