Proton Authenticator concerns

The F-Droid team has marked Proton Authenticator as an app that fingerprints users.

Full discussion here

Should we be concerned?


While the discussion can go on, for those reading and wanting to know of an alternative: Ente Auth is a fantastic choice for your 2FA needs.

As for this Proton Auth, more technically adept people/developers will need to objectively evaluate what Proton is saying and why, and then conclude whether it is justified or not and what its intended or unintended consequences may be for users.


If I already use Proton Pass and have my 2FA codes in there, is there a major reason to start using a separate 2FA app? I understand it adds an additional layer of protection if one of the accounts is hacked, but I guess I’m trying to get a feel for what people tend to do with this choice. My accounts are already hard enough to log into with 2FA, and I’m worried that adding another app to open each time I want to log in would be extra laborious.

Absolutely NOT! F-Droid has long been known for marking packages they don’t like as malicious/fingerprinting/whatnot.

Ente? I never heard they offer an auth app as well. I’ve always thought they were a gallery app.


Any more information? What do you mean “do not like”? Examples?

This is a bit weird. If people don’t sync, why does Proton need anti-abuse protection?


Just because most people don’t do something does not mean all of them don’t. There are people who abuse the Proton free tier for their shady tactics.

What type of abuse can happen if the user does NOT USE the online feature and uses only the LOCAL one?


OFC none. But I wasn’t talking about this.

What I was talking about is a scenario in which people (scammers?) set up multiple accounts (under free tier) and start spamming random people with their nonsense/adverts.

F-Droid has long been known for marking packages they don’t like as malicious/fingerprinting/whatnot.

Proton Pass connects to the Proton API, storing logs about every session, as soon as you open the app.

In my opinion this is a reason to be concerned, as those logs provide a bunch of data, and even more if you are signed in. Additionally, those requests are simply made without the user’s consent.

This surely doesn’t look like F-Droid “just doesn’t like it”.


What type of abuse can happen if the user does NOT USE the online feature and uses only the LOCAL one?

None. That’s the reason we should be concerned. Proton Pass connects to an API without any reason if sync is turned off. This compromises your security and could leak sensitive data besides them logging your sessions.


Can you explain how exactly in more detail?

Below is one possible scenario.

The connection timestamp as well as other parameters are exposed to someone performing a traffic analysis on your network. This means the attacker would know the destination address and the timestamp when you opened the app.

Storing that information over a long period could be used against you in the following ways:

  • Pattern analysis: The attacker may analyze when you opened the app and use this against you, for example when the attacker can predict your next time of access.
  • Targeted phishing: Based on the app usage pattern, attackers may attempt personalized phishing attacks.
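The pattern-analysis scenario in the post above, worked through as an added example (this is not code from the thread, from Proton, or from F-Droid). It assumes a passive observer who can log connection metadata on the user's network (timestamp and destination host, as a router or NetFlow-style collector records them) and treats every connection to the app's API endpoint as an app launch, which is the thread's premise when sync is off. The log lines and the hostname api.example-auth.test are constructed for the example and are not Proton's real infrastructure.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed flow-log lines (not a real capture):
# "<ISO timestamp> <destination host> <destination port>".
# The hostnames are placeholders chosen for this example.
SAMPLE_FLOWS = """\
2024-03-04T08:02:11 api.example-auth.test 443
2024-03-04T08:03:40 cdn.example.test 443
2024-03-04T18:31:05 api.example-auth.test 443
2024-03-05T08:00:52 api.example-auth.test 443
2024-03-05T18:29:44 api.example-auth.test 443
2024-03-06T08:01:19 api.example-auth.test 443
2024-03-06T12:10:02 cdn.example.test 443
2024-03-06T18:33:27 api.example-auth.test 443
2024-03-07T08:04:33 api.example-auth.test 443
2024-03-07T18:30:58 api.example-auth.test 443
"""


def parse_flows(text):
    """Parse one flow per line into (timestamp, host, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, port = line.split()
        flows.append((datetime.fromisoformat(ts), host, int(port)))
    return flows


def app_open_times(flows, target_host):
    """Every connection to the app's API host is taken as an app launch
    (the thread's premise: the client phones home on every open)."""
    return sorted(ts for ts, host, _ in flows if host == target_host)


def hourly_profile(times):
    """Number of launches per hour of day."""
    return Counter(t.hour for t in times)


def habitual_hours(profile, min_share=0.25):
    """Hours holding at least min_share of all launches: the user's routine."""
    total = sum(profile.values())
    return sorted(h for h, n in profile.items() if n / total >= min_share)


def predict_next_open(last_open, habitual):
    """Earliest habitual hour after the last observed launch."""
    later_today = [h for h in habitual if h > last_open.hour]
    if later_today:
        return last_open.replace(hour=later_today[0], minute=0, second=0)
    next_day = last_open + timedelta(days=1)
    return next_day.replace(hour=habitual[0], minute=0, second=0)


def analyze(text, target_host):
    """Run the whole pipeline over a flow log and summarise what an observer learns."""
    opens = app_open_times(parse_flows(text), target_host)
    profile = hourly_profile(opens)
    habitual = habitual_hours(profile)
    return {
        "launches": len(opens),
        "profile": dict(profile),
        "habitual_hours": habitual,
        "next_expected": (
            predict_next_open(opens[-1], habitual) if opens and habitual else None
        ),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS, "api.example-auth.test"))
```

Two practical caveats. An on-path observer does not see the request body or URL path of a TLS connection, only the destination IP, the TLS SNI (or the preceding DNS lookup) and the timing, so the hostname match above is the realistic signal; everything beyond "opened the app at 08:00 and 18:30 every day" is inference. And the same signal disappears if the client does not contact the API when sync is disabled, which is the factual question the thread is asking.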