July 5th, 2024

Ente Auth: open-source Authy alternative for 2FA

Ente is a private cloud service with end-to-end encrypted backups for photos and videos. Their Auth 2FA authenticator ensures secure token backups. Users can organize tokens and access them easily across platforms. The service is open-source, emphasizing privacy and data portability. Apps are available for mobile, desktop, and web, offering family plans, sharing, collaboration, and encryption features.

Ente is a private cloud service offering end-to-end encrypted backups for photos, videos, and more. Auth, their open-source 2FA authenticator, ensures secure backups of tokens with cross-platform synchronization. Users can organize tokens with icons, tags, and favorites, streamlining access. The service allows for easy import of tokens through QR code scanning or manual entry. Ente emphasizes privacy by being fully open source, enabling data export and import without lock-ins. With apps available for mobile, desktop, and web platforms, Ente aims to provide a seamless and secure cloud storage solution for users' memories. Additionally, the platform offers features like family plans, sharing, collaboration, and magic search, while prioritizing encryption and replication for data security.

32 comments
By @vishnumohandas - 7 months
Hello, one of the folks working on Ente Auth here. Thanks for putting us on the frontpage!

To give some context, we built Auth for ourselves because we wanted a product that was cross-platform, open source[1] and offered end-to-end encrypted backups[2].

Since launch[3], the product has undergone iterations[4][5].

Auth is now available on Android, iOS, Linux, Mac and Windows[6]. We also have a read-only companion app for the web[7].

Backups are end-to-end encrypted, optional and free. You can use all our apps (minus the web) without an account.

You can also self-host[8] if you wish.

Please let me know if you have any questions!

[1]: https://github.com/ente-io/ente

[2]: https://ente.io/architecture

[3]: https://ente.io/blog/auth/

[4]: https://ente.io/blog/auth-v2/

[5]: https://ente.io/blog/auth-v3/

[6]: https://github.com/ente-io/ente/releases?q=tag%3Aauth-v3

[7]: https://auth.ente.io

[8]: https://help.ente.io/self-hosting/

By @mikepollard_dev - 7 months
Security platforms should be open source by default. It provides assurance that nothing weird is occurring behind the covers and also shows confidence in the implementation and the cryptography behind it all.

I will also never forgive Authy for removing desktop support with near immediate deprecation and no way to export off their platform.

I will never use another Twilio product again after that.

By @secstate - 7 months
I feel like this misses the problem with Authy. There are hundreds, possibly thousands of 2FA alternatives for Authy. But when my 401K provider requires Authy to log in without providing a generic 2FA option, THAT is the problem.
By @csdreamer7 - 7 months
People complaining about an "Authy jail" and yet I have no issues with Aegis. Which is also open source, available in the f-droid store, and been around for years.
By @jamesralph8555 - 7 months
I’ve had a really poor experience with the (open source) 2FA app Raivo on iOS. Developer got bought out. Ads got added, and a bug was introduced where users lost 2FA backup. Losing 2FA access was not as bad as I expected since I stored 2FA backup codes in Bitwarden notes. A lot of sites also feature email recovery. I ended up migrating TOTP 2FA to Bitwarden and it’s been very convenient.
By @nicpottier - 7 months
This looks quite nice, thank you for releasing it open source. Also neat to see a real Flutter app in the wild, this seems like a great use case for it. Would love to read your experience building something polished across iOS/Android on Flutter.

One note as I signed up for an account is that the email verification went to Gmail's spam. Probably nothing to be done about that but mentioning it.

I would also add an "authy" option when importing that just goes to an explanation of why it isn't possible and steps you can take to create new tokens etc.

In any case, well done and thank you!

By @evolve2k - 7 months
My hunt for an open source Authy took me to 2FAS, which has been fine. Any opinions on this offering?

2FAS — the Internet’s favorite open-source two-factor authenticator

https://2fas.com

By @r0ckarong - 7 months
I'm very happy with Aegis.
By @mrbluecoat - 7 months
Ente Auth is awesome - I've been using it ever since Authy discontinued their desktop app: https://mrbluecoat.blogspot.com/2024/03/bah-authy-discontinu...
By @ploum - 7 months
It should be highlighted that the flagship app from ente is not their 2FA but their wonderful encrypted photo app. It is a fully encrypted alternative to Google Photo.

It is far from perfect but already very usable. There’s also a Linux desktop client that allows me to sync all my photos on my computer.

I really recommend them (nice team)

By @ackyshake - 7 months
Last week, I started to explore `pass`[1], to move away from my current Authy + iCloud Keychain ecosystems. It's pretty barebones but that's what I like about it. I like it so much that one week later, I've fully migrated away and couldn't be happier.

And the news about the Authy leak yesterday validated my move, if anything.

