Raivo OTP is not open source

Let’s figure out if this affects our recommendation, or if we should lower the criteria to “source available” :slight_smile:

I haven’t looked at the iOS TOTP space in a while. If there’s a good one that’s also open source, I’m happy to replace Raivo with it; if there isn’t, I’m happy to change the criteria, but either way the current listing is inaccurate.

Replacements we could consider:

There’s also GitHub - ente-io/auth: Authenticator app for storing your 2FA secrets and https://2fas.com/ which should probably be separate threads since they’re not iOS specific.

What’s the reason for “Open Source” as a requirement in this case? Is it transparency and the ability for people to audit the code? In that case, it being “source-available” is good enough for me.

If we keep it, should we weigh recommending their MacOS receiver: GitHub - raivo-otp/macos-receiver: A MacOS TabBar (StatusBar) application that securely receives one-time passwords (OTPs) that you tapped in Raivo for iOS.

Well, being open source in general is not a hard requirement. That said, if there are viable open source alternatives with about the same level of usability, then we will list those above the closed source variants in general.

Also, that said, I’ve been setting my sights on 2fas as well lately as an Authy replacement, but I haven’t been able to play with it personally just yet because of time constraints.

It is for this category, hence the need for some sort of change, for what it’s worth.

That’s what I meant with “in general” ;p.

GitHub - X1nto/Mauth: A Material You Two-factor Authentication app is a nice one for Android. For iOS I use otp-auth, which also isn’t open source, but works offline.

Both ente-io/auth and 2fas fail to meet the minimum requirements, which are:

These requirements include:

  • Must not require internet connectivity.
  • Must not sync to a third-party cloud sync/backup service.

We have two options to consider. Firstly, we can relax the requirements, or secondly, we can stick to the current recommendations. However, if we choose the latter, we won’t have a good alternative for Authy, which is far from ideal due to its weak privacy and lack of data-portability.

Edit: Bitwarden can be a decent alternative to Authy for a good number of people.

Raivo has always been OSS, not FOSS.

This meets the criteria of being open source, no? The license just prohibits redistribution or modification.

No, the term “open source” is defined. The correct term for Raivo is source-available software.

The first point of the Open Source Definition is Free redistribution, so if the license “just” prohibits redistribution it can’t be open source at all.

Thank you, that makes sense.

In that case, since I believe Raivo is definitely worth keeping as a recommended option, the best way to go about it IMO is to update the recommendation requirements to ‘open source or source available’.

I’d assume the open source requirement was originally added more for the ability to inspect and verify the code and its security, rather than for the code’s freedom of redistributability.

This would be a good compromise and middle ground to have against popular (and also great, but closed source) options like Authy and Duo.

Status: In Progress → Done