Add Aegis authenticators #13968

Closed
shuvashish76 opened this issue Nov 12, 2023 · 11 comments
Comments

@shuvashish76
shuvashish76 commented Nov 12, 2023

https://lichess.org/account/twofactor

Get an app for two-factor authentication, for example andOTP for Android...

Sadly the project has been archived, see the announcement here.

Request to replace andOTP recommendation with Aegis.
Reasons:

  • It has a whitepaper and received many formal and informal reviews.
  • No "network access" permission.
  • Supports automatic vault backups
  • Android cloud backups
  • App icons are fetched fully offline.
  • Supports importing from almost all major services/apps.
  • Quoting from USENIX review of Popular 2FA Apps
    • It seems likely that many users would consider TOTP backups important, which suggests that password strength meters could nudge them to select stronger passwords; the only app to implement a strength meter was Aegis.
    • It is also worth noting that even though we could not observe their AAB [Android Auto Backup] behavior, andOTP and Aegis Authenticator were the only apps that allowed the user to opt in/out of using AAB. Both apps required a backup password if AAB was enabled, which, we believe, would be used to derive a key and encrypt the TOTP backup before sending it to Google Drive.
    • 6.3 Responsible Disclosure: We felt there was nothing to disclose for the following 6 apps: Google Authenticator, LastPass Authenticator, FreeOTP Authenticator, Authenticator Pro, Aegis Authenticator, and Auth0 Guardian.

Please use the F-Droid link so that everyone, including users of de-googled phones or in countries where the Play Store is not available, can use it.
Thanks.

@ComradeRamen
I don't see andOTP recommended.

Get an app for two-factor authentication, for example Google Authenticator for Android or iOS.

@shuvashish76
Author

Please investigate properly before commenting. Check the Play Store link: last "Updated on Jun 14, 2021", and the project was archived on "Jun 14, 2022"; F-Droid has already moved it to their archive repository.

@ComradeRamen

To clarify I was simply quoting the site: https://lichess.org/account/twofactor and not making any claims as to the legitimacy of the archival of andOTP.

@ComradeRamen

#13969

ornicar added a commit that referenced this issue Nov 19, 2023
* master:
  replace 2FA Android app - closes #13968 - closes #13969
  always show tournament verdict reason
  use Tournament.isEnterable
  remove superfluous account CSS classes, some scala tweaks
  dont flow text around official blog teaser image
  show completed game result in blind mode
  fix typo
  prettierignore readme and add -n short arg for --no-install
  remove unnecessary tsc flag
  fix insight & chart tsc deps
  fixing
  Removes conditional formatting Swiss requirements
  Cleaned up tournament.isStarted check
  css
  fixed #13867 tournament requirements styling
  add tag id and link
@superuser-does
Collaborator

superuser-does commented Nov 19, 2023

Very good commit in #13969 in taking care to edit existing translations for twoFactorApp.
This string was on my list to raise at the end of my string review, but it is better to do it now given today's commit.

In the past we were hesitant to recommend Google Authenticator because it didn't offer cross-device sync (so more support requests), but since this April that is covered. I didn't know this and was testing alternatives for this string just yesterday, as it happens!

I have two remaining concerns with Google Authenticator:

  1. Whether iOS users tend to have Google accounts at all.
  2. For Android, Google chose not to use Android's built-in backup function, so this notably excludes Huawei users (no Google services) and certain FOSS nuts who have de-googled phones. There is an offline backup function, but it still requires a device to scan a QR code from.
    It's also worth noting the app is also no longer FOSS as of 2021.

My suggestion for this guidance was to introduce an altogether new string that doesn't give a specific example, and then have a non-translatable ul for Android and iOS respectively.

I have a shortlist of credible alternatives on each platform and I have personally tested each one. Here is what that could look like:

Get an app for two-factor authentication. We recommend the following apps: (translatable string ends here)

The list of apps would be entirely outside of translations, so we could easily update them as needed.

➡️ Would you be interested in a pull request rewording the strings along these lines please @ornicar?

As a bonus, the ones I cited all feature a Lichess icon and are FOSS. They also all have 100,000+ users and importantly, they support backing up to an encrypted file and not just iCloud keychain/Google Account.
One of the reasons that file backup is important is that the likes of LastPass have now started locking down, even though the secret is just a string of text. It also means former andOTP users like me were able to migrate to other 2FA software.

ornicar added a commit that referenced this issue Nov 19, 2023
* master:
  more 2FA app recommendations - for #13968 & #13969
@shuvashish76
Author

There are many authenticator apps but none of them are as good as Aegis.

