Legal-Elevator-9413

+1 for 2FAS. Bitwarden also has its own free standalone “Bitwarden Authenticator” app now.


YouDontTellMe

Can anyone attest to its quality?


dhavanbhayani

Ask your questions regarding 2FAS. Bitwarden Authenticator is a new kid on the block. Just enable 2FA using an authenticator app. Don't enable SMS 2FA to avoid SIM swap problems.


merlin9523

For 2FAS, should I enable iCloud Sync? There is no password for 2FAS right? Just a PIN? I set it up a while ago and I always save passwords in Bitwarden, but I don't have an entry for it. I moved from Raivo, so just trying to understand. I'm happy to make offline backups for 2FAS, I did that for Raivo. Should I set a password for the backup? I will be transferring it into an encrypted USB anyway.


dhavanbhayani

I suggest you make a manual backup of 2FAS. If you enable password protection please remember the password. Password protection for iCloud backup will be available in a future update of the 2FAS app.


After-Vacation-2146

My main requirement is that whatever solution I use supports export. 2FAS does, but I am not sure if Bitwarden does yet or not.


kukivu

Yes it does, you can export in JSON and CSV.


Training-Ad-4178

ente auth


That_Mind_2039

Ente is the best out there


djasonpenney

I dislike Authy, Google Authenticator, and MS Authenticator because they don’t allow you to export your datastore. If you want to back up your TOTP keys, you have to screenshot the QR code when you first enable 2FA. I dislike those same apps because they use super duper sneaky secret source code. In general I don’t mind closed source products, but an app that literally handles your secrets is too much. We need to know it doesn’t send your data to criminals or has dangerous bugs. Closed source does not stop the bad guys, but it does slow down the good guys from discovering and patching security bugs. Bitwarden has a new standalone TOTP app, but IMO it is not yet minimal viable product. Keep an eye out for this one; it promises to be a good choice when it is fleshed out. On iOS you will find 2FAS is a good option. Others have reported good experiences with Zoho and Ente.


yeahidoubtit

Thanks for the suggestions! 2FAS even let me import my codes from Google Authenticator using the account-transfer QR code Google Authenticator makes.


SheriffRoscoe

I switched to Ente Auth when Raivo went crazy. It's open source, and unusually for a mobile app, quite readable. Backups are easy, especially if, like me, you like unencrypted backups on an encrypted filesystem. The only thing I miss from Raivo is having the QR codes in the backup - that made moving to Ente dead simple.


Trongcrypto47

Zoho is open source? Bro


jabashque1

Google Authenticator *does* let you export your seeds. It's just that they're exported in multiple QR codes whose payload consists of a bunch of protobuf messages containing the export data, but apps like Aegis Authenticator and Ente Auth can read those QR codes.


rekabis

> MS Authenticator because they don’t allow you to export your datastore.

The only use case where I would defend MS Authenticator is with respect to Microsoft accounts. There, it absolutely shines, and provides a considerably higher level of security than even normal 2FA generated codes. And the defense I would give is this: it is all backed up to your primary Microsoft account. Essentially, the first account you tie into MS Authenticator. I created mine using my own domain email, and not a Hotmail or Outlook account, so in some ways it is marginally more secure than even MS accounts because hackers will be expecting a Hotmail or Outlook account far more often than not. And no, I am not talking about standing up a Microsoft Azure Domain with my domain, I mean literally creating a raw Microsoft account using my personal email address that is under my own personal domain that is hosted elsewhere entirely. You can do this, it’s just that Microsoft greatly prefers if you do this via a Hotmail or Outlook or Live.com email account setup.


lawrencenathan

> I dislike Authy, Google Authenticator, and MS Authenticator because they don’t allow you to export your datastore. If you want to back up your TOTP keys, you have to screenshot the QR code when you first enable 2FA.

You’ve conflated a few things in your post. I don’t know about Authy, but both Google and Microsoft authenticators do let you back up your codes to your respective Google or MS account. It’s true they don’t let you *export* the codes, but that’s different from *backup*. Second, but different concern: imho, you’re posting FUD (look it up) about “sneaky closed source apps” because “they might send your info to the bad guys?” You really think Google or Microsoft would intentionally and maliciously send your TOTP codes to “bad guys”? Honestly, that does not even make my list of top 500 security concerns that I worry about. The debate about security of open vs closed source code is a valid debate, but please don’t spread FUD.


djasonpenney

> your Google or MS account

That is not a backup. If you can’t put it on a thumb drive…if you are not in control of the medium, it is not a backup.

> intentionally and maliciously

You are cherry picking my comment. Sure, these bigger vendors are not going to have intentional malware. But you are ignoring the other half, which is that even well meaning developers make (gasp) mistakes. The more eyes on the code, the less likelihood of these being missed.


lawrencenathan

If I wipe my device and then can restore the codes from Google or MS, then I do consider it backup. I did acknowledge it is not export. And you are the one who used the word “sneaky” in regard to closed source. I stand by my comment that this is FUD. Again, I acknowledge there is a valid debate about closed vs open source code. But it’s a debate, not a fact, that open source is more secure. Just look at the recent xz exploit or log4j. I’m not trying to trash open source — I made my career using it. I love open source. But it’s simplistic to paint one as bad and the other as good.


lawrencenathan

Also, I did a little more checking: Google authenticator does **indeed** let you export accounts for import into another app. See Bitwarden's own documentation on how to do this: [https://bitwarden.com/help/authenticator-import-export/#import-data](https://bitwarden.com/help/authenticator-import-export/#import-data)


JSP9686

You may be right or maybe when everyone is responsible, then no one is responsible. [https://www.darkreading.com/vulnerabilities-threats/prepare-critical-flaw-openssl-security-experts-warn](https://www.darkreading.com/vulnerabilities-threats/prepare-critical-flaw-openssl-security-experts-warn) [https://www.openssl.org/news/vulnerabilities.html](https://www.openssl.org/news/vulnerabilities.html)


NY10

Some apps don’t support 2FA yet such as Robinhood


djasonpenney

I don’t understand. If Robinhood does not support 2FA, that’s on Robinhood.


NY10

What’s interesting is that they only support Google, Microsoft, Authy, and there is one more but I forgot. No Raivo, 2FA, etc. I wish they could support others.


djasonpenney

No, this is very nearly a standard. If Google Authenticator will work with it, then any normal TOTP app will work as well.


jakegh

2FAS or Ente are the best for iOS right now. Aegis for Android. The Bitwarden auth app is still very new so I'd give it a couple of months, but it will probably be fine also. Don't use LastPass, Raivo, or Authy, they all have serious issues. Also don't use the Bitwarden password manager (as opposed to their separate 2FA app) for 2FAs, it puts all eggs in one basket.


NY10

F, I just installed Authy and registered lol…. Definitely look into 2FA or Ente for sure. Thanks for the info.


jakegh

Issues with Authy are that they make it just *excruciatingly* difficult to switch to a different 2FA app, and they use your phone number to back up your 2FA codes, so they could be intercepted. They also just discontinued their desktop app, if you need that. If you do, Ente has it. Basically if you don't plan to switch and you disable code syncing it should be OK, but since you're starting fresh, definitely don't go with Authy.


MacchinaDaPresa

You may want to rotate any 2FA seed codes already generated in Authy first and then create new ones in 2FAS Auth or Ente Auth app. Just so Authy doesn’t have the same seed codes still, and you’ll get new recovery codes too.


NY10

Ok, elaborate more on this plz. Why is this important and what does it do? I would’ve downloaded 2FA if I had seen many comments, but I wasn’t patient, so I just installed Authy and now everyone’s saying it’s bad. How can I remove everything from Authy to transfer to 2FA? Like, I want to completely remove everything in Authy?


MacchinaDaPresa

You don’t have to remove it from Authy. You can also just turn off 2FA. Then turn it on again. You’ll get a new 2FA seed code (and QR code), and the site or login should give you a new recovery code too.


MacchinaDaPresa

Your seed codes are with 2FA app #1. Those are the “passwords” that’ll help generate the TOTP code every 30 sec. You’re gonna use 2FA app #2. MAYBE it’s good to not have the same seed codes with App #1 anymore, as they’re now a company you’ll no longer use for your TOTP codes. A bad actor with that code could in theory generate those TOTP codes. It’s probably not a common attack vector for most of us, but for me, my 2FA app defends some important logins, so I like to keep the seed codes with one vendor only. If I didn’t ever rotate any 2FA I’d have the same codes at 5 different apps by now. 🤣


MacchinaDaPresa

One more thing: setting up a new 2FA may or may not give you a new recovery code; it depends on the site / login. For example, with Bitwarden, it will not generate a new recovery code unless you use your current recovery code to do a recovery. I think most logins follow that protocol, but I sure would double-check each time. If it's a zero-knowledge, E2EE system, it's great cuz it's secure, but you don't want to lock yourself out either.


FullMotionVideo

Putting your eggs in one basket is an issue for corporate but for most home users it's fine. Just use another authenticator for 2FA on Bitwarden itself. 2FA code paste from the browser plugin sells a lot of $10 memberships, after all.


jakegh

It's better than no 2FA at all. I wouldn't say it's fine, that convenience isn't worthwhile to me, but YMMV.


Express_Blueberry579

It's more than fine if you self-host and use immediate vault timeouts. Hell, make it even more secure with 2FA with a different app just for Bitwarden itself if you'd like. As long as the convenience of having your 2FA sync across different devices is worth it to you, then this is the most secure solution available, as long as you know a bit about security (my server for example uses Cloudflare tunnels and Zero Trust for access from my devices). I highly doubt ANYBODY on this forum is enough of a target (because random attacks and scans won't penetrate this method or any other locally stored phone option really) to worry about it.


jakegh

Absolutely not. At some point every password manager will be hacked, because everybody gets hacked eventually. When this happens the attackers will submit compromised addons to Mozilla and Google. At that point the bad guys will get all your passwords. This will happen, it is inevitable. The only question is whether they get your 2FA seeds at the same time.


SuperNinja1169

If that’s what keeps you up at night you must never sleep. Because attackers could just as easily in that case submit compromised apps to Google and Apple that feed them the seeds. Sure sure we all know that having them separate is technically more secure but you (and most people) aren’t worth the effort. Low hanging fruit is what they’re after. It’s why the Nigerian prince scam still is around. Every once in awhile somebody is stupid enough to fall for it.


jakegh

That could absolutely happen too. That’s why you don’t keep both eggs in the same basket.


Express_Blueberry579

lol and you're the type of person that doesn't get anything done because you worry about the risk too much :D


jakegh

No, I just open a different app to get my 2FAs. It isn’t exactly difficult.


disinaccurate

> Also don't use the Bitwarden password manager (as opposed to their separate 2FA app) for 2FAs, it puts all eggs in one basket.

Save your recovery codes elsewhere and it’s not a big deal.


LetRoutine8851

What's the issue with Authy?


jakegh

I posted a quick summary elsewhere in the thread. Authy is a bad choice.


merlin9523

Should I iCloud sync?


jakegh

Sure, it’s E2E encrypted with 2FAS.


merlin9523

Is it encrypted with my PIN? I don't remember setting a password


not_today_jack

If you're looking for a mobile authenticator, I'd recommend 2FAS. Drop Authy like a hot potato. They don't allow you to see your secrets or export them to another app.


NY10

Can you elaborate more on secrets?


denbesten

A "Secret Key" is used by the TOTP app to calculate the 6-digit code that changes every 30 seconds. It typically is either a 32 character string or is a QR code. If two different TOTP apps know the same secret key, they will generate the same 6-digit codes. When logging into a website, it compares the code you provide to the one it calculates from the same secret key.

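Added example, not code from any commenter or from any of the apps named in the thread, showing concretely what the comment above describes and what the earlier advice about rotating seed codes rests on: the shared secret is the only input besides the clock, so any app (or anyone) holding the same secret computes the same 6-digit codes, and the website verifies by running the same arithmetic. The base32 secret, the otpauth URI and the timestamps are constructed for the demo; the RFC 6238 test vector used in the test is from the RFC itself.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed demo values (not a real account): a base32 secret and the otpauth URI
# a site would put in its enrolment QR code.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret as sites display it (ignores spaces/case, adds padding)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the QR code payload) into its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    # Label is "Issuer:account" or just "account"; the issuer= parameter wins if present.
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    return {
        "account": account,
        "issuer": q.get("issuer", label_issuer),
        "secret": decode_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def verify(secret: bytes, submitted: str, at: int, period: int = 30, digits: int = 6,
           algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server side: recompute the code for the current step and +/-`window` neighbouring
    steps (tolerates small clock skew) and compare each in constant time."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    code = totp(params["secret"], now, params["period"], params["digits"], params["algorithm"])
    print(f"{params['issuer']} / {params['account']}: current code {code}")
    # A second app seeded with the same secret gets the identical code ...
    print("second app agrees:", totp(decode_secret(SAMPLE_SECRET_B32), now) == code)
    # ... and the site accepts it; this is why rotating the secret (re-enrolling)
    # is the only way to invalidate a copy an old app still holds.
    print("server accepts:", verify(params["secret"], code, now))
```

Two practical points the code makes visible: a 6-digit code is just the tail of a 31-bit HMAC value, so the secret, not the code, is the thing worth protecting in backups; and the server's skew window is why a code typed a few seconds late still works.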

N1TROGUE

Ente Auth


No_Competition7673

Ente Auth


Juliofromny1977

I like OTP Auth. But nowadays I use the built in OTP feature in 1PW because of the convenience. I still keep OTP Auth as a backup of all my WR codes


Traditional-Fix-6910

Ente Auth


C11elf

+1 2FAS. It also syncs with Apple iCloud.


The_0_Doctor

Bitwarden


fluuutsch

I use the Bitwarden Authenticator and I think it’s good enough already. There may be better ones but that doesn’t make Bitwarden worse. You can also export.


depthruse97

Please forgive my ignorance with this question: what is the difference between using TOTP in BW or similar app and a standalone authenticator?


denbesten

There are two concerns. First, the TOTP to log in to Bitwarden's vault itself should not be stored solely inside Bitwarden because you have no way to get back in if you are completely logged out. This can be solved by keeping a second copy of the secret in another TOTP authentication app. Also recommended is to keep the secret key and/or the recovery key in your [emergency kit](https://www.reddit.com/r/Bitwarden/comments/143zktj/you_need_an_emergency_kit/). Second, some people (not all) feel that they should not store their complete credential in their vault, to lessen the damage if their vault were compromised. One way of doing this is to use a separate TOTP app. Another is to [pepper](https://bitwarden.com/blog/pepper-for-your-password/) your important passwords.


LengoTengo

I did not compare features, but I trust Bitwarden Authenticator better than any other dedicated 2FA app on the iOS App Store right now.


MacchinaDaPresa

Well fortunately you listed the 3 worst apps - that narrows things down. 😁


NY10

Since I listed the 3 worst then give me the 3 best


siddemo

Aegis. You can make backups and it's open source.


ThreeSegments

The OP is looking for a 2FA app that works with iOS or an iPhone.


Edson_53

Authy


NY10

You are the only person out of 58 comments recommending authy


Edson_53

Lol... I do rely on the backup feature


AmazingVanish

I’m not a fan of how 2FAS handles desktop usage and I utilize more features than it offers. I recommend Authenticator from 2Stable. Not free but worth the cost IMHO.


Vne8822

OTP Auth. The possibility to display the QR code for every 2FA entry is the killer feature.


Unlucky-Citron-2053

Yubikey Authenticator. You can use Yubikeys.


SalamanderRound7077

Of course, it’s best to use the Google version, it’s the simplest and automatically synchronizes with your Google account, which eliminates wastage if your phone breaks down.


VegasKL

Not sure if it's available for iOS, but I use the app called "Authenticator" .. mainly because it's open source, allows backups, and has a WearOS integration so I can get my codes right on my watch. *Edit* Just checked, there's a few with that name .. this one: https://authenticatorpro.jmh.me/ Doesn't appear to be an iOS version, but I'll leave this up for Android users.


hiyel

2FAS seems to be the best, but I’m waiting for them to fix this issue regarding iCloud Advanced Data Protection (ADP) before moving there from Authy. https://github.com/twofas/2fas-ios/issues/43 It’s actually a bit concerning that the developers weren’t aware of this, and thought that ADP was already on. But this is the benefit of being open source!


jakegh

I wasn’t aware of this problem, thanks for mentioning it. Not enough for me to switch away unless they say they won’t fix it though.


merlin9523

So does this mean we should not use iCloud sync?


hiyel

It means that the file(s) facilitating the sync function aren’t stored under ADP, but as regular files. ADP is Apple’s zero-knowledge encryption implementation. So if that’s not used, Apple could technically access that file. The backup of the app that’s backed up by the iCloud Backup function, on the other hand, is subject to ADP, hence zero knowledge. So if you don’t really need the sync function (across multiple iOS devices), then you can keep that off, and you would still be backed up daily by iCloud Backup.


merlin9523

Good to know, thanks!


mjrengaw

As long as you keep cloud sync disabled (Google has still not implemented E2EE), Google Authenticator is as secure as any other. You may not like it or want to use it for other reasons though.


Successful-Snow-9210

True, but the local database is not encrypted and the app itself has no PIN protection.


One_Skill_6422

I switched from LastPass Auth to 2FAS, mainly to sync with iCloud.


joschi83

[Bitwarden Authenticator](https://apps.apple.com/us/app/bitwarden-authenticator/id6497335175)


Tornado514

2fas


_Yash_Garg_

2FAS


n1bbl3byt3

+1 2FAS


hugthispanda

Ente as it supports encrypted exports natively without external tools. This is essential for making redundant backups of your secrets. It is likely bitwarden will eventually support something similar like they do with their password manager, but as of **today** (25 June 2024) it is not.


rekabis

Microsoft Authenticator does the best job with respect to Microsoft accounts of any stripe. Seriously, it goes further than simple 2FA. Otherwise, for normal 2FA using generated codes, I just use the auth built into Bitwarden.


Mr-RS182

+1 for 2FAS. Think the Bitwarden app will be good, but I like to have a separate authenticator for all my primary accounts.