Google's authenticator is proprietary, and FreeOTP, which is mentioned once in the UI strings, is no longer maintained, even though it could probably still be functional on current Androids.
Perhaps the main recommendation and in-line examples should be of FOSS OTP tools, such as andOTP or FreeOTP, by using their names in the user's directions, with Google's as a secondary recommendation, if at all.
When advising users in a similar situation, I recommend FOSS whenever possible. This is even more relevant in contexts of security and privacy.
FreeOTP still works as of Nougat; I see activity this month here: https://github.com/freeotp/freeotp-android/commits/master What exactly isn't maintained anymore? andOTP mentioned that they're doing this now as a side project. I like your suggestion.
> Google's authenticator is proprietary
I did not realize that. There is a Free Software version of Google Authenticator but it explicitly says the Android app is not Free Software. Does anyone know more about that?
If it is confirmed to be a proprietary blob I second your proposal.
> FreeOTP [...] is no longer maintained
@agharbeia Citation? I agree with @KwadroNaut: there's still activity on the GitHub repo. Have you seen an announcement by the maintainers that the project is deprecated?
Big fan of recommending FreeOTP. We're already doing that (see 476223f26 via #1746), but happy to give it priority. We apparently only recommend FreeOTP in comparatively few locations:
```sh
$ grep -riPo '(freeotp|google(\s+auth\w+))' docs | cut -d: -f2 | sort | uniq -c
      1 freeotp
      3 FreeOTP
     18 Google Authenticator
```
Would gladly review a PR that mentions FOSS alternatives first and Google Authenticator second. Unclear to me what FOSS alternatives should be for iOS users: both FreeOTP and andOTP mentioned above appear to be Android-only.
You are right, @KwadroNaut and @conorsch; it seems FreeOTP is still alive after all.
I should have rechecked before claiming that. The last time I had, a couple of months ago, it seemed to me to have been dormant for some time.
I have concerns. I definitely agree 100% that we should use FOSS in every case that we can. However, many large news organizations have security requirements that the organization requires a specific 2FA application (perhaps by Symantec or others). We should keep that in mind.
Sure, some orgs mandate use of a specific 2FA application (e.g. Duo or Authy). As long as it's TOTP, it should work just fine. Worth pointing out that the TOTP use case is general and not specific to any one application over others.
Google Authenticator has permissions to access internet and camera according to exodus. That plus the fact that it's proprietary does not look too good.
> I did not realize that. There is a Free Software version of Google Authenticator but it explicitly says the Android app is not Free Software. Does anyone know more about that?
@dachary you're not linking to the google-authenticator-android project. It used to be open (Apache license), but like many pieces of Android that Google maintains and develops it is now only available under a closed license. See https://github.com/google/google-authenticator-android
This project is an older fork of the one on the Play store. It's an older version that doesn't get changes synced to it from the Play store version.
@b-meson there will always be a discrepancy between what's suggested and what's being used. There are some missing features/bugs with Duo and FreeOTP (i.e., no U2F), but all the basic stuff (TOTP) works fine. @conorsch's idea to point out that TOTP is the magic keyword here, regardless of app, is a good one.
@dachary permissions camera: scan a qr-code, internet: not sure.
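To make concrete the point raised by @conorsch and @KwadroNaut above (that any app implementing TOTP will produce the same codes from the same enrollment secret, regardless of vendor), here is an added example. It is not SecureDrop's code and not code posted by anyone in this thread. It implements RFC 4226 HOTP and RFC 6238 TOTP directly, parses a constructed `otpauth://totp/...` URI of the kind a QR code carries, and checks the result against the published RFC test vectors. The label `SecureDrop:journalist`, the helper names and the acceptance window are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890"),
# given here in the base32 form that a QR code would carry.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = b"12345678901234567890"

# Constructed enrollment URI (assumption: label/issuer are illustrative).
EXAMPLE_URI = (
    "otpauth://totp/SecureDrop:journalist"
    f"?secret={RFC_SECRET_B32}&issuer=SecureDrop&digits=6&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp URI format shared by Google Authenticator,
    FreeOTP, andOTP and other RFC 6238 apps. Only TOTP is accepted here."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    # Apps tolerate lowercase, spaces and missing base32 padding; normalise.
    secret_b32 = params["secret"][0].replace(" ", "").upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify(secret: bytes, code: str, timestamp: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side acceptance: accept the code for the current step and
    +/- `window` neighbouring steps (clock skew). Every candidate is compared
    so that the loop does not leak which slot matched."""
    counter = timestamp // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = True
    return matched


def code_from_uri(uri: str, timestamp: int) -> str:
    """What any RFC 6238 app would display for this enrollment at this time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], timestamp, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    now = int(time.time())
    print(parse_otpauth(EXAMPLE_URI)["label"], "->", code_from_uri(EXAMPLE_URI, now))
```

The check that matters for this thread is that `code_from_uri(EXAMPLE_URI, 59)` equals `287082`, the RFC 6238 value for T=59 with SHA-1 and six digits: the code depends only on the secret, time step, digit count and hash, never on which app computed it. A vendor app that adds a proprietary push factor (Duo, Authy) still has to emit this same value in its TOTP mode.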
> you're not linking to the google-authenticator-android project.
Ah, right. So it's confirmed that Google Authenticator as found in the app store is indeed a proprietary blob?
> permissions camera: scan a qr-code, internet: not sure.
Yes, indeed :-)
Worth mentioning that on iOS, FreeOTP hasn't been updated in the App Store for over three years. Thankfully, it is 64-bit, and so runs on iOS 11 (which dropped support for 32-bit apps).
The current version available in the App Store doesn't properly support iPhone 6 and 6 Plus-class devices, let alone the newer iPhone X class. But, their freeotp-ios project has seen a PR get merged recently, about three weeks ago. And it looks like they are making progress on their move to Swift 4 and Xcode 9.
tl;dr iOS app works on the latest iOS; it's not pretty on anything newer than iPhone 5s/SE. However, we can expect an app update soon hopefully.
Thanks for documenting this research! I'll link it from the original issue so we have a better chance to find it at a later time.
@kushaldas you mentioned being involved with FreeOTP in the past; do you maybe have more information about the maintenance on iOS?
AFAIK Google Authenticator for iOS does not require or use internet access, just the camera but I could be wrong.
FreeOTP looks good so far, but in the future it would be excellent if folks on the training team could be tagged in these discussions (@harlo @olivemartini or myself) when they happen. We support using Free software where possible, but we'll need to update other materials on our end and also make sure the software is usable/not too buggy so we don't run into surprises during trainings.
I don't see discussion of this option, but perhaps it would've been beneficial to have recommended FreeOTP or Google Authenticator rather than in lieu of.
> I don't see discussion of this option, but perhaps it would've been beneficial to have recommended FreeOTP or Google Authenticator rather than in lieu of.
IMHO it would be really difficult to consistently maintain such an alternative. However, it would be worth maintaining a list of alternatives, in the documentation, including Google Authenticator. And we could link to this list where relevant. What do you think @edenemmanuel ?
> we'll need to update other materials on our end and also make sure the software is usable/not too buggy so we don't run into surprises during trainings.
@huertanix absolutely: that was my primary concern before proposing this change. Maybe there is an online service where we can try and see how FreeOTP behaves on the most recent iOS? @edenemmanuel pointed out it may not look nice.
@dachary I'm not sure if there's an online service that emulates iOS devices, but I have a production iPhone 8 with the latest stable iOS. I suppose I can take screenshots of it (for documentation purposes if need be).
If people feel strongly about FreeOTP (having free software, even on an iOS device is a plus), I'd probably feel comfortable about a brief note or a list of alternatives, like Google Authenticator. Hopefully, such a change wouldn't clutter documentation.
> I'd probably feel comfortable about a brief note or a list of alternatives, like Google Authenticator.
I'll do that first thing in the morning.
You're the best! Happy to review. :)
@edenemmanuel a file listing known and tested OTP generators was added and is included as a tip in each page where the OTP app is mentioned. Having the list in a centralized file will hopefully help keep it up to date.
What do you think ?
@huertanix I apologize for not pinging you about this, my mistake. I'm ready to make amends and assist in updating the training material for you. I'll do better next time.
@dachary I have met the developer before, I will try to pull him into this discussion.
Just tried FreeOTP with an iPhone 7 running iOS 11 and it looks good.
@dachary No worries, just want to make sure our training matches our documentation. :)