I don't really care for ente; it's more complicated than what I need from a password manager. And the fact that pass is so much more customizable (being as it's only 700 or so lines of shell script), I don't feel like I need anything more _personally_.

[1]: https://www.passwordstore.org/

By @Loranubi - 7 months
Because I got fed up with all the existing 2FA apps (lack of backup, export, ...) I created a simple (desktop) CLI app which works for me: https://github.com/Dobatymo/otp-tool

It's just a one day project so far. But it has some nice features like taking a screenshot and reading QR codes from it and storing everything in a single encrypted file (which you can easily put on a cloud drive if you want to sync, otherwise it's completely offline).

It only supports the standard RFC 6238 TOTP so far.

By @benbristow - 7 months
I've been using Authy as a backup for 1Password (previously BitWarden/LastPass)'s 2FA since in a worst-case scenario I can get a replacement SIM card from my phone network's store and get back into my 1Password account via recovery. This has had to be tested once when my phone got pickpocketed in Amsterdam.

Is there a better alternative? Authy is fine for this use, the rest of my 2FA tokens are in 1Password itself.

By @neoecos - 7 months
This looks good, as I wanted to "escape" the Authy jail (you cannot easily move out with your secrets), but moving a lot of 2fa's to a "new thing". How to make sure they are a good project?
By @BonusPlay - 7 months
What's the point of having your 2FA codes synchronized across all your devices?

Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device and ability to "across devices" comes as an anti-feature for me.

1) If you're not using a password manager, then you're probably using the same password everywhere, including your 2FA app.

2) If you're storing your 2FA codes in your password manager, then it's not really a 2nd factor. It helps against password leaks from services, not from a password manager leak.

Ability to synchronize encrypted backup is a different story.

By @xrd - 7 months
I'm worried that if my device fails I won't be able to recover all the sites I've registered on my phone. Does anyone know if this can enable backup quickly to another device in a secure way?
By @LorenzoGood - 7 months
I'm waiting for Bitwarden or Aegis export capability before trying this out.

You can't easily export your codes into a different format using this app, meaning that it is difficult to migrate away once you have already moved your codes over.

Other than the (hopefully temporary) lock-in, this is a great app.

By @charlietango592 - 7 months
This makes me want to restart working on Owky - my 2FA open-source pet project.

Owky is short for “Own your keys”. Therefore the user owns the data - can easily be exported, and there’s no server sync (on purpose). No iCloud sync, nothing.

The app needs some love indeed, but it’s in a usable state.

By @pebblesun - 7 months
Is there any problem using Password Manager's feature to get 2FA codes? I use 1Password and it has this feature built in and automatically fills after filling the password. Even iPhone's latest Password app also has this built in.
By @andrewmcwatters - 7 months
I don't see people mention this enough, but iCloud Keychain generates TOTPs. I've been migrating all of my accounts slowly to just use the built-in Apple Passwords functionality.

In Safari, right click on TOTP QR codes.

By @rattray - 7 months
Anyone else confused with this name vs Microsoft Entra, the new name for Active Directory?

Is there any shared etymology between Ente and Entra? I'm curious where both come from.

By @bdcravens - 7 months
Do any of the many TOTP options have the ability to organize, or put codes into vaults? Once you have more than a couple of dozen saved, it starts to get tedious.
By @tw04 - 7 months
How does this compare to duo? Is there anything beyond being open source that differentiates it?
By @InfiniteVortex - 7 months
Somewhat related: I hope there will be more news coverage/attention on the whole Raivo situation. It totally seems like something that should be reported on. Raivo, marketed as open source, despite never being OSI-defined open source, created by a computer security professional & expert sold it (2fa app) to a shady & unknown guy from Morocco, who put people's codes behind a paywall. Crazy story. And we (probably) found out the guy behind it too.
By @SSchick - 7 months
Tangentially: I just got rid of Authy, it took me 2h to migrate everything, moved to Apple Passwords (yea yea, still proprietary) which has a so far solid export feature.

I will never forgive Authy/Twilio for deliberately making exports impossible.

By @skinkestek - 7 months
Isn't this the thing that fell victim to a hostile takeover a few weeks ago?

Or am I just confused?

By @anssip - 7 months
I've developed a command-line password manager and authentication application in Rust. Here are the key features:

1. Uses KeePass file format for secure credential storage
2. Supports One-Time Passwords (OTP) for two-factor authentication (2FA)
3. Provides a convenient CLI interface for retrieving 2FA codes

The project, named Passlane, offers a streamlined approach to password management directly from the terminal. It's particularly satisfying to generate 2FA codes via command line!

For those interested in exploring the code or contributing, you can find the project on GitHub: https://github.com/anssip/passlane

I'd appreciate any feedback or suggestions for improvement.