Ente Auth: open-source Authy alternative for 2FA

Overview of Ente Auth

  • Presented as an open‑source, cross‑platform alternative to Authy with optional end‑to‑end encrypted (E2EE) backups.
  • Apps exist for Android, iOS, Linux, macOS, Windows, plus a read‑only web companion.
  • Works fully offline; accounts and backups are optional. Self‑hosting is supported.

Migration, Exports, and Lock‑in

  • A major motivation is escaping “Authy jail,” where users can’t easily export their secrets, especially after desktop support and related APIs were removed.
  • Ente provides bulk export to plaintext or encrypted files (newline‑separated otpauth:// URIs), and per‑entry QR export.
  • Guides exist for migrating from Authy and others, but some methods relying on Authy desktop/API are now broken.
  • One user reports Raivo‑to‑Ente import crashing; import robustness is seen as a weak spot.
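
A pre-import check for the plaintext export format described above, as an added example (not Ente's code). It assumes each line uses the standard Key URI parameters (secret, algorithm, digits, period) and handles TOTP entries only; the function names and sample data are hypothetical. Malformed lines are reported by line number instead of aborting the run, and one migrated entry is confirmed against a known RFC 6238 code.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlsplit, parse_qs, unquote

ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Parse one otpauth://totp URI; raise ValueError (never echoing the secret) if malformed."""
    u = urlsplit(uri.strip())
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    secret = q.get("secret", "").replace(" ", "").upper()
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        key = b""
    if not key:
        raise ValueError("secret is missing or not valid base32")
    algo = q.get("algorithm", "SHA1").upper()
    digits, period = q.get("digits", "6"), q.get("period", "30")
    if algo not in ALGOS or digits not in ("6", "7", "8") or not period.isdecimal() or int(period) == 0:
        raise ValueError("unsupported algorithm, digits or period")
    return {"label": unquote(u.path.lstrip("/")), "key": key, "algo": algo,
            "digits": int(digits), "period": int(period)}

def totp(entry, unix_time):  # RFC 6238 code for a parsed entry at a given Unix time
    counter = struct.pack(">Q", int(unix_time) // entry["period"])
    mac = hmac.new(entry["key"], counter, ALGOS[entry["algo"]]).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])

def audit_export(text):  # returns (parsed entries, [(line number, reason), ...])
    ok, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                ok.append(parse_otpauth(line))
            except ValueError as e:
                bad.append((n, str(e)))  # line number and reason only, never the line itself
    return ok, bad

# Constructed sample export; the first secret is the RFC 6238 test key, not a real account.
SAMPLE_EXPORT = """otpauth://totp/Example:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8
otpauth://totp/Broken:bob?secret=not-base32!&issuer=Broken
https://example.com/not-an-otp-uri
"""

if __name__ == "__main__":
    print(audit_export(SAMPLE_EXPORT)[1])
```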

Security Model and Backups

  • E2EE backups are free and optional; recovery is via email + password/recovery key.
  • Debate over syncing: some see cross‑device sync as an anti‑feature that dilutes “two factor”; others argue usability and backup safety outweigh that, especially vs SMS.
  • Ente intentionally avoids iCloud Keychain backup on iOS to prevent hidden cloud dependencies; this complicates zero‑effort phone upgrades, which worries people supporting non‑technical users.

Comparisons to Alternatives

  • Alternatives mentioned: Aegis, 2FAS, Bitwarden Authenticator, FreeOTP, OTP Auth, KeePassXC/CLI tools, Apple Passwords/iCloud Keychain, password‑store (pass) + OTP plugins.
  • Aegis praised for Android and export/backup but is mobile‑only; some users moved from Aegis (bugs) or Raivo (ownership change, paywall issues) to Ente.
  • Some prefer simple, entirely offline tools or hardware‑backed solutions over any syncing service.

2FA Design Debates

  • Strong criticism of SMS 2FA (SIM swap, SS7, social engineering), yet acknowledgement that it raises the bar vs password‑only attacks and is attractive to large services for ubiquity.
  • Ongoing debate about storing TOTP in the same password manager as passwords:
    • More convenient and better than no 2FA.
    • Less secure if the single vault is compromised; some mitigate with hardware keys for vault access.

Implementation & UX Notes

  • Ente Auth uses Flutter; some like the cross‑platform polish, others feel the UI is subtly “off” vs native.
  • Gmail often flags Ente verification emails as spam; suggestions include richer branding and metadata in emails to improve deliverability.
  • Tagging and pinning are available for organizing codes.
  • Name similarity with “Entra” (Microsoft) is noted; “Ente” is explained as meaning “mine” in Malayalam.