cross-posted from: https://piefed.zip/post/289079
BitWarden is F(antastic)OSS.
Proton releases a new app for two-factor authentication
Submitted 3 weeks ago by RmDebArc_5@piefed.zip to technology@lemmy.world
https://techcrunch.com/2025/07/31/proton-releases-a-new-app-for-two-factor-authentication/
Comments
fmstrat@lemmy.nowsci.com 3 weeks ago
Appoxo@lemmy.dbzer0.com 3 weeks ago
Aegis ia even better
fmstrat@lemmy.nowsci.com 3 weeks ago
How? BitWarden has great 2FA, but is also a password manager with good integrations, group sharing, etc. Plus when you log in with it, it auto-copies the 2fa to clipboard.
Assuming you’ve used both, so what does Aegis bring to the table? Wondering if I should try it.
Schlemmy@lemmy.ml 3 weeks ago
2fa only for paying customers, no? I mean, I pay because it’s dirt cheap for tge convenience they offer but still no free 2fa
SpaceCadet@feddit.nl 3 weeks ago
Bitwarden authenticator is free for non-paying customers too.
commander@lemmy.world 3 weeks ago
Been using Aegis on android and managing my own backups but maybe switch or use for things I care less for just for simplicity
blinfabian@feddit.nl 3 weeks ago
yes Aegis is awesome
tias@discuss.tchncs.de 3 weeks ago
Did anyone catch what the Proton app adds over all the already existing apps?
MangoPenguin@lemmy.blahaj.zone 3 weeks ago
Looks like it has encrypted sync and desktop apps too, so that’s nice if you need stuff on multiple devices.
Soapbox@lemmy.zip 3 weeks ago
This is a more welcome addition that a stupid AI chatbot slop machine.
But I would still like to see them release Proton Drive for Linux already.
kadup@lemmy.world 3 weeks ago
I wouldn’t mind not having a native Linux drive client if they didn’t block rsync, which used to work, and now does not. What a stupid decision.
cookie019@lemmy.dbzer0.com 3 weeks ago
Why its not available as apk or aab or on fdroid?
Promoting play store?
underline960@sh.itjust.works 3 weeks ago
What’s more, they talk up how it’s open source and then don’t link to the repo.
Here it is, BTW:
cookie019@lemmy.dbzer0.com 3 weeks ago
I saw it, of cource they didnt publish no apk or aab. I dont think a lot of people will compile from the source code, maybe like 0.05% of users
artyom@piefed.social 3 weeks ago
Ehhhh by they already have this in Proton Pass?
BlameTheAntifa@lemmy.world 3 weeks ago
You really should not keep your MFA codes in the same place as your passwords, especially if you are syncing those passwords between devices and/or a cloud service.
artyom@piefed.social 3 weeks ago
Yes that's why I said:
If you already use Proton Pass, I think I'd recommend Ente Auth instead
AncientConnection@lemmy.ml 3 weeks ago
Thank you for your comment. I was also confused initially before reading properly. I thought, ‘What? But isn’t the Proton 2FA thing paid? What do they gain by making it free?’ It seems that most people are not willing to use this new app, though. Ente, Aegis, whatever the alternative is, there doesn’t seem to be a reason to use this new authenticator from Proton instead. I wonder what their goal is here. Is it simply to expand their app ‘ecosystem’?
artyom@piefed.social 3 weeks ago
There are ads in the app for Proton Pass, so that's my best guess.
pulsewidth@lemmy.world 3 weeks ago
It is very wise to store your 2FA codes separately from your general login credentials. If one is breached, the other protects it (hence, two factor). If both are breeched, your account is hosed.
Same deal when setting up 2FA on an account and they provide some ‘one time use’ 2FA codes, they generally say ‘do not store these with your standard password credentials - keep them secure and separate’.
artyom@piefed.social 3 weeks ago
Correct. However it's worth noting that passwords are almost always compromised server-side. So 2FA is far more a mitigation of data breaches from the provider, rather than your password manager being breached.
IllNess@infosec.pub 3 weeks ago
Hmm… I’m not sure about having an authenticator app on a desktop computer.
Like you are putting all your eggs in one basket. Password managers, and your emails already go to one place for authentication. Adding an authenticator means if your computer is compromised, a person can have access to more accounts.
I always figured this is why desktop authenticator apps aren’t a thing.
Pika@sh.itjust.works 3 weeks ago
The alternative for people who want a convenience factor is putting it all in the same location. For example, the only thing Authy for desktop closing did for me was make it so I no longer had an isolated app for both 2FA and passwords, because now it’s just all in my password manager.
I don’t always have my phone on me 24x7, so the inability to access things on my desktop is a massive nope for me.
