Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apps 2STP (3rd party Google Authenticator app) - have Watch version - safe to use?

S

striders

macrumors 6502
Original poster
Mar 11, 2009
406
24
I use Google Authenticator to provide 2 factor authentication (2FA) for almost all of my online accounts. However, Google doesn't offer the app in Watch version.

A 3rd party developer created an app called 2STP that does have the watch version.

https://itunes.apple.com/us/app/2stp-2-step-authenticator/id954311670?mt=8

But, is is safe to use 3rd party app in this way? Can the developer make copies of the barcode, account name, etc?
 
I am pretty sure all of the data is stored locally on the phone/watch and doesn't upload the token anywhere but we would have to trust the Apple approval process for reviewing the code to ensure its not malicious. However, a developer would be more familiar with the code review process so perhaps they can chime in. Ultimately, you should trust the developers of the apps you choose to install. Also the token is just half of your login authentication and they would still need your password.
 
mbhforum said:
Also the token is just half of your login authentication and they would still need your password.
Click to expand...

Ah, you're right on that part.

I was not being paranoid, but with all the hacking going on in the last a couple of years, I am just being extra careful on to who and where my data is going.

I am curious how can a lone app developer make a copy of a functional Google Authenticator...
 
striders said:
I am curious how can a lone app developer make a copy of a functional Google Authenticator...
Click to expand...

Google Authenticator is just a TOTP which is standardized by the IETF. Therefore, anyone who followed the standard to develop their app would automatically be compatible with any service which also uses that standard, of which Google Authenticator is one of. It's also why Google Authenticator can be used for other sites like Github, Linode, Microsoft, etc.
 
vladzaharia said:
Google Authenticator is just a TOTP which is standardized by the IETF. Therefore, anyone who followed the standard to develop their app would automatically be compatible with any service which also uses that standard, of which Google Authenticator is one of. It's also why Google Authenticator can be used for other sites like Github, Linode, Microsoft, etc.
Click to expand...


Thanks for the information!

Out of my curiosity, is it possible for someone to build a 2FA apps for GAuthenticator but then sneak some "feature" to copy the information so that the developer can replicate the 2FA in their own Google Authenticator? I understand they will still need to know the user password, but looking at how many company got hack nowadays, it won't be long before they got the password (credential stuffings, etc.).

2FA is supposed to make the account more secure (though not completely_, so if that's compromised through the above... well.. not good.

BTW, not slamming on 3rd party Google Authenticator developer, just want to get more information.
 
Hi! I'm actually the developer of 2STP. I can help shed a little light on how two-step authentication works.

When you enable two-step authentication, you usually get a QR code to scan. That QR code contains a "shared secret key," along with some other information like the name of the website and a display name. It's called a "shared" secret key because it's known to both you and the website you're logging into.
Using that secret key, the current time, and some math, you can generate a two-step authentication code. The math and current time are publicly known, but because only you and the website know the shared secret, the two-step codes are secure and can't be guessed.

However, the process becomes less secure if the shared secret key is made available to anyone else besides you and the original website.
That's part of the reason I made 2STP. Google Authenticator, as you've noticed, lacks several convenient iOS-specific features. Authy is better, but because Authy uses an online account system, it's very easy to unintentionally hand them a copy of your shared secrets, which is less secure. I personally also don't like how the codes aren't all displayed on one screen.

2STP never connects to the internet without your permission. All data is encrypted and securely stored in the iOS Keychain, and is never shared with anyone without your direct permission. In fact, the only time it connects to the internet or shares account data is when you use the Import/Export Account feature, and even then it's technically not the app that connects to the internet, but iOS itself.
You'll have to take my word for it, since there's no easy way to verify it first-hand—but if it makes you feel better, know that there's no way I could afford the infrastructure needed to collect all these secret keys, which are useless without the corresponding username and password in any case.

Anyway, thanks for considering my app! I wrote it mainly for my own use, but I'm glad it's helpful to others as well.

(As a side note, I am almost 100% certain that the App Review process does not check for malicious code in this way. Since Apple only receives a binary, it would be prohibitively difficult and expensive to analyze the code in any meaningful way. App Review mainly just checks that the app appears to perform as advertised, doesn't have any really obvious bugs, and doesn't use private APIs.)
 
Last edited:
  • Like
Reactions: msephton, DavidLynch and aDRock1154
Hi Thomas!

Thank you for the detailed explanation. It's always great when the developer is active in the Apple community and answer the questions/concern from the users.
 
Thank you for this amazing app. Is it possible for the codes to be generated on the apple watch itself so that you could access the codes on the watch without the phone present? That would be a feature I would pay for in an in-app purchase or "pro" version. Anyway, thanks again, love the app!
 
spamdumpster said:
Thank you for this amazing app. Is it possible for the codes to be generated on the apple watch itself so that you could access the codes on the watch without the phone present? That would be a feature I would pay for in an in-app purchase or "pro" version. Anyway, thanks again, love the app!
Click to expand...

Thanks for using my app! Unfortunately, it's not possible to run Watch apps independently from the iPhone in iOS 8 and the current version of the Apple Watch OS. The good news is that iOS 9 and watchOS 2, to be released later this fall, does support this!
I'm currently working on an update to 2STP which has a completely re-engineered Watch app that works independently from the iPhone and will be released alongside iOS 9. In fact, this feature is already completely implemented! I don't like in-app purchases in general, so this feature will be available for everyone with that upgrade.
 
  • Like
Reactions: DavidLynch
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back