AppBITS: Proton Authenticator Takes on 2FA Apps

Originally published at: AppBITS: Proton Authenticator Takes on 2FA Apps - TidBITS

In “Two-Factor Authentication, Two-Step Verification, and 1Password” (10 July 2023), I explained that for true two-factor authentication, you needed to acquire your time-based one-time password (TOTP) from a device other than the one on which you’re logging in. By having 1Password automatically enter those automatically generated six-digit codes for me, I’m instead using two-step verification. That’s much more secure than plain passwords, but not as strong as two-factor authentication because an attacker could compromise 1Password to access both the password and the verification code.

I’m willing to accept that slightly reduced level of security in return for a vastly better user experience, but if you’re not, the Swiss company Proton, best known for the security-focused ProtonMail service and Proton VPN (see “Do You Use It? VPN Use Is Widespread,” 26 May 2025), has introduced a new standalone app for generating two-factor authentication codes. The free and open source Proton Authenticator works like Google Authenticator and Authy, enabling you to add accounts that support two-factor authentication and display the six-digit codes they generate.

Proton Authenticator

What sets Proton Authenticator apart from Google Authenticator and Authy is that it runs on more platforms—iOS, macOS, Windows, Android, and Linux—and can sync its accounts between them. Authy used to support both iOS and macOS and sync accounts between them but dropped its Mac support over a year ago (see “Authy Desktop to Reach End-of-Life on 19 March 2024,” 14 February 2024). In fact, Proton Authenticator’s “Mac app” is actually an iPad app, meaning that it doesn’t really look like a Mac app and runs only on Macs with Apple silicon. There also seems to be no way to update accounts using the Mac version; I can’t figure out how to simulate the iPhone version’s touch and hold on the Mac.

Proton Authenticator claims that it can import existing accounts from itself and Proton’s password manager, Proton Pass (which features the same two-step verification capability as 1Password), plus other two-factor systems, including 2FAS, Aegis Authenticator, Authy, Bitwarden Authenticator, Ente Auth, Google Authenticator, LastPass Authenticator app, and Microsoft Authenticator.

Proton Authenticator import

However, for Authy and Microsoft Authenticator, Proton Authenticator indicates that they don’t offer export options, so there’s no way to import from them. Why include them in the interface when there’s no chance they could work?

Missing from the import list are 1Password and Apple’s Passwords. 1Password seems like an understandable omission, since I see no way of extracting the two-factor authentication seed. However, Apple’s Passwords does allow copying of a setup URL that contains a secret attribute you can paste in when manually creating a Proton Authenticator account.

otpauth://totp/Example%3A%20ace%40tidbits.com?secret=h62c5sy3kq3fs4rdsdlh3yje&issuer=Example

When creating manual accounts, Proton Authenticator allows you to configure the number of digits it will display and how often they will rotate. For the algorithm, you can choose from SHA1, SHA256, and SHA512, and for the type, between TOTP and STEAM. I honestly have no idea when those might be necessary, but Thag the Security-Conscious Caveman approves.

Thag on Proton Authenticator: what you get when asking ChatGPT to create a cartoon to illustrate the above paragraph.

Other nice touches include:

  • When used within the Apple ecosystem, Proton Authenticator lets you sync accounts via iCloud, which is easier than Authy’s separate account. A Proton account is necessary if you want to sync across non-Apple platforms.
  • To boost security, Proton Authenticator can restrict access using Face ID on the iPhone and Touch ID on the iPad and Mac. However, it does not allow you to set a separate PIN for access, meaning that if someone learns your passcode or password, they can use that even if they fail biometric authentication. An independent access PIN would be an easy and important thing to add.
  • It displays both the current code and the next one (and lets you copy either on the Mac from the contextual menu). This feature is particularly helpful when the current code is about to expire—instead of having to wait for the new code to generate, you can use the next code that’s already displayed.
  • An option to hide codes ensures that no one can shoulder-surf your codes after you’ve unlocked the app. (Tap or click one to copy it.) Even though the codes are good for only 30 seconds—1 minute if you display the next code—that still provides a window in which a spy movie hacker could get in.
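The setup URL quoted above, the manual-account settings (digits, rotation period, SHA1/SHA256/SHA512, TOTP vs. Steam) and the "current plus next code" display all come down to one small algorithm, RFC 4226 HOTP truncation driven by a time counter (RFC 6238). The following Python is an added example, not code from TidBITS or from Proton; it parses the article's otpauth URL (using the article's own example secret), generates standard TOTP codes for any of the three hash algorithms, produces Steam's five-character codes, and computes the current and upcoming code the way the app displays them. The `"steam"` type value, the `current_and_next` helper and the Steam alphabet handling are this example's own assumptions about how such an entry is represented, not Proton Authenticator's internal format.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# The setup URL quoted in the article (its secret is the article's example value, not a real account).
EXAMPLE_URI = (
    "otpauth://totp/Example%3A%20ace%40tidbits.com"
    "?secret=h62c5sy3kq3fs4rdsdlh3yje&issuer=Example"
)

# Steam's 26-symbol code alphabet (no 0/1/O/I, so codes are easy to read aloud).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def _dynamic_truncate(key: bytes, counter: int, algorithm: str) -> int:
    """RFC 4226 core step: HMAC over the 8-byte big-endian counter, then the
    31-bit integer found at the offset named by the low nibble of the last byte."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): the truncated value reduced to `digits` decimal digits,
    zero-padded so a code such as 07081804 keeps its leading zero."""
    return str(_dynamic_truncate(key, counter, algorithm) % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(at_time) // period, digits, algorithm)


def steam_code(key: bytes, at_time: int, period: int = 30) -> str:
    """Steam-style code: the same HMAC-SHA1 truncation, but the 31-bit value is
    written in base 26 with Steam's alphabet, five symbols, least significant first."""
    value = _dynamic_truncate(key, int(at_time) // period, "sha1")
    out = []
    for _ in range(5):
        out.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(out)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// setup URL into the parameters an authenticator stores.
    The defaults (6 digits, 30 s, SHA1) are what a URL without those fields means."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth:// URL")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    # Secrets are base32, frequently lowercase and without '=' padding; normalise both.
    secret = query["secret"].strip().upper()
    secret += "=" * (-len(secret) % 8)
    issuer = query.get("issuer")
    if issuer is None and ":" in label:
        issuer = label.split(":", 1)[0]
    return {
        "type": parsed.netloc.lower(),  # "totp" here; "steam" is this example's own label for Steam entries (assumption)
        "label": label,
        "issuer": issuer,
        "key": base64.b32decode(secret),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def current_and_next(entry: dict, now: int) -> tuple:
    """Return (current code, next code, seconds until the current code expires):
    the two values an app shows when 'display next code' is enabled."""
    period = entry["period"]

    def make(t: int) -> str:
        if entry["type"] == "steam":
            return steam_code(entry["key"], t, period)
        return totp(entry["key"], t, entry["digits"], period, entry["algorithm"])

    remaining = period - (int(now) % period)
    return make(now), make(now + period), remaining


if __name__ == "__main__":
    import time
    entry = parse_otpauth(EXAMPLE_URI)
    current, upcoming, remaining = current_and_next(entry, int(time.time()))
    print(f"{entry['issuer']} ({entry['label']}): {current}, then {upcoming} in {remaining}s")
```

The "next code" is simply the code for the following 30-second window, which is why an app can show it ahead of time; it also shows why the secret in the setup URL is the whole secret, since anyone who copies that URL can run this same computation.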

Overall, Proton Authenticator looks like a solid entry in the burgeoning category for two-factor authentication apps, which—based on a quick App Store search—is flooded with approximately 31,742 entries from aspiring developers who pasted a TOTP library from GitHub into an Xcode project.

All that said, I’m sticking with 1Password.

Many of the subsequent comments actually predate this article—I’m moving them here to centralize discussion of Proton Authenticator.

Introducing Proton Authenticator – secure 2FA, your way

Proton Authenticator protects your accounts with best-in-class security for free, whether you have a Proton Account or not. You can sign in to your Proton Account or use iCloud sync if you want to sync your codes between multiple devices, or you can keep your codes locally on one device. It’s a greater level of flexibility than many other 2FA apps available.

Very interesting. I’ve been happy with Authy, though I’ve had some worries about Twilio’s commitment to the tool. I’ll be investigating Proton as an alternative.

1 Like

I’m thinking about switching from OTP Auth, which also syncs across iCloud (perfect for me) to Proton now that it’s here. I’ll likely be checking it out later today.

I have a few authentication tokens in 1Password and the Apple Passwords app, but those are for accounts I don’t care about all that much, and which tend to bug me a lot more than I’d like for the 2FA - having to go to a separate app can be a pain.

I hope they add Watch support.

Kevin

There is an Apple Watch version. I haven’t tried it yet, but it is available.

[edit - I have it installed. It works just fine. Unlike the iOS version, it shows only the current 2FA code and not the next one.]

I didn’t see the Apple Watch mentioned in their web page, but it was mentioned in the description in the App Store, so thank you for the tip.

Proton Authenticator’s product page says:

Easily import your existing codes


But, I can’t find a list of existing authenticators from which Proton’s can import.

Does anyone know which authenticators are supported by Proton Authenticator’s import capability?

Thank you.

It can import from:

  • 2FAS
  • Aegis Authenticator
  • Bitwarden Authenticator
  • Ente Auth
  • Google Authenticator
  • Lastpass Authenticator
  • And, weirdly, Proton Authenticator
  • Proton Pass

There are also import icons for Authy and Microsoft Authenticator but with yellow caution signs that say these apps don’t support exporting data from their app and suggests contacting the developer to add that support.

I’ve set it up. It’s nice - it shows the next code coming in the iOS app (not the watchOS app though) and the codes are large and take up a lot of space - I can see 5 on my iPhone screen at a time, but there is an option to make the search bar (by default on the bottom) activated by default when you start the app.

If you have a Proton account it will sync between devices, plus it optionally backs up to iCloud.

2 Likes

My understanding is that Watch support has happened already, but I can’t find verification.

The iOS App Store listing for Proton Authenticator shows an Apple Watch app.

As always, I should remember to maybe wait a few releases before installing a new app, particularly when it deals with securing important secrets. :roll_eyes:

:open_mouth:
(WOW, horrible mistake)

Please correct me if I have misunderstood this…
If I install this authenticator on my desktop am I not cancelling out the benefit of two factor authentication? To reassert that protection I can switch on 2FA access in the desktop version of Proton Authenticator which forces me to use my phone before I can access codes on the desktop. But in that case why not just use the phone version alone?
For those with multiple phones or laptops with cellular connections there may be a real benefit here.

A commonly held belief. And actually early on, 2FA was often advertised that way. But truth is, you don’t need to rely on two separate devices. It’s usually a pain, too. The security benefit of 2FA comes from requiring something you know (password) with something you have (authenticated device). If you eavesdrop on the secret, you still don’t have the device. Conversely, if you steal the device, you still don’t learn the secret. But there is no actual requirement that these two items have to originate from separate devices. Obviously, this breaks down if your device security is poor, i.e. anybody can use your device to generate authentication codes (which is also why most auth apps offer a password/TouchID option). Or you write down your device password on a sticky note attached to or around the device.

4 Likes

This is the bit from that article that is most concerning, IMO if it is true.

if the attacker has access to your device to access the local logs, they will anyways be able to obtain the secrets, and there is nothing Proton (or any 2FA app) can do to prevent that

1 Like

Thank you!

Absolutely true. Because all of these 2FA apps have mechanisms to backup/restore/transfer credentials.

For instance, in Google Authenticator, I can tell it to export all my keys. It will generate a QR code containing them all, which I can scan using Google Authenticator on another phone, importing them all.

The way to protect against it is to make sure you have security on your device. In my particular case, the phone is locked with FaceID, and Google Authenticator (like many other secure apps) requires another Face ID authentication when the app is launched. But if someone gets my device passcode, that security goes away. So it is really important to keep that code secret.

I suppose an authenticator app could be designed such that there is no way to export/transfer keys to another device, but I don’t think many people would want to use it, since you’d need to generate new keys every time you get a new phone. And it may be a challenge to do that if your old phone is lost/stolen/broken.

Apple (sort of) solves this problem by keeping the keys used by Apple’s 2FA in iCloud. They are automatically sync’ed to devices that are logged in to your Apple ID. Someone who gets your Apple ID credentials can therefore generate codes used by Apple’s 2FA system. You can lock out an attacker by changing your password, but you’d better do it before the attacker does it to you.

So yeah, if someone gets the login credentials to your authentication device, you’re in for a world of hurt.

2 Likes

The iOS/iPadOS version of Google Authenticator was like that until just a couple of years ago! That made setting up a new phone or tablet a major pain (unless one did something incredibly insecure: keeping printouts of the QR codes used to sync Authenticator with a website).