Loss of popular 2FA tool puts security-minded GrapheneOS in a paradox

GrapheneOS, a security-focused custom Android operating system, faces challenges after the popular two-factor authentication tool Authy became incompatible with its platform. Shawn Wilden, a tech lead for Android's hardware-backed security, explained that custom operating systems like GrapheneOS are often viewed as insecure due to their inability to meet Google's Play Integrity requirements. This system verifies whether devices adhere to Google's security model, which is difficult for custom ROMs that do not include Google Play Services by default. While GrapheneOS allows users to install a sandboxed version of Play Services, it does not guarantee compliance with Google's standards. Wilden mentioned ongoing discussions with high-quality ROM developers to establish trust and compatibility, but acknowledged the complexity of the process. GrapheneOS criticized Google's Play Integrity API, claiming that many certified Android devices do not meet the necessary compatibility standards. The project has indicated potential legal action against Google if it remains excluded from the Play Integrity API, asserting that regulators are interested in the matter. The situation highlights a broader issue regarding the perception of security in custom ROMs, as GrapheneOS argues that not all alternative operating systems compromise security. The future of GrapheneOS and its relationship with Google remains uncertain, with no clear resolution in sight unless significant changes are made by either party.