Trying to wrap my head around 2FA... Any help?

Hi!

Sorry, I’ve been trying to understand this and… not quite there yet :sweat_smile:

So, I understand in my workplace with their devices, we have a device with a Google Account that serves as a “confirmation” that I am the actual person who has entered a password in the server. Even if someone else had my password and username, they wouldn’t have the secret pin in the other device to confirm it was me, and they would be rejected from accessing. I understand it works because Google is the owner of the service and takes the responsibility of saying “yes, this account is validated by Google and we validate the pin was the one to authorize access”.

But how do FLOSS apps work? Which services will send a pin for an app that is not associated with Google or Microsoft or some other big company, and trust that it was correctly communicated?
I ask this because I wanted to increase my Proton account security. I know Proton has its own 2FA app here in F-Droid, but:

  1. I would prefer an app that could be used with other services as well, if possible (?);

  2. I understand that their app has some anti-features others don’t, so if possible to avoid those it would be good;

Does anyone else here use 2FA? With which services do F-Droid apps work, and which one could be recommended (for Proton and others)? Thanks!

It’s not Google that vouches for you, but some math. The QR code you scan when you set up 2FA sets a secret on your device. Based on that secret + time, some numbers are generated that you enter on the website to confirm that you hold the secret.

If you talk about “google device stuff” NOT based on QR then yes, that’s controlled by Google… BUT there are no FLOSS apps for that, afaik.

E.g. with QR: install some app (F-Droid - Free and Open Source Android App Repository) and test on this test site: Check your 2FAS Auth app — QR code

1 Like

Thanks! That confirmed and clarified what I had been reading. Thanks!

Also, particular app you recommend? They all kinda seem pretty much the same, lol. I would use it in conjunction with Gnome Authenticator on my laptop, so…

This one seems recently updated enough?

I really like Ente Auth, because of its end-to-end encrypted sync (your codes are encrypted on-device before they ever touch the cloud, and only you hold the decryption key), it is well maintained (actively developed as part of the ente ecosystem, open-source with audited crypto, and regularly updated), and it’s 100 % FLOSS with a clean F-Droid build.