The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
RoadTrain@lemdro.id 3 weeks ago
So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
I think that argument was rooted in the assumption that the phone was a separate and smaller attack surface. The assumption is reasonable if you use your credentials mostly on desktop and only have a few apps on your phone, which was indeed the case for a lot of people in the past.
But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.
And, of course, 2FA, even in the same password manager, is still better than none. Your first factor can be stolen in more ways than just compromising your machine, for example through data breaches.
IllNess@infosec.pub 3 weeks ago
The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.
That is true. And more phones are stolen now than computers. Computers can have the same security and encryption if properly configured.
Even though you make a logical point, something in my gut doesn’t feel right.
MangoPenguin@lemmy.blahaj.zone 3 weeks ago
Well hopefully the 2FA data is encrypted and the app requires a pin or password to access.
Plus my password manager also needs a pin after it times out, and my computers all have their drives encrypted too.
pulsewidth@lemmy.world 3 weeks ago
Absolutely. 2FA codes (and 2FA ‘single use codes’ / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.
But most people will just breeze past advice and do whatever is most convenient.
theherk@lemmy.world 3 weeks ago
I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.
That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.
jjlinux@lemmy.zip 3 weeks ago
I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I’m creating a simplelogin email for each of the ones I’m keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don’t want/need anymore, and then setting up 2fa on Aegis if they don’t accept a hardware tokens.
But it’s an intense and long process, though absolutely worth it. With work and personal life, I’m guessing I can be done in a couple of weeks.
Appoxo@lemmy.dbzer0.com 3 weeks ago
No company phone = Me using a desktop app for work related 2FA.
Not my problem.
BombOmOm@lemmy.world 3 weeks ago
I’ve been meaning to get rid of Google Authenticator. Think I’m gunna go do that today. :)
Dremor@lemmy.world 3 weeks ago
Consider Aegis if you want an offline and secure alternative.
Schlemmy@lemmy.ml 3 weeks ago
Aren’t all 2FA apps offline compatible?
just_another_person@lemmy.world 3 weeks ago
I guess it’s kinda nice. They already had this in Proton Pass, but I guess not all accounts have access to that as a bundle maybe?
Ulrich@feddit.org 3 weeks ago
Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email alises and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account, it also allows users to store their 2FA codes separate from their passwords if they wish to do so.
Seems like basically an ad platform/gateway to Pass.
ABetterTomorrow@sh.itjust.works 3 weeks ago
Is proton legit? I always see mix comments about them.
EncryptKeeper@lemmy.world 3 weeks ago
It’s legit. The negative comments are because the CEO supports US Republican politicians which is a red flag, but there haven’t been any operational reasons to not trust them that I’m aware of.
neons@lemmy.dbzer0.com 3 weeks ago
Doesn’t support republican politicians. Congratulated the anti-big-tech appointment by a republican politician (Trump).
DreamlandLividity@lemmy.world 3 weeks ago
There are no very clear reasons to distrust proton, but is it just me that finds them releasing a 2FA app kinda disturbing? Like, why waste the resources? What could they do better than Aegis? If there is no reason, than I have to wonder if it is to get more data into their ecosystem.
altphoto@lemmy.today 3 weeks ago
Just like Tesla. Its AOKAY to jump into a new company even if the CEO is a crazy racist.
Shady_Shiroe@lemmy.world 3 weeks ago
It works, has minor quirks, but it has replaced a lot of things for me, switched from Google gmail, drive, and calendar to Protons and it has been good. (Though the whole Lumo AI release move confused me) Oh yeah VPN too, well for other countries, still use my wireguard vpn when traveling.
But personally, I’mma continue sticking to Aegis as my authenticator app. (Can’t recommend it enough)
lka1988@lemmy.dbzer0.com 3 weeks ago
Aegis is my go-to. But I also have two phones - my personal Pixel and a work-issued iPhone - and I need 2FA on my work phone, too. Proton came through here.
Eyekaytee@aussie.zone 3 weeks ago
fuck yeah, goodbye authy
Psiczar@aussie.zone 3 weeks ago
Why? What’s wrong with Authy? I use it, Proton and Bitwarden. I could consolidate everything into Proton, but I’m concerned about having everything with one vendor.
Eyekaytee@aussie.zone 3 weeks ago
as above trying to get away from american services, it’s really, youtube, google maps and iphone are only things im stuck with
Humanius@lemmy.world 3 weeks ago
Not op, but for me the main problem with Authy is that it is owned by an American company.
It’s not the worst offender, but any American company is subject to the whims of the current administration. As an example, we’re currently seeing how Americam sanctions lock people out of their Microsoft accounts at the International Court.
I’ve slowly been moving over my 2FA codes to Aegis.
