• the_swagmaster@lemmy.zip · +102 · 3 months ago

    Fantastic, wish they prioritised stuff like this instead of AI but at least it’s here now. Now please make a dedicated contacts app so I can stop using Google contacts too!

    • Shady_Shiroe@lemmy.world · +17 · 3 months ago

      Yeah, I also was disappointed that proton wallet was for crypto and not credit cards. Unless someone can recommend an alternative to Google wallet, preferably from F-Droid

      • DefederateLemmyMl@feddit.nl · +15 · 3 months ago

        Google Wallet is not so much a “wallet” for your cards but a way to link your cards to their own payment service, Google Pay.

        Both Apple and Google had a lot of problems convincing banks to accept their respective services, and even then many stores still don’t support this payment method. A company with the clout and size of Proton has no chance to get their own service widely accepted.

      • kadu@lemmy.world · +6 · 3 months ago

        The FSF (and RMS himself) wanted an alternative for online payments for ages, without crypto. An anonymous buffer layer between your payment method, like a credit card, and the vendor. I believe something was eventually released but it never took off, because unlike something like an NFC wallet, vendors would have to natively support GNU’s version.

      • HereIAm@lemmy.world · +2 · 3 months ago

        I started using Curve since I swapped to Graphene. Upsides: it’s not google and it works fine. Downsides: it’s a free as in beer app that (I assume) is selling my data.

        I’ve read that Monzo used to have their own NFC payment app, but it looks like that isn’t around anymore and they just integrate with Google Pay now. If anyone knows more about it I would love to hear it.

      • fmstrat@lemmy.nowsci.com · +6 / -1 · 3 months ago

        How? BitWarden has great 2FA, but is also a password manager with good integrations, group sharing, etc. Plus when you log in with it, it auto-copies the 2fa to clipboard.

        Assuming you’ve used both, so what does Aegis bring to the table? Wondering if I should try it.

        • Appoxo@lemmy.dbzer0.com · +13 · 3 months ago

          For the same reason you usually shouldn’t store 2FA in the password manager.
          Besides that, Aegis has some features like automated (encrypted) backups when accounts are removed/added.
          It can also use multiple different 2FA protocols (even Steam when your phone has root).

    • Schlemmy@lemmy.ml · +2 / -7 · edited · 3 months ago

      2fa only for paying customers, no? I mean, I pay because it’s dirt cheap for the convenience they offer but still no free 2fa

  • commander@lemmy.world · +45 / -1 · 3 months ago

    Been using Aegis on Android and managing my own backups, but maybe I’ll switch, or use it for things I care less about, just for simplicity.

        • commander@lemmy.world · +15 · 3 months ago

          The sync is the main thing for me. I already back up my Aegis library and upload that to proton drive. Difference in security for me is pretty much zero between Aegis and a proton authenticator app

  • Soapbox@lemmy.zip · +43 / -2 · edited · 3 months ago

    This is a more welcome addition than that stupid AI chatbot slop machine.

    But I would still like to see them release Proton Drive for Linux already.

    • kadu@lemmy.world · +6 · 3 months ago

      I wouldn’t mind not having a native Linux drive client if they didn’t block rsync, which used to work, and now does not. What a stupid decision.

  • artyom@piefed.social · +23 / -1 · edited · 3 months ago

    Ehhhh but they already have this in Proton Pass?

    E: found this in the FAQ

    Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email aliases and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account; it also allows users to store their 2FA codes separate from their passwords if they wish to do so.

    If you already use Proton Pass, I think I’d recommend Ente Auth instead. That’s what I use.

    • BlameTheAntifa@lemmy.world · +18 · 3 months ago

      You really should not keep your MFA codes in the same place as your passwords, especially if you are syncing those passwords between devices and/or a cloud service.

      • artyom@piefed.social · +12 / -1 · 3 months ago

        Yes that’s why I said:

        If you already use Proton Pass, I think I’d recommend Ente Auth instead

        • BlameTheAntifa@lemmy.world · +6 · 3 months ago

          Aha. Sorry, I misunderstood. I saw the first line about Proton Pass already supporting MFA and I wasn’t familiar with Ente Auth. I did just look it up and I can’t believe I’ve never heard of it before. It’s even AGPL-3.0, be still my beating heart! Thank you for pointing it out!

          https://ente.io/ for anyone curious.

    • DZZ@lemmy.ml · +2 · 3 months ago

      Thank you for your comment. I was also confused initially before reading properly. I thought, ‘What? But isn’t the Proton 2FA thing paid? What do they gain by making it free?’ It seems that most people are not willing to use this new app, though. Ente, Aegis, whatever the alternative is, there doesn’t seem to be a reason to use this new authenticator from Proton instead. I wonder what their goal is here. Is it simply to expand their app ‘ecosystem’?

