lichess-org / lila

♞ lichess.org: the forever free, adless and open source chess server ♞
https://lichess.org
GNU Affero General Public License v3.0

Add Aegis authenticators #13968

Closed shuvashish76 closed 11 months ago

shuvashish76 commented 12 months ago

https://lichess.org/account/twofactor

Get an app for two-factor authentication, for example andOTP for Android...

Sadly the project has been archived, see the announcement here.

Request to replace andOTP recommendation with Aegis. Reasons:

Please use F-Droid link so that everyone including degoogled/playstore not available countries could use it. Thanks.

ComradeRamen commented 12 months ago

I don't see andOTP recommended.

Get an app for two-factor authentication, for example Google Authenticator for Android or iOS.

shuvashish76 commented 12 months ago

Please investigate properly before commenting. Check the Playstore link last "Updated on Jun 14, 2021" and the project has been archived in "Jun 14, 2022", F-Droid already moved it to their archive repository.

ComradeRamen commented 12 months ago

To clarify I was simply quoting the site: https://lichess.org/account/twofactor and not making any claims as to the legitimacy of the archival of andOTP.

ComradeRamen commented 12 months ago

https://github.com/lichess-org/lila/pull/13969

superuser-does commented 11 months ago

Very good commit in #13969 in taking care to edit existing translations for twoFactorApp. This string was on my list to raise at the end of my string review, but it is better to do it now given today's commit.

In the past we were hesitant to recommend Google Authenticator because it didn't offer cross-device sync (so more support requests), but since this April that is covered. I didn't know this and was testing alternatives for this string just yesterday, as it happens!

I have two remaining concerns with Google Authenticator:

  1. Whether iOS users tend to have Google accounts at all.
  2. For Android, Google chose not to use Android's built-in backup function, so this notably excludes Huawei users (no Google services) and certain FOSS nuts who have de-googled phones. There is an offline backup function, but it still requires a device to scan a QR code from. It's also worth noting the app is also no longer FOSS as of 2021.

My suggestion for this guidance was to introduce an altogether new string that doesn't give a specific example, and then having a non-translateable ul for Android and iOS respectively.

I have a shortlist of credible alternatives on each platform and I have personally tested each one. Here is what that could look like:

Get an app for two-factor authentication. We recommend the following apps: (translateable string ends here)

  - Android
    - [2FAS](https://2fas.com/)
    - [Authenticator Pro](https://authenticatorpro.jmh.me/)
    - [Aegis Authenticator](https://getaegis.app/)
  - iOS
    - [2FAS](https://2fas.com/)

The list of apps would be entirely outside of translations, so we could easily update them as needed.

➡️ Would you be interested in a pull request rewording the strings along these lines please @ornicar?

As a bonus, the ones I cited all feature a Lichess icon and are FOSS. They also all have 100,000+ users and, importantly, they support backing up to an encrypted file and not just iCloud Keychain/Google Account. One of the reasons that file backup is important is that the likes of LastPass have now started locking down, even though the secret is just a string of text. It also means former andOTP users like me were able to migrate to other 2FA software.

shuvashish76 commented 11 months ago

There are many authenticator apps but none of them are as good as Aegis.

  - 2FAS - It has the Google MLKit tracker. ~5 times the size of Aegis.
  - Authenticator Pro - Again includes MLKit. It has non-free dependencies to support WearOS. ~7 times heavier than Aegis.

It took a real security expert to discover MLKit to be a tracker. https://www.kuketz-blog.de/reaktion-der-gematik-auf-e-rezept-app-pruefung/ Quoting the relevant part:

This communication takes place through the Google ML Kit. This communication is without cause; we use the ML Kit to read the Data Matrix code. Why the ML Kit is communicating with Firebase Analytics at all is unknown to us. In any case, it is not initiated by us.

@ornicar I really don't see a reason to suggest other alternatives when we have Aegis, a better, more privacy-friendly solution.

superuser-does commented 11 months ago

@shuvashish76 The analysis is out of date. 2FAS no longer uses Firebase Analytics, only Crashlytics. You can confirm as much from the exodus report. Not sure on ML Kit use beyond that.

Authenticator Pro has a non-ML Kit version for F-Droid per this discussion, but I'll grant it's still used for barcode scanning in the Play Store version (I found some code referencing those libraries but not sure on the extent of use). I take no issue with the proprietary dependencies for Wear OS support, which I imagine are unavoidable. If it gets more people to use 2FA, that is a benefit. It is no surprise it is larger than Aegis as it ships with hundreds of icons out of the box, and I wouldn't take that as disqualifying anyway.

shuvashish76 commented 11 months ago

[Screenshot 1: AppManager scanner report listing]
com.google.mlkit.common.internal.MlKitComponentDiscoveryService
com.google.mlkit.common.internal.MlKitInitProvider

[Screenshot 2: AppManager scanner report listing]
com.google.mlkit.common.internal.MlKitComponentDiscoveryService

AppManager scanner report of both apps, PlayStore latest version.

Authenticator Pro has a non-ML Kit version for F-Droid per this discussion, but I'll grant it's still used for barcode scanning in the Play Store version.

Most people will use PlayStore version anyway.

M-DinhHoangViet commented 11 months ago

Hello people who suggest adding apps. However, Aegis is just a replacement for andOTP in Lichess example, so others can find and use other similar applications themselves.

shuvashish76 commented 11 months ago

I agree there is no point in suggesting all the alternatives that exist in the wild. Just suggest one good app to users and that's it. In this case I've mentioned why Aegis is better (for Android). I'll not argue more about the others.

superuser-does commented 11 months ago

I've explained above why I think it is good to give multiple options and why I don't hesitate to recommend these. It's worth noting MLKit can and does work wholly offline for barcode scanning, but it is ultimately Google software on a tracker-filled system, so I don't doubt that some data is being passed here and there.

Like you say, most people will use Play Store and we have a responsibility to protect their data, but I also very much doubt that users are at any actual security risk at all. I would not mind recommending a strong user experience in this realm (coupled with good security practice), over a pure FOSS piece of software personally.

As a concrete example, I think the Aegis user experience isn't quite as friendly (though it is strong). Though I cannot prove it, I think its backup prompt (after the first code is added) is probably less effective than 2FAS's, which asks the user upfront. For Wear OS watch users, the functionality Authenticator Pro provides could add a lot of value. I take a bit of issue with some of the wording used by 2FAS, which isn't strictly accurate, but it is a very popular and easy-to-use program which I'd struggle to fault.

The above, and the fact andOTP seemed healthy but then disappeared is why I think it's good to have a few options available. I've been an Aegis user myself since andOTP was retired but I'm also conscious I don't represent the norm and I don't see these options as especially harmful.

As a last note, this string would not help anyone who already has andOTP, because you don't see the string when you already have 2FA set up. However, it could help thousands of Lichess users in future which is why it was worth thinking through our suggestions. Ultimately these are nitpicks and I'm glad we didn't just go for the standard choice of Google/Microsoft Authenticator, or putting in a password manager (which defeats half its purpose).