PastaCannon@lemmy.ml 3 weeks ago
Ehm… you guys know that behind all major VPN companies there’s the isræli government right?
akilou@sh.itjust.works 3 weeks ago
But few people know that a considerable chunk of that market—including three of the six most popular VPNs—is quietly operated by an Israeli-owned company with close connections to that country’s national security state,
But we’re not gonna tell you which ones!
ThePowerOfGeek@lemmy.world 3 weeks ago
Yeah, not good if them to not share that information.
But for anyone who’s wondering, here’s a decent article that goes over the shady companies that discretely own most VPNs apps.
Amusingly, and in counterpoint to the guy who you replied to, this article concludes that Proton is actually a solid VPN option that isn’t beholden to one of those sketchy VPN-hoarding companies.
They also recommend Mullvad as a good option. I’ve never used them, but I’ve seen mentioned positively in other articles about VPNs.
ohshit604@sh.itjust.works 3 weeks ago
Ehm… you guys know that behind all major VPN companies there’s the isræli government right?
Okay. proceeds to check article
Kape Technologies
This is why you research the VPN provider prior to making your purchase, read their privacy policies, their EULA, their TOS.
If it reads like a novel skip over it.
PastaCannon@lemmy.ml 3 weeks ago
No, Proton specifically has no confirmed association, I agree. So I trust them? No. I see too many signs, too many people recommending it online, too many all-connected services. For me, this is a recipe for disaster and I’m not here to be lied to my face again.
Not the first time for the very neutral state
According to a Swiss parliamentary investigation, “Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying”.
On a related note, we have also had people ask us about Proton Mail’s official position regarding the ongoing Palestinian-Israeli conflict and whether working with an Israeli company means we are taking sides in this conflict. The answer is NO. As a Swiss company, we adhere to a policy of strict neutrality
I don’t know about you guys but this 👆 is enough for me.
Sarothazrom@lemmy.world 3 weeks ago
Justifiable concerns - luckily neither proton nor Mullvad are on that list.
PastaCannon@lemmy.ml 3 weeks ago
I trust Mullvad just because they have been raided. That is the only real proof they don’t keep logs. Deloitte reports are toilet paper.
Proton? We should trust Andy. Ooook
Goten@piefed.social 3 weeks ago
its a shit article xD
i searched for a bit and even found a wiki article. the firm is kape technologies i guess?
"On September 13, 2021, Kape acquired ExpressVPN,[24][29] raising concerns based on Kape Technologies' predecessor Crossrider's history of making tools that were used for adware.[30][31][32][33]"
homesweethomeMrL@lemmy.world 3 weeks ago
Wow an OTP app.
Maybe a QR creation app is next?
Bluebaloon@leminal.space 3 weeks ago
That’s amazing
Modest_Toxic@feddit.uk 3 weeks ago
Netflix doesn’t have 2FA
akilou@sh.itjust.works 3 weeks ago
I currently have all of my 2FA codes in Pass except for my Proton account itself, which I have in Aegis, backing up to my home server.
It looks like you can easily export from Aegis to Proton Authenticator and you can use PA without a Proton account, which I think I might do. I don’t want to use my PA app with my Proton account to hold my Proton account 2FA code. I’ll end up locked out of the house with the keys inside.
the_swagmaster@lemmy.zip 3 weeks ago
Fantastic, wish they prioritised stuff like this instead of AI but at least it’s here now. Now please make a dedicated contacts app so I can stop using Google contacts too!
Shady_Shiroe@lemmy.world 3 weeks ago
Yeah, I also was disappointed that proton wallet was for crypto and not credit cards. Unless someone can recommend an alternative to Google wallet, preferably from F-Droid
SpaceCadet@feddit.nl 3 weeks ago
Google Wallet is not so much a “wallet” for your cards but a way to link your cards to their own payment service, Google Pay.
Both Apple and Google had a lot of problems convincing banks to accept their respective services, and even then many stores still don’t support this payment method. A company with the clout and size of Proton has no chance to get their own service widely accepted.
kadup@lemmy.world 3 weeks ago
The FSF (and RMS himself) wanted an alternative for online payments for ages, without crypto. An anonymous buffer layer between your payment method, like a credit card, and the vendor. I believe something was eventually released but it never took off, because unlike something like a NFC Wallet, vendors would have to natively support GNU’s version.
the_swagmaster@lemmy.zip 3 weeks ago
Same, if they made a wallet for cards then I’d actually use my phone to pay for stuff
HereIAm@lemmy.world 3 weeks ago
I started using Curve since I swapped to Graphene. Upsides: it’s not google and it works fine. Downsides: it’s a free as in beer app that (I assume) is selling my data.
I’ve read that Monzo used to have their own NFC payment app, but it looks like that isn’t around anymore and they just integrate with Google Pay now. If anyone knows more about it I would love to hear it.