Add Aegis authenticators #13968
Comments
Please investigate properly before commenting. Check the Playstore link last "Updated on
To clarify I was simply quoting the site: https://lichess.org/account/twofactor and not making any claims as to the legitimacy of the archival of andOTP.
* master: replace 2FA Android app - closes #13968 - closes #13969 always show tournament verdict reason use Tournament.isEnterable remove superfluous account CSS classes, some scala tweaks dont flow text around official blog teaser image show completed game result in blind mode fix typo prettierignore readme and add -n short arg for --no-install remove unnecessary tsc flag fix insight & chart tsc deps fixing Removes conditional formatting Swiss requirements Cleaned up tournament.isStarted check css fixed #13867 tournament requirements styling add tag id and link
Very good commit in #13969 in taking care to edit existing translations for In the past we were hesitant to recommend Google Authenticator because it didn't offer cross-device sync (so more support requests), but since this April that is covered. I didn't know this and was testing alternatives for this string just yesterday, as it happens! I have two remaining concerns with Google Authenticator:
My suggestion for this guidance was to introduce an altogether new string that doesn't give a specific example, and then having a non-translatable I have a shortlist of credible alternatives on each platform and I have personally tested each one. Here is what that could look like: Get an app for two-factor authentication. We recommend the following apps: (translatable string ends here) The list of apps would be entirely outside of translations, so we could easily update them as needed. ➡️ Would you be interested in a pull request rewording the strings along these lines please @ornicar? As a bonus, the ones I cited all feature a Lichess icon and are FOSS. They also all have 100,000+ users and importantly, they support backing up to an encrypted file and not just iCloud keychain/Google Account.
There are many authenticator apps but none of them are as good as Aegis. 2FAS - It has a Google MLKit tracker and is ~5 times the size of Aegis. It took a real security expert to discover MLKit to be a tracker.
Translation:
@ornicar I really don't see a