Security and Privacy Failures in Popular 2FA Apps


Table 1: Overview of the backup mechanisms supported in each app. Y* indicates that there is a serious security flaw in the
implementation and/or usage of cryptography (see Section 5.3). Y^ indicates support for multiple types of encrypted file exports
(see Section 5.3.4). Values in parentheses were obtained from documentation and observation only (see Section 6.4).

Aegis seems to score the best out of all TOTP apps.


Whwre is ente, bitwarden, aithenticator pro??

If you mean Bitwarden’s premium TOTP feature, they excluded TOTP in password managers. If you mean the Bitwarden Authenticator app that was released recently, it was released after they had searched for 2FA apps. The same with Ente Auth as that was released in December 2022, a year after they searched for 2FA apps.

Some of the problems that were mentioned have already been fixed. For example, the “Y*” problem for 2FAS has already been fixed.