    • pulsewidth@lemmy.world · +1 / -1 · 3 months ago

      It is very wise to store your 2FA codes separately from your general login credentials. If one is breached, the other protects it (hence, two factor). If both are breached, your account is hosed.

      Same deal when setting up 2FA on an account and they provide some ‘one time use’ 2FA codes, they generally say ‘do not store these with your standard password credentials - keep them secure and separate’.

      • artyom@piefed.social · +11 / -2 · 3 months ago

        Correct. However it’s worth noting that passwords are almost always compromised server-side. So 2FA is far more a mitigation of data breaches from the provider, rather than your password manager being breached.

        • pulsewidth@lemmy.world · +3 · 3 months ago

          Feels like everyone has forgotten when LastPass was breached, and that was barely three years ago.

          Any affected LastPass users storing their 2FA backup codes in with the rest of their login data got a rude awakening.

          Anyone who had them separate was at least able to rescue those accounts. But hey do what you like people, I know convenience usually trumps security.

          • artyom@piefed.social · +1 · 3 months ago

            As far as I know, passwords and TOTP keys were never leaked by LastPass. Regardless, I did say almost always.

            • pulsewidth@lemmy.world · +1 / -1 · edited · 3 months ago

              That’s just scratching the surface. People’s credentials are increasingly captured by information stealer malware, including attacks on KeePass. So that ‘almost always’ ain’t right regardless.

              The goal of 2FA is to be ‘something you have’ like an authenticator device or auth app on your phone, working as a secondary verifier that you are who you say you are to the ‘something you know’ being your password. So if you store 2FA codes with your password then you just have two sets of ‘something you know’ which is far less secure - and leaves you more vulnerable.

              Of course, it doesn’t matter much with stuff like a low value forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It defeats the purpose.

  • IllNess@infosec.pub · +15 / -5 · 3 months ago

    Hmm… I’m not sure about having an authenticator app on a desktop computer.

    Like you are putting all your eggs in one basket. Password managers, and your emails already go to one place for authentication. Adding an authenticator means if your computer is compromised, a person can have access to more accounts.

    I always figured this is why desktop authenticator apps aren’t a thing.

    • Pika@sh.itjust.works · +19 / -1 · 3 months ago

      The alternative for people who want a convenience factor is putting it all in the same location. For example, the only thing Authy for desktop closing did for me was make it so I no longer had an isolated app for both 2FA and passwords, because now it’s just all in my password manager.

      I don’t always have my phone on me 24x7, so the inability to access things on my desktop is a massive nope for me.

      The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.

      This application might make me go back into having the two isolated systems, because it removes the massive inconvenience factor.

      • RoadTrain@lemdro.id · +7 · 3 months ago

        So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.

        I think that argument was rooted in the assumption that the phone was a separate and smaller attack surface. The assumption is reasonable if you use your credentials mostly on desktop and only have a few apps on your phone, which was indeed the case for a lot of people in the past.

        But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.

        And, of course, 2FA, even in the same password manager, is still better than none. Your first factor can be stolen in more ways than just compromising your machine, for example through data breaches.

        • IllNess@infosec.pub · +2 · 3 months ago

          But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.

          This makes sense and puts holes in my statement. I also feel like more people are willing to install shady stuff on their phones than their desktop now. I have no sources for this though.

        • Pika@sh.itjust.works · +2 · 3 months ago

          That makes sense. I hadn’t really looked at it from the angle of most apps are going on devices anyway. Mine was just because of the fact that it’s super annoying having to have my phone on me at all times for two-factor authentication. Especially considering that most 2FA apps require you to sign in in order to use them anyway.

          Also, yeah, that was my ideology when I threw them into my password manager. That if they can manage to breach a device, find my private key that’s used to lock the database and figure out the password for the database. Something far worse has gone wrong and losing my passwords is the least of my issues.

      • IllNess@infosec.pub · +3 · 3 months ago

        The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the two-factor authentication apps shouldn’t be on desktop argument never made sense to me, mobile is the same way.

        That is true. And more phones are stolen now than computers. Computers can have the same security and encryption if properly configured.

        Even though you make a logical point, something in my gut doesn’t feel right.

        • FrederikNJS@lemmy.zip · +3 · 3 months ago

          These are great points, but there is something more that phones have going for them.

          All modern phones are full-disk encrypted by default, and can be remote wiped. I think this is only the case for Mac laptops, but not for Linux and Windows.

