The desktop app is very nice to have, and I like Proton's iOS interface better than Google Authenticator. One thing this app doesn't do though is local exports/backups, so the only way to save your code accounts is to use the iCloud feature.

I may be paranoid but I feel safer having my TOTP codes connected to nothing, only accessible on my devices which are protected by physical proximity and Face ID. So unfortunately Proton won't work for me.
I have been using Microsoft Authenticator for years for TOTP only; passwords and passkeys are in Chrome and Apple Passwords. Microsoft Authenticator backs up to iCloud so it's easy to recover if necessary. I only have it installed on my iPhone.

I don't think it is paranoia - Microsoft is discontinuing passwords in Authenticator anyway. I would love to see passwords go away for good (including at work) but unfortunately too few services will let me use passkeys. (I set up Yubikeys for a few but discovered they were a pain to set up and use.)

Having all of my TOTP codes in one app is just easier for me. Downside is that if I lose access to my phone, I can't access my TOTP codes either. That is the only thing that bothers me about Microsoft Authenticator because my iPhone is my only mobile device and it's no longer supported on Apple Watch.
 
SMS 2FA is better than no 2FA, but it's still not very secure. SIM jacking attacks, and the general lack of security with SMS means it's not great for protecting accounts.
I forgot to mention earlier that I use my carrier's SIM lock feature, so someone would have to gain access to that account to turn it off and move my phone number.

Is there something inherently problematic about the SMS 2FA codes if they are intercepted? I mean, what good is the code gleaned from the cellular signal without knowing the context for its existence?
 
Yeah but who actually uses Apple Passwords lol. It's so barebones and behind every other password manager.

I do. Apple Passwords functions exactly as it says on the tin and is pretty reliable.

As a long time user of 1Password, moving to Apple Passwords wasn’t a decision I was about to take lightly. With over 350 unique logins for both personal and multiple business systems, I consider myself to be a relatively experienced user. This excludes the sites where I’m required to use some corporate standardized tools such as Google Authenticator for the Google Workspaces.

Sure, the interface does feel a tad sparse, but its simplicity is what makes Apple Passwords easy to use - and fast too. On an average day I would use it about 30 times across a similar number of systems and have yet to have any major problems with it.

The one exception that I have found frustrating was a lack of password history, but this is being resolved in OS26.

What’s more, it was able to successfully import every one of my 1Password logins which is why I no longer need to use 1Password.
 
Am I the only one that likes the simplicity of the Apple Passwords app? Syncs over my devices, is, hopefully, secure, does 2fa and password gen... Can someone tell me why I'd want to use a 3rd party app for any of this?

Your entire password-protected life is locked down by your Apple ID/lockscreen password. If your phone is compromised, so is everything else.

It's why I don't keep my Apple, Google or banking logins saved in there. As I said before, Apple really, really, REALLY, needs to allow for setting a completely independent password for the Passwords App.
 
Am I the only one that likes the simplicity of the Apple Passwords app? Syncs over my devices, is, hopefully, secure, does 2fa and password gen... Can someone tell me why I'd want to use a 3rd party app for any of this?
If you are only using Apple devices, their Passwords app is a decent solution.

This Proton 2FA App and most Proton services are available on all major desktop and mobile platforms.

Security wise there's a trade-off of convenience and security. Having the 2 FA Codes or even Passwords and Passkeys themselves in a separate App/service and requiring another PW/unlock method versus simply directly on your iDevices (Apple ID account and its security measures).

Edit: @WarmWinterHat explained it in a good way, while I was writing this.
 
Am I the only one that likes the simplicity of the Apple Passwords app? Syncs over my devices, is, hopefully, secure, does 2fa and password gen... Can someone tell me why I'd want to use a 3rd party app for any of this?
Apple Passwords has a lot going for it to be sure. Everything is in one place, auto-filled codes, synced across devices automatically. There are probably other advantages.

The one reason I don't use Apple Passwords for TOTP codes is my perhaps paranoid aversion to using the same service for my passwords and TOTP codes. To me, using the same service for both removes one factor of the multi-factor authentication sequence.
 
Can proton make a chat platform? Essentially a clone of Microsoft teams, but improve where teams stagnates. For example, the cross platform, forever editing abilities in teams help to make it an industry leader in terms of accessibility. I think a hypothetical proton chat would be wise to follow those footsteps and allow unlimited multiple devices and unlimited messages editing like teams allows.

There's really only "little issues" with teams. The following items could be added to proton chat to give it a leg up.

1. Proton chat should make its voice message button *tap and release* to record. Microsoft teams chats' voice message button doesn't work across all devices because it's right next to the edge, it's tiny, and it requires the user to hold down while recording. This doesn't work across devices because of inconsistencies with regard to how smooth glass touchscreens work. So tap and release is preferable.

2. Usernames - it would be nice if proton chat would allow us to set up editable usernames if we want. Like telegram, it's not required, but we can if we want. This makes it more approachable for sharing with friends, colleagues, etc. With teams, currently you'd have to write out your email or number. But if you want others to *specifically reach out to you via the chat platform* it makes more sense to say "message me on [chat platform] @username1234" rather than "message me on teams at username@email.com or phone number".
 
Apple passwords does this too...
I believe so, though it’s always not a bad thing to have certain aspects of our lives held somewhere independently and completely cross OSs. Proton is a good service and more features have to mail, calendar etc. I hope this continues. More sort options in mail would be great. Especially in the new newsletter section.
 
Regarding adoption of passkeys, I think people in general don’t like passkeys that much, because while in principle more secure, they are a bit of a black box. Entering a password or time-based code is something that everyone can intuitively grasp on some level. The mechanism of passkeys is more opaque and a bit inscrutable.
I’d add that as soon as passkeys launched, google and apple used them to help with ecosystem lock in.

And as you say it’s all a bit opaque so it’s no wonder that people are suspicious.
 
You only need an account if you want to sync the codes to another device, otherwise it's not necessary.

It has an "import" option but (obviously) relies on your existing app having an export option. I use Authy, which doesn't.

The only advantage I can see to this app over Authy is its desktop app. However, I'm not sure I even want 2FA codes available on my desktop.

Any other reason to move from Authy? I know Proton is open-source whereas Authy isn't, but that doesn't bother me.

Just downloaded the Proton-App to give it a try, and you don’t even need a Proton Account to sync - it's done via iCloud.


Also the leak last year might be a good reason to move from Authy.


It backs up to iCloud, but according to their FAQ you need to create an account to sync across devices.


It should probably be made clearer that an account is only required if you want to sync across devices on different platforms, sync across Android and iOS devices, for example. As stated by Reimulo though, it syncs across all Apple devices signed into iCloud without the need for a Proton account!! (Guess that could also be true for Google platform devices too?)

I was super happy to hear news of this release today, because after the security fluff up by Authy ages ago and the fact they pulled desktop support too, I moved over to Bitwarden authenticator and have been waiting for them to deliver the cross-device sync which has been on their roadmap for what feels like an absolute eternity now. Bitwarden just released an update that allows users to sync auth codes between the Bitwarden password and authenticator apps, though tbh I have no idea what the use case for that is?? Now their Auth app has prompts to download the full Bitwarden app to take advantage of sync!? What? I didn't want upsell notifications in my app and I don't want to sync my authenticator codes with my Password manager, I'd just save them directly in the Password manager if I wanted them there. I'm very puzzled with their efforts here, unless there is something I'm having a complete brain fart on, I just don't / didn't get it 🤷🏻‍♂️.

I also had a couple of grumbles about the implementation of the Bitwarden Authenticator app which seemed like a backward step from Authy in a few ways, though also an improvement in others, I wasn't fully convinced Bitwarden would be the provider I'd settle with after being with Authy since, forever. I also didn't trust solo / small team devs enough to try some of the many Authenticator apps which are popping up since the Authy fiasco.

SO...This release announcement was an unexpected and very pleasant surprise for me today, a company that is about as trustworthy as you can get when it comes to data privacy and protection (and Swiss-based), releasing an app that seemingly has all my TOTP prayers answered. I just downloaded Proton Authenticator, transferred my codes from Bitwarden auth, which took all of 30 seconds, and IMHO they've absolutely nailed the UI and implementation. It fixes every single grumble I had with Bitwarden Authenticator / Authy so I'm super happy right now!! Happy like a sun-king 😁

Come on, congratulate me! 🤗😂💪🏽
 
Yes. SMS. [Edit: My carrier has the SIM lock feature, and I've locked it, so what other risks are there with SMS 2FA?]
Could be in a situation where you don't have cell service but do have wifi. It's usually the other way around, but maybe you're traveling in a foreign country, or maybe your credit card in your cell phone account expired and you didn't notice, or both, and you're at a coffee shop with wifi.
More options are good.
 
This looks great. I wish the iOS Passwords App did 2FA codes better. Currently you have to set up each individual website manually. I've got dozens of codes set up in Google Authenticator and can't be bothered to go through all of them and re-set them up in iOS. I wish you could import them in bulk. The autofill and iCloud sync feature is killer but if the setup is a ball-ache I'm not bothering.
 
There are so many options for TOTP authenticators, it's good to have another one.

I agree that having the same app store the password and the 2FA codes is a mistake, if a hacker gains access to it, then all is lost!

I'd like to add that for my particular case, where I have the time not synchronized and the clock is slightly ahead (on purpose, it's something I started doing many decades ago), TOTP as we know it wouldn't work for me, since it relies on synchronized time. So I made my own TOTP authenticator with the help of chatGPT, Claude and my own coding knowledge, and now I have a working web app that only stores the secret locally at the browser and I can define if it uses local time or a synchronized time (and I can export and import it).

In the past the auth apps could have a time shift/drift correction, but now (at least one year ago) they removed that. So this is the only way for people that don't have (and don't want to have) their time synchronized to be able to use 2FA.

One final note, AWS (Amazon Web Services) uses the local time of the device where it is being accessed for its 2FA, so in my case, if I accessed AWS at my desktop with the unsynchronized time and used an authenticator app at my mobile and it had the synchronized time, it would fail.

In conclusion, for the (I presume) few that don't have synchronized time, make your own TOTP authenticator, it's fairly simple with Claude.
 
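The clock dependence discussed in the post above, as an added example that is not part of the thread or of any app mentioned in it: an RFC 6238 TOTP generator, a verifier that tolerates one 30-second step either side, and a device whose clock runs ahead, with and without a user-set correction. The secret is the RFC 6238 test secret; the server time, the 120-second skew and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: float, window: int = 1):
    """Return the step offset (-window..window) that matched, or None."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None


def client_code(secret: bytes, device_clock: float, correction: float = 0.0) -> str:
    """Code shown by a device; `correction` is a user-set offset in seconds."""
    return totp(secret, device_clock + correction)


SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key
SERVER_NOW = 1_700_000_000        # constructed server time
SKEW = 120                        # constructed: device clock 2 minutes ahead


def demo():
    """Verifier result without and with the drift correction applied."""
    uncorrected = client_code(SECRET, SERVER_NOW + SKEW)
    corrected = client_code(SECRET, SERVER_NOW + SKEW, correction=-SKEW)
    return (verify(SECRET, uncorrected, SERVER_NOW),
            verify(SECRET, corrected, SERVER_NOW))


if __name__ == "__main__":
    print(demo())
```

A skew of four steps falls outside the ±1 step window, so the uncorrected code is rejected, while the same device with the offset applied matches at drift 0.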
I'm surprised Apple hasn't made an authenticator app.
Are you? They have only just added it to keychain after years and years of it being a thing. They have only just put keychain in to a separate app even. I’m not in the least bit surprised they haven’t made an app just for 2fa.
 