You presumably already had a working 2FA app, but off the cuff decided to switch to new unvetted variant X, a basically unknown auth system, after reading a few paragraphs of text in an afternoon?

Does this seem sound?

Ente is extremely well known in the privacy circles, so this is not just some random company with a random app out of nowhere. Check PrivacyGuides for example.

[deleted]

Ok I checked privacyguides.

Here’s where it was added to PrivacyGuides - https://github.com/privacyguides/privacyguides.org/issues/36.... The person opening the issue is the CEO of ente. So the CEO of ente gets his company mentioned in PrivacyGuides back when it was new and that makes it more legit?

PrivacyGuides goes through their own process of vetting (whether you would agree with their process or not that’s another topic) so I think the discussion to add Ente Photos is the more relevant link https://discuss.privacyguides.net/t/ente-photo-management/11...

> PrivacyGuides goes through their own process of vetting ... so I think the discussion

The discussion is not all that relevant as PrivacyGuides does not rely solely on community input. The core team pretty much generates content and lists recommendations based on (what they claim is) their own research (which isn't saying much).

  The forum and community really give us a lot of external insights, with the voting system letting us poll how popular something is. 

  While we put a very heavy importance on the community consensus, it is mostly up to the team to decide what comes and goes, where more heavy decisions require more votes...

  A reason why it has never really been written out is that policies can be gamed, and the team really wants to be able to veto decisions...

  As far as "evaluating"/reviewing tools the methods to do so are not documented...
https://discuss.privacyguides.net/t/32774

While I would have the same reaction, in this case I think it is a sane decision. Ente is cornering the privacy market and I think they're doing a great job. They have a lot to lose (trust) and it would be stupid if they did something shady with the data entered in the 2FA app.

Not knowing them, how could OP trust them instantly? Whether they really have that trust or not, you have to know them for a while and from many different trustable sources. The story is a bit strange.

There are the issues of competence and track record, not only intent.

> cornering the privacy market

this seems self-contradictory

Sorry, English is not my first language and I tried to look clever.

I ended up picking them because they were the only open source one that worked on all my devices IIRC.

https://en.wikipedia.org/wiki/Comparison_of_OTP_applications

What's the risk?

They just store tokens; without other FA, at "worst" you get locked out of your account, but nobody else has access either. You're also supposed to, as good practice, not be limited to token generation and typically have a dozen or so recovery tokens. Also, if they were somehow not working at doing the one task they should do, namely generating tokens, then you won't be able to use them, so it won't even be added.

So... I might be missing something, can you please explain what worries you and why I should thus worry too?
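For readers weighing that risk argument, it helps to see concretely what an authenticator app holds and computes: each entry is a shared secret (usually imported from an otpauth:// URI in a QR code), and every code is derived from that secret plus the current time. The following is an added example, not code from the thread or from Ente; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, parses a constructed otpauth URI of the kind an app exports when you migrate, and checks itself against the RFC test vectors (secret "12345678901234567890"). The verification window and the sample URI are choices made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, **kw) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift.
    Constant-time compare so a guess cannot be timed. (Window size is an
    illustrative choice, not a spec requirement.)"""
    period = kw.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret, at + step * period, **kw), code)
        for step in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI into the fields an authenticator stores.
    The secret is base32 (unpadded in most QR codes), everything else is optional."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:  # label carried only the account name
        label_issuer, account = "", label_issuer
    b32 = params["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return {
        "issuer": params.get("issuer", label_issuer).strip(),
        "account": account.strip(),
        "secret": secret,  # this is the only sensitive field
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def code_for_entry(entry: dict, at: int) -> str:
    """What the app displays for one stored entry at time `at`."""
    return totp(entry["secret"], at, entry["period"], entry["digits"], entry["algorithm"])


# Constructed sample URI, in the shape apps export for migration (hypothetical account).
SAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    print(entry["issuer"], entry["account"], code_for_entry(entry, now))
    # RFC 6238 Appendix B vector: 8-digit SHA1 code at t=59 is 94287082
    print(totp(b"12345678901234567890", 59, digits=8))
```

The point the example makes visible: the secret bytes are the whole asset. An app that only displays codes has nothing to leak except those secrets; losing them (or the app) locks you out, which is what recovery codes are for, while anyone who obtains them can compute the same codes you can.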

[deleted]

> new unvetted variant X; basically unknown auth system

Valid concerns. In the case of Ente Auth though, it is used by folks working at CERN [0], who also sponsored a recent security audit: https://ente.com/blog/cern-audit/

[0] https://cern.service-now.com/service-portal?id=kb_article&n=... / https://auth.docs.cern.ch/trouble-shooting/2fa-tips/

If it helps, I've used Ente for a year and I really like it.

Not saying they’re a paid promoter. But if I paid someone to speak about my newly launched product, they’d say something exactly like that. “Never heard of these guys before, but I loved their other product you’ve never heard of. I’m super excited to try this one!”