          So if your phone is stolen, it’s not really a risk of the thief having your password manager and your 2FA at the same time, but rather can they get in to your phone and then password manager and 2FA before you can trigger the remote wipe.

          Unless the attacker is sophisticated enough to mirror the whole disk and attack it offline.

          • IllNess@infosec.pub · +3 · 3 months ago

            Yeah. You have great points. A lot easier to wipe a device that is actively connected. Laptops don’t usually have that luxury. It is a lot easier to take apart a laptop. It is easier to plug in a USB HID for brute forcing or to constantly move a pointer to prevent it from going to sleep.

            I guess that’s the feeling in my gut.

            Thank you for your input.

    • MangoPenguin@lemmy.blahaj.zone · +7 · 3 months ago

      Well hopefully the 2FA data is encrypted and the app requires a pin or password to access.

      Plus my password manager also needs a pin after it times out, and my computers all have their drives encrypted too.

      It’s plenty to stop casual thieves and such.

    • pulsewidth@lemmy.world · +5 · 3 months ago

      Absolutely. 2FA codes (and 2FA ‘single use codes’ / recovery codes) should not be stored in the same system that manages your usernames and passwords - it defeats the purpose of 2FA.

      But most people will just breeze past advice and do whatever is most convenient.

      • theherk@lemmy.world · +6 · 3 months ago

        I don’t view it as simply compromised or not. How a password is compromised is relevant. The vast majority of issues aren’t somebody gaining access to your logged in machine. Passwords are nearly always compromised from a server mishandling data.

        That means in most cases 2FA near a password is not likely to be an issue. I’m not saying I recommend it, but it does change the risk evaluation.

        • pulsewidth@lemmy.world · +1 · 3 months ago

          People’s credentials are increasingly captured by information stealer malware, including attacks on KeePass. It’s not just services mishandling their data that people should consider as likely vectors.

          I do agree about evaluation - it doesn’t matter much with stuff like a forum account that has 2FA, but I certainly wouldn’t put any of my banking or key account 2FA backup codes or credentials in a password manager or central account/password storage service. It weakens your protection if something does go wrong.

      • youmaynotknow@lemmy.zip · +4 · 3 months ago

        I am (was?) one of those. Working on eliminating or changing the passwords and emails of my 550+ accounts. I’m creating a SimpleLogin email for each of the ones I’m keeping, setting up a randomly generated password for each as well (24+ characters long with every possible character available), trying to delete the accounts of services I don’t want/need anymore, and then setting up 2FA on Aegis if they don’t accept a hardware token.

        But it’s an intense and long process, though absolutely worth it. With work and personal life, I’m guessing I can be done in a couple of weeks.

  • BombOmOm@lemmy.world · +8 · 3 months ago

    I’ve been meaning to get rid of Google Authenticator. Think I’m gunna go do that today. :)

    • Encrypt-Keeper@lemmy.world · +38 / -2 · 3 months ago

      It’s legit. The negative comments are because the CEO supports US Republican politicians which is a red flag, but there haven’t been any operational reasons to not trust them that I’m aware of.

      • neons@lemmy.dbzer0.com · +26 / -1 · 3 months ago

        Doesn’t support republican politicians. Congratulated the anti-big-tech appointment by a republican politician (Trump).

        • sem@lemmy.blahaj.zone · +9 / -1 · 3 months ago

          Definitely supported the Republicans. It was a red flag to hold opinions like this:

          Here is our official response, also available on the Mastodon post in the screenshot: Corporate capture of Dems is real. In 2022, we campaigned extensively in the US for anti-trust legislation. Two bills were ready, with bipartisan support. Chuck Schumer (who coincidentally has two daughters working as big tech lobbyists) refused to bring the bills for a vote. At a 2024 event covering antitrust remedies, out of all the invited senators, just a single one showed up - JD Vance. By working on the front lines of many policy issues, we have seen the shift between Dems and Republicans over the past decade first hand. Dems had a choice between the progressive wing (Bernie Sanders, etc), versus corporate Dems, but in the end money won and constituents lost. Until corporate Dems are thrown out, the reality is that Republicans remain more likely to tackle Big Tech abuses.

          He’s not wrong about the Democrat party choosing the establishment over the progressive wing, but the idea that he supports the Republicans as being more likely to rein in tech companies is so laughable it’s not even funny, and makes you wonder why Andy Yen believes it.

          What other commenters have said before though is true: aside from this incident with the CEO, Proton has been careful to stay politically neutral and on message… It damaged their public trust but didn’t destroy it.

