Regarding the last criterion on the MFA tools page

redoomed1 commented 3 weeks ago

Affected page

https://www.privacyguides.org/en/multi-factor-authentication/#criteria

Description

Another person on the PG Matrix pointed this out:

i just read https://www.privacyguides.org/en/multi-factor-authentication/ and it seems like Ente is not fit for the criteria?

 Auth provides end-to-end encrypted cloud backups so that you don't have to worry about losing your tokens.
 We use the same protocols Ente Photos uses to encrypt and preserve your data.

did this change recently?

not even optional is allowed, as per criteria

 Must not sync to a third-party cloud sync/backup service.

 Optional E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud.

their service is third party (that's why it needs a login)

Sources

https://apps.apple.com/app/id6444121398 (source for the first quote in plain text, which can be found under the "SECURE BACKUPS" heading in the app's description)
https://github.com/ente-io/ente/tree/main/auth#-architecture

Before submitting

[X] I am reporting something that is verifiably incorrect, not a suggestion or opinion.
[X] I agree to the Community Code of Conduct.

rollsicecream commented 3 weeks ago

The main word here in this criteria is : third-party

So, I think in the case of Ente Auth, it's totally okay since they use their own sync solution. I also think that criteria meant to say that 2FA apps shouldn't use 3rd party services like Google Drive, OneDrive and other services.

I'm not well familiar with Ente Auth, when they say that :

Auth provides end-to-end encrypted cloud backups so that you don't have to worry about losing your tokens.
We use the same protocols Ente Photos uses to encrypt and preserve your data.

They use iCloud (or another service), right?

I could have been wrong though.

redoomed1 commented 1 week ago

They use iCloud [...] right?

No, according to the second link listed above in the "Sources" section, Ente uses their own implementation. Moreover, a member of the Ente org states in the following comment that they do not have plans to support iCloud sync: https://github.com/ente-io/ente/issues/182#issuecomment-1670637674.

Anyway, I opened this issue because the person from the PG Matrix makes a good point and this criterion should probably be updated. I'll open a pull request to address this.

privacyguides / privacyguides.org