2STP (3rd party Google Authenticator app) - have Watch version - safe to use?

I am pretty sure all of the data is stored locally on the phone/watch and doesn't upload the token anywhere but we would have to trust the Apple approval process for reviewing the code to ensure its not malicious. However, a developer would be more familiar with the code review process so perhaps they can chime in. Ultimately, you should trust the developers of the apps you choose to install. Also the token is just half of your login authentication and they would still need your password.

 

I'd recommend Authy. Very good and mature MFA app on iOS and has a good watch app.

 

Google Authenticator is just a TOTP which is standardized by the IETF. Therefore, anyone who followed the standard to develop their app would automatically be compatible with any service which also uses that standard, of which Google Authenticator is one of. It's also why Google Authenticator can be used for other sites like Github, Linode, Microsoft, etc.

 

Hi! I'm actually the developer of 2STP. I can help shed a little light on how two-step authentication works.

When you enable two-step authentication, you usually get a QR code to scan. That QR code contains a "shared secret key," along with some other information like the name of the website and a display name. It's called a "shared" secret key because it's known to both you and the website you're logging into.
Using that secret key, the current time, and some math, you can generate a two-step authentication code. The math and current time are publicly known, but because only you and the website know the shared secret, the two-step codes are secure and can't be guessed.

However, the process becomes less secure if the shared secret key is made available to anyone else besides you and the original website.
That's part of the reason I made 2STP. Google Authenticator, as you've noticed, lacks several convenient iOS-specific features. Authy is better, but because Authy uses an online account system, it's very easy to unintentionally hand them a copy of your shared secrets, which is less secure. I personally also don't like how the codes aren't all displayed on one screen.

2STP never connects to the internet without your permission. All data is encrypted and securely stored in the iOS Keychain, and is never shared with anyone without your direct permission. In fact, the only time it connects to the internet or shares account data is when you use the Import/Export Account feature, and even then it's technically not the app that connects to the internet, but iOS itself.
You'll have to take my word for it, since there's no easy way to verify it first-hand—but if it makes you feel better, know that there's no way I could afford the infrastructure needed to collect all these secret keys, which are useless without the corresponding username and password in any case.

Anyway, thanks for considering my app! I wrote it mainly for my own use, but I'm glad it's helpful to others as well.

(As a side note, I am almost 100% certain that the App Review process does not check for malicious code in this way. Since Apple only receives a binary, it would be prohibitively difficult and expensive to analyze the code in any meaningful way. App Review mainly just checks that the app appears to perform as advertised, doesn't have any really obvious bugs, and doesn't use private APIs.)

 

Thank you for this amazing app. Is it possible for the codes to be generated on the apple watch itself so that you could access the codes on the watch without the phone present? That would be a feature I would pay for in an in-app purchase or "pro" version. Anyway, thanks again, love the app!

 

Thanks for using my app! Unfortunately, it's not possible to run Watch apps independently from the iPhone in iOS 8 and the current version of the Apple Watch OS. The good news is that iOS 9 and watchOS 2, to be released later this fall, does support this!
I'm currently working on an update to 2STP which has a completely re-engineered Watch app that works independently from the iPhone and will be released alongside iOS 9. In fact, this feature is already completely implemented! I don't like in-app purchases in general, so this feature will be available for everyone with that upgrade.