      • DreamlandLividity@lemmy.world · +3 / -1 · edited · 3 months ago

        There are no very clear reasons to distrust Proton, but is it just me that finds them releasing a 2FA app kinda disturbing? Like, why waste the resources? What could they do better than Aegis, which is already FOSS and privacy preserving? If there is no reason, then I have to wonder if the hidden reason is to get more data into their ecosystem. Which a privacy focused company shouldn’t care about.

        I am probably just paranoid but I don’t trust Proton.

        • Encrypt-Keeper@lemmy.world · +6 / -1 · edited · 3 months ago

          Yes it’s just you. They released a 2FA app because it complements their existing password manager and because Google has one. Since Proton is positioned as a privacy-first alternative to Google, it makes sense they’d launch competing versions of any given app or program Google does. A 2FA app also wouldn’t capture any kind of personal data.

          What could they do better than Aegis, which is already FOSS and privacy preserving?

          Have an iOS app for one.

          But also, like, what could they do better than Tutanota mail, which is already privacy preserving? By your logic Proton shouldn’t exist at all. Is it your opinion that non-privacy respecting software should have lots of competition and options but privacy respecting ones should not? Can’t say I agree with that.

        • Zombie-Mantis@lemmy.world · +4 · 3 months ago

          Why release this? Because they’re building their own ecosystem. They’re trying to build an alternative to the big players, which means they need to have an alternative to all their major products. Maps and YouTube are probably off the table for now, just because of the sheer scale needed for those, but something like this is achievable.

          Is Aegis better? Maybe, but that’s not really the point, it’s part of a family of apps.

      • altphoto@lemmy.today · +1 / -11 · 3 months ago

        Just like Tesla. It’s A-OK to jump into a new company even if the CEO is a crazy racist.

    • Shady_Shiroe@lemmy.world · +13 · 3 months ago

      It works, has minor quirks, but it has replaced a lot of things for me; switched from Google Gmail, Drive, and Calendar to Proton’s and it has been good. (Though the whole Lumo AI release move confused me.) Oh yeah, VPN too, well, for other countries; I still use my WireGuard VPN when traveling.

      But personally, I’mma continue sticking to Aegis as my authenticator app. (Can’t recommend it enough)

      • Lka1988@lemmy.dbzer0.com · +1 · 3 months ago

        Aegis is my go-to. But I also have two phones - my personal Pixel and a work-issued iPhone. I need 2FA on my work phone, but Aegis doesn’t support iOS. Proton came through here. It’s open-source, too.

  • just_another_person@lemmy.world · +8 / -2 · 3 months ago

    I guess it’s kinda nice. They already had this in Proton Pass, but I guess not all accounts have access to that as a bundle maybe?

    • Ulrich@feddit.org · +2 · 3 months ago

      Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email aliases and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account; it also allows users to store their 2FA codes separate from their passwords if they wish to do so.

      Seems like basically an ad platform/gateway to Pass.

    • Psiczar@aussie.zone · +1 · 3 months ago

      Why? What’s wrong with Authy? I use it, Proton and Bitwarden. I could consolidate everything into Proton, but I’m concerned about having everything with one vendor.

      • Humanius@lemmy.world · +4 · 3 months ago

        Not op, but for me the main problem with Authy is that it is owned by an American company.

        It’s not the worst offender, but any American company is subject to the whims of the current administration. As an example, we’re currently seeing how American sanctions lock people out of their Microsoft accounts at the International Court.

        I’ve slowly been moving over my 2FA codes to Aegis.

      • ikt@aussie.zone · +4 / -1 · 3 months ago

        As above, trying to get away from American services; it’s really just YouTube, Google Maps and iPhone that are the only things I’m stuck with.

        • Humanius@lemmy.world · +2 · edited · 3 months ago

          I wish there was a good alternative to YouTube. I’ve been meaning to host a PeerTube instance, but that process is really not as straightforward as it should be if they want the platform to gain widespread adoption.

          Google Maps has pretty decent alternatives though:

          • For simply browsing the map I use OpenStreetMaps on desktop, and Organic Maps on mobile.
          • For navigation (by car) I used to use Waze (which is also owned by Google), but I’ve switched back to good ol’ TomTom

          As for iPhone… personally I have a Google Pixel which I’m going to keep using till I can’t anymore. After that I’m probably switching to Fairphone. They’re a European company and their phones are right up my alley

  • akilou@sh.itjust.works · +3 · 3 months ago

    I currently have all of my 2FA codes in Pass except for my Proton account itself, which I have in Aegis, backing up to my home server.

    It looks like you can easily export from Aegis to Proton Authenticator and you can use PA without a Proton account, which I think I might do. I don’t want to use my PA app with my Proton account to hold my Proton account 2FA code. I’ll end up locked out of the house with the keys inside.