So I’ve decided to remove all the codes and then delete the app. It’s probably fine for most people, but this issue reminds me that one thing I like about OTP Auth is that it uses a discrete PIN to unlock when starting the app. So while it can use Face ID or Touch ID to unlock, without biometrics it requires a PIN.
While I have done this, I have done it in a secure way. (I won’t share how, though.)
I spent an afternoon going through Proton Authenticator & comparing it to several other 2FA Auth apps. All are sort of similar, but Proton Auth has some equal or better features, especially for a 1.0. Some more mature 2FA apps are better.
Good:
Import works well. (From Auth apps that support export).
Export works well. Via DropBox, AirDrop, etc. (Can also use export as an alt backup.)
Backup to iCloud.
Multi-device Sync (requires Free or Paid Proton account).
Easy to use. Can export to file, then re-import to different device. This is a way to “manually sync” your devices without exposure to any particular cloud service.
Separates 2FA Auth from Password manager.
Can edit name of each 2FA record.
Click to copy auth code.
Available for Mac & iOS, also Android, Windows, etc.
Bad: Bug in Mac version can’t save imported entries. Auto-deletes all imported entries at quit. Cannot save edits in imported entries either. Still an issue in v 1.1.1(3) on Aug 6, 2025.
No push notification when 2FA code is received. (You’ll need to remember which Auth app to open & which entry).
Multi-device Sync requires Free or Paid Proton account.
Free Proton account is fine to start, but you may outgrow it & need the paid account.
Non-optional display of next 2FA code in app. This may give a shoulder surfer enough time to attack. Would be better as an optional preference.
No sync via iCloud. Only backup.
Exported JSON file is plain text. Easily readable in any text editor. (This could also be considered a good feature).
The iOS/iPadOS version of Google Authenticator was like that until just a couple of years ago!
I always considered that a feature rather than an undesirable limitation, though it was inconvenient at times. I always keep the seed codes securely stored with other critical, confidential documents.
So far I am not convinced that this is an improvement over other authenticators. In particular:
the security for the desktop app is the password for the current user account. If my machine is stolen and somehow the user account password is hacked, then doesn’t that defeat second-factor protection?
I have had a Proton account for years. It was accepted by the iPhone Proton Authenticator app but not by the Mac desktop Authenticator. To enter codes in the desktop version they can be exported from the phone and imported on the desktop. Not a problem, but syncing is better and more secure. It looks as though Dave Nathanson did not have this problem so I wonder what I am doing wrong.
Right, same with a device passcode. You can unlock Proton with biometrics but it falls back on the device / account passcode.
This is reminding me of why I went back to 1Password rather than using the Apple passwords app for most passwords. If your device account passphrase is known, then your passwords are discoverable. So one thing I’d need from Proton is a separate passphrase or PIN for the app that is unlocked by biometrics, but not by the device password/passphrase.
Doh! And I should have come back here before publishing my article. Been a busy week…
You’re slightly lowering your security, but not significantly. However, if you’re willing to do that, using a password manager that can also enter 2FA codes (two-step verification) makes using them a lot easier. See
I had no trouble importing from the Mac (really iPad) version from Google Authenticator. However, I can confirm that you can’t edit entries on the Mac. On the iPhone, it requires a touch and hold and then tapping Edit; I can’t see any way to simulate that on the Mac.
I had no trouble importing to iPhone from other Auth apps. Then after exporting from iPhone Proton Auth app to JSON file (via Dropbox) it was easy to import into the MacOS version. I could edit those imported entries. But could not save the edits, throwing an error.
The real problem surfaces when you quit & relaunch the MacOS app. That’s when you’ll discover Proton Auth has not saved your imported data. Even if you edited it. Manually created entries survive.
I would venture a guess that Proton has not resolved the differences in iOS file system access between the iPad version & how it needs to access the MacOS file system. Might be something like that.
It shouldn’t. Presumably they are just printed and put in a locked, fire-secure safe in a secure location.
As long as we don’t know the location, I don’t see a security issue as that’s literally the only thing one could do. Maybe then wipe the printer’s memory.
But physical access is total access. Same principle as the authenticator apps themselves. If someone has your device and is into the authenticator past device authentication, then it’s supposed to be you. If it’s not, you have a fundamental problem.
Or perhaps they took screenshots that are now stored locally or in the cloud (hopefully encrypted!). In any case, none of our guesses rely on security-by-obscurity so perhaps they’re doing something else.
Courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps:
In the single most damning thing I can say about Proton in 2025, the Proton GitHub repository has a “cursorrules” file. They’re vibe-coding their public systems. Much secure!
While I’m happy to see the availability of another feature-rich 2FA app, I was a bit surprised at how the mainstream press made such a big deal about the desktop clients as a delineator. Virtually none of the stories mentioned Ente Auth, which offers all the same clients (plus a web client). And, if anything, Ente Auth (which is also open source) is even more feature-rich than Proton’s app. I suspect the omission is because Ente isn’t well-known (or maybe the journalists were just lazy with their research or regurgitated a press release).
I switched myself and my whole family from Authy to Ente Auth several months ago and couldn’t be happier with the change.
The few mentions of Ente Auth by readers in the comments section (at the end) of the Wirecutter’s article about authentication applications are all favorable:
Unfortunately, the article itself has no mention of Ente Auth.
I did, I’d say approx the same feature set as OTP Auth but slightly less good IMHO.
For example the 2FAS browser extension implementation is quite awkward, you click the Safari toolbar icon, then have to use your iPhone in the middle to authorise the request, then the code appears on your Mac, you copy and paste. And it didn’t seem to autofill the login page of the website I was testing.
I’ve looked at OTP Auth, EnteAuth, Duo, Google Authenticator, and some others, and the feature that I really like (I won’t say “need”) is Apple Watch support. I find that a lot handier than dragging out my phone every time.
I’ve used OTP Auth for a few years, and the Apple Watch app for more than half my OTP lookups (it’s such a pain to switch to OTP Auth on the phone and back to the app when I can just look at my watch). The Watch app is just fine.