Proton releases a new app for two-factor authentication
-
No, we don't know that. And neither do you.
Ehm… no, I do.
-
Ehm… no, I do.
Prove it
-
Looks like it has encrypted sync and desktop apps too, so that's nice if you need stuff on multiple devices.
The sync is the main thing for me. I already back up my Aegis library and upload that to Proton Drive. Difference in security for me is pretty much zero between Aegis and a Proton authenticator app.
-
Ehhhh but they already have this in Proton Pass?
E: found this in the FAQ
Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email aliases and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account, it also allows users to store their 2FA codes separate from their passwords if they wish to do so.
If you already use Proton Pass, I think I'd recommend Ente Auth instead. That's what I use.
It is very wise to store your 2FA codes separately from your general login credentials. If one is breached, the other protects it (hence, two factor). If both are breached, your account is hosed.
Same deal when setting up 2FA on an account and they provide some 'one time use' 2FA codes, they generally say 'do not store these with your standard password credentials - keep them secure and separate'.
-
Hmm... I'm not sure about having an authenticator app on a desktop computer.
Like you are putting all your eggs in one basket. Password managers, and your emails already go to one place for authentication. Adding an authenticator means if your computer is compromised, a person can have access to more accounts.
I always figured this is why desktop authenticator apps aren't a thing.
Absolutely. 2FA codes (and 2FA 'single use codes' / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.
But most people will just breeze past advice and do whatever is most convenient.
-
It is very wise to store your 2FA codes separately from your general login credentials. If one is breached, the other protects it (hence, two factor). If both are breached, your account is hosed.
Same deal when setting up 2FA on an account and they provide some 'one time use' 2FA codes, they generally say 'do not store these with your standard password credentials - keep them secure and separate'.
Correct. However it's worth noting that passwords are almost always compromised server-side. So 2FA is far more a mitigation of data breaches from the provider, rather than your password manager being breached.
-
cross-posted from: https://piefed.zip/post/289079
Why it's not available as apk or aab or on fdroid?
Promoting play store?
-
Why it's not available as apk or aab or on fdroid?
Promoting play store?
What's more, they talk up how it's open source and then don't link to the repo.
Here it is, BTW:
GitHub - protonpass/android-authenticator
-
But few people know that a considerable chunk of that market—including three of the six most popular VPNs—is quietly operated by an Israeli-owned company with close connections to that country’s national security state,
But we're not gonna tell you which ones!
Yeah, not good of them to not share that information.
But for anyone who's wondering, here's a decent article that goes over the shady companies that discreetly own most VPN apps.
Amusingly, and kind of in counterpoint to the guy who you replied to, this article concludes that Proton is actually a solid VPN option that isn't beholden to one of those sketchy VPN-hoarding companies. Though they don't talk about any Israeli influence in Proton TBF. But still, on a general level (excluding the Israel/Palestine thing), Proton seems like one of the better options.
They also recommend Mullvad as a good option. I've never used them, but I've seen them mentioned positively in other articles about VPNs.
ETA: Clarity.
-
Ehhhh but they already have this in Proton Pass?
E: found this in the FAQ
Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email aliases and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account, it also allows users to store their 2FA codes separate from their passwords if they wish to do so.
If you already use Proton Pass, I think I'd recommend Ente Auth instead. That's what I use.
You really should not keep your MFA codes in the same place as your passwords, especially if you are syncing those passwords between devices and/or a cloud service.
-
You really should not keep your MFA codes in the same place as your passwords, especially if you are syncing those passwords between devices and/or a cloud service.
Yes that's why I said:
If you already use Proton Pass, I think I'd recommend Ente Auth instead
-
Ehm… you guys know that behind many major VPN companies there’s the isræli government right?
It's a shit article xD
I searched for a bit and even found a wiki article. The firm is Kape Technologies, I guess?
"On September 13, 2021, Kape acquired ExpressVPN,[24][29] raising concerns based on Kape Technologies' predecessor Crossrider's history of making tools that were used for adware.[30][31][32][33]"
I try to not use Israeli tech or non-Euro tech anyway and wasn't affected, but interesting to know nonetheless. Data sovereignty is important.
-
Absolutely. 2FA codes (and 2FA 'single use codes' / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.
But most people will just breeze past advice and do whatever is most convenient.
I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I'm creating a SimpleLogin email for each of the ones I'm keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don't want/need anymore, and then setting up 2FA on Aegis if they don't accept hardware tokens.
But it's an intense and long process, though absolutely worth it. With work and personal life, I'm guessing I can be done in a couple of weeks.
-
cross-posted from: https://piefed.zip/post/289079
Wow an OTP app.
Maybe a QR creation app is next?
-
cross-posted from: https://piefed.zip/post/289079
This is a more welcome addition than that stupid AI chatbot slop machine.
But I would still like to see them release Proton Drive for Linux already.
-
Absolutely. 2FA codes (and 2FA 'single use codes' / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.
But most people will just breeze past advice and do whatever is most convenient.
I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.
That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.
-
Yes that's why I said:
If you already use Proton Pass, I think I'd recommend Ente Auth instead
Aha. Sorry, I misunderstood. I saw the first line about Proton Pass already supporting MFA and I wasn’t familiar with Ente Auth. I did just look it up and I can’t believe I’ve never heard of it before. It’s even AGPL-3.0, be still my beating heart! Thank you for pointing it out!
https://ente.io/ for anyone curious.
-
Aha. Sorry, I misunderstood. I saw the first line about Proton Pass already supporting MFA and I wasn’t familiar with Ente Auth. I did just look it up and I can’t believe I’ve never heard of it before. It’s even AGPL-3.0, be still my beating heart! Thank you for pointing it out!
https://ente.io/ for anyone curious.
Yes, the biggest difference is that Proton Auth seems to work without an account.
-
What's more, they talk up how it's open source and then don't link to the repo.
Here it is, BTW:
GitHub - protonpass/android-authenticator
I saw it, of course they didn't publish any apk or aab. I don't think a lot of people will compile from the source code, maybe like 0.05% of users.
-
cross-posted from: https://piefed.zip/post/289079
I've been meaning to get rid of Google Authenticator. Think I'm gunna go do that today.