Proton releases a new app for two-factor authentication
-
No, Proton specifically has no confirmed association, I agree. So I trust them? No.
I see too many signs, too many people recommending it online, too many all-connected services. For me, this is a recipe for disaster and I’m not here to be lied to my face again.
Not the first time for the very neutral state
According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying".
On a related note, we have also had people ask us about Proton Mail’s official position regarding the ongoing Palestinian-Israeli conflict and whether working with an Israeli company means we are taking sides in this conflict. The answer is NO. As a Swiss company, we adhere to a policy of strict neutrality
I don’t know about you guys but this is enough for me.
Not the first time for the very neutral state
According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying".
If your concern is that the CIA owns Crypto AG, you should take into consideration what their focus is on: are they focused on child predators and gangs, or on people torrenting movies and music?
Crypto AG and Proton have clashed in the past, resulting in this article from Proton:
Is Proton Mail trustworthy? Our thoughts on email trust - Proton Mail Blog | Proton
It’s important to trust your email provider because they safeguard some of your most sensitive data. Should you trust Proton Mail?
Proton (proton.me)
Transparency: You know who runs the company, where they run it from, how they run it, what data they have, how they interact with law enforcement, and much more.
Business model: Their business model (how they make money) is simply having paid users that pay for the service. If they were to breach that trust, then they would no longer be able to sustain themselves.
Competence: They have a team of highly competent people. Most people at their management level have PhDs, and they are trusted by many users with heightened security needs. These users include
, Bellingcat etc.
Verified By Third Parties: Proton is still in the process of getting all their apps audited and open sourced. Currently, the ProtonMail iOS app, OpenPGP.js, GoOpenPGP and all the ProtonVPN apps have been audited by Cure53 or SEC Consult, and the reports are publicly available with the source code on GitHub, with Android and Bridge on the way. Furthermore, they have been checked over by the EU and given 2 million euros of funding that can be used on anything to further their mission, with no other obligations.
Legal guarantees: Proton is based in Switzerland, a country with strong privacy protections, and outside the 14 eyes surveillance network. Under Swiss law, they are only permitted to reveal user data if served with a binding legal order from the Swiss government. Sharing data without a legal order is a criminal offense under Article 271 of the Swiss Criminal Code.
Track record: ProtonMail’s creation by scientists who met at CERN (the European Organization for Nuclear Research) is well documented, including on the CERN website. The scientific background of their leadership team can be easily verified by looking at their academic careers and scientific publications.
More info
On a related note, we have also had people ask us about Proton Mail’s official position regarding the ongoing Palestinian-Israeli conflict and whether working with an Israeli company means we are taking sides in this conflict. The answer is NO. As a Swiss company, we adhere to a policy of strict neutrality
In the header of this article you seemed to have glossed over:
UPDATE April 3, 2020: The information in this article is outdated. As of last year, we no longer have any contract with Radware.
-
There are no very clear reasons to distrust Proton, but is it just me that finds them releasing a 2FA app kinda disturbing? Like, why waste the resources? What could they do better than Aegis, which is already FOSS and privacy preserving? If there is no reason, then I have to wonder if the hidden reason is to get more data into their ecosystem. Which a privacy focused company shouldn't care about.
I am probably just paranoid but I don't trust Proton.
Why release this? Because they're building their own ecosystem. They're trying to build an alternative to the big players, which means they need to have an alternative to all their major products. Maps and YouTube are probably off the table for now, just because of the sheer scale needed for those, but something like this is achievable.
Is Aegis better? Maybe, but that's not really the point, it's part of a family of apps.
-
There are no very clear reasons to distrust Proton, but is it just me that finds them releasing a 2FA app kinda disturbing? Like, why waste the resources? What could they do better than Aegis, which is already FOSS and privacy preserving? If there is no reason, then I have to wonder if the hidden reason is to get more data into their ecosystem. Which a privacy focused company shouldn't care about.
I am probably just paranoid but I don't trust Proton.
Yes it’s just you. They released a 2FA app because it complements their existing password manager and because Google has one. Since Proton is positioned as a privacy-first alternative to Google, it makes sense they’d launch competing versions of any given app or program Google does. A 2FA app also wouldn’t capture any kind of personal data.
What could they do better than Aegis, which is already FOSS and privacy preserving?
Have an iOS app for one.
But also, like, what could they do better than Tutanota mail, which is already privacy preserving? By your logic Proton shouldn’t exist at all. Is it your opinion that non-privacy-respecting software should have lots of competition and options but privacy-respecting ones should not? Can’t say I agree with that.
-
Feels like everyone has forgotten when LastPass was breached, and that was barely three years ago.
Any affected LastPass users storing their 2FA backup codes in with the rest of their login data got a rude awakening.
Anyone who had them separate was at least able to rescue those accounts. But hey do what you like people, I know convenience usually trumps security.
As far as I know, passwords and TOTP keys were never leaked by LastPass. Regardless, I did say almost always.
-
If your concern is that the CIA owns Crypto AG you should take into consideration what their focus is on, are they focused on child predators and gangs or people torrenting movies and music?
If I present my legitimate concerns about companies being tampered with by the CIA with the complicity of a "neutral" country (since it already happened) and your reply is “Chillax bro, even if they are, what do you have to hide? They are not looking for you!”
you either:
- are terribly naive
- work for Proton.
I’m just saying, I don’t trust companies, nobody should, especially when everything seems too good. I think we should always challenge them and replace them at their first mistake. Don’t they follow the glorious free and competitive market? Let em fight.
-
It works, has minor quirks, but it has replaced a lot of things for me. I switched from Google Gmail, Drive, and Calendar to Proton's and it has been good. (Though the whole Lumo AI release move confused me.) Oh yeah, VPN too, well, for other countries; I still use my WireGuard VPN when traveling.
But personally, I'mma continue sticking to Aegis as my authenticator app. (Can't recommend it enough)
Aegis is my go-to. But I also have two phones - my personal Pixel and a work-issued iPhone. I need 2FA on my work phone, but Aegis doesn't support iOS. Proton came through here. It's open-source, too.
-
As far as I know, passwords and TOTP keys were never leaked by LastPass. Regardless, I did say almost always.
That's just scratching the surface. People's credentials are increasingly captured by information stealer malware, including attacks on KeePass. So that 'almost always' ain't right regardless.
The goal of 2FA is to be 'something you have' like an authenticator device or auth app on your phone, working as a secondary verifier that you are who you say you are to the 'something you know' being your password. So if you store 2FA codes with your password then you just have two sets of 'something you know' which is far less secure - and leaves you more vulnerable.
Of course, it doesn't matter much with stuff like a low value forum account that has 2FA, but I certainly wouldn't put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It defeats the purpose.
-
I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.
That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.
People's credentials are increasingly captured by information stealer malware, including attacks on KeePass. It's not just services mishandling their data that people should consider as likely vectors.
I do agree about evaluation - it doesn't matter much with stuff like a forum account that has 2FA, but I certainly wouldn't put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It weakens your protection if something does go wrong.
-
Aegis is my go-to. But I also have two phones - my personal Pixel and a work-issued iPhone. I need 2FA on my work phone, but Aegis doesn't support iOS. Proton came through here. It's open-source, too.
Ente Auth is cross platform.
-
I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I'm creating a SimpleLogin email for each of the ones I'm keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don't want/need anymore, and then setting up 2FA on Aegis if they don't accept hardware tokens.
But it's an intense and long process, though absolutely worth it. With work and personal life, I'm guessing I can be done in a couple of weeks.
This is what I did.
-