2FAS - It has the Google ML Kit tracker. ~5 times the size of Aegis.
Authenticator Pro - Again includes ML Kit. It has non-free dependencies to support Wear OS. ~7 times heavier than Aegis.

It took a real security expert to discover that ML Kit is a tracker.
https://www.kuketz-blog.de/reaktion-der-gematik-auf-e-rezept-app-pruefung/
Quoting the relevant part (translated from German):

This communication takes place through the Google ML Kit. This communication is without cause; we use the ML Kit to read the Data Matrix code. Why the ML Kit is communicating with Firebase Analytics at all is unknown to us. In any case, it is not initiated by us.

@ornicar I really don't see a reason to suggest other alternatives when we have Aegis as a better, privacy-friendly solution.

@superuser-does
Collaborator

superuser-does commented Nov 19, 2023

@shuvashish76 The analysis is out of date. 2FAS no longer uses Firebase Analytics, only Crashlytics. You can confirm as much from the exodus report. Not sure on ML Kit use beyond that.

Authenticator Pro has a non-ML Kit version for F-Droid per this discussion, but I'll grant it's still used for barcode scanning in the Play Store version (I found some code referencing those libraries but not sure on the extent of use).
I take no issue with the proprietary dependencies for Wear OS support, which I imagine are unavoidable. If it gets more people to use 2FA, that is a benefit. It is no surprise it is larger than Aegis as it ships with hundreds of icons out of the box, and I wouldn't take that as disqualifying anyway.

@shuvashish76
Author

shuvashish76 commented Nov 19, 2023

[Screenshot: AppManager scanner report, 2FAS]

com.google.mlkit.common.internal.MlKitComponentDiscoveryService
com.google.mlkit.common.internal.MlKitInitProvider

[Screenshot: AppManager scanner report, Authenticator Pro]

com.google.mlkit.common.internal.MlKitComponentDiscoveryService

AppManager scanner report of both apps, Play Store latest version.

Authenticator Pro has a non-ML Kit version for F-Droid per this discussion, but I'll grant it's still used for barcode scanning in the Play Store version.

Most people will use the Play Store version anyway.

@M-DinhHoangViet
Contributor

Hello, people who suggest adding apps. Aegis is just a replacement for andOTP in the Lichess example, so others can find and use other similar applications themselves.

@shuvashish76
Author

shuvashish76 commented Nov 19, 2023

I agree there is no point in suggesting all the alternatives that exist in the wild. Just suggest one good app to users, and that's it. In this case I've mentioned why Aegis is better (for Android). I'll not argue more about the others.

@superuser-does
Collaborator

I've explained above why I think it is good to give multiple options and why I don't hesitate to recommend these. It's worth noting ML Kit can and does work wholly offline for barcode scanning, but it is ultimately Google software on a tracker-filled system, so I don't doubt that some data is being passed here and there.

Like you say, most people will use Play Store and we have a responsibility to protect their data, but I also very much doubt that users are at any actual security risk at all. I would not mind recommending a strong user experience in this realm (coupled with good security practice), over a pure FOSS piece of software personally.

As a concrete example, I think the Aegis user experience isn't quite as friendly (though it is strong). Though I cannot prove it, I think its backup prompt (after the first code is added) is probably less effective than 2FAS's, which asks the user upfront. For Wear OS watch users, the functionality Authenticator Pro provides could add a lot of value.
I take a bit of issue with some of the wording used by 2FAS, which isn't strictly accurate, but it is a very popular and easy-to-use program which I'd struggle to fault.

The above, and the fact that andOTP seemed healthy but then disappeared, is why I think it's good to have a few options available. I've been an Aegis user myself since andOTP was retired, but I'm also conscious I don't represent the norm, and I don't see these options as especially harmful.

As a last note, this string would not help anyone who already has andOTP, because you don't see the string when you already have 2FA set up. However, it could help thousands of Lichess users in future, which is why it was worth thinking through our suggestions. Ultimately these are nitpicks, and I'm glad we didn't just go for the standard choice of Google/Microsoft Authenticator, or putting it in a password manager (which defeats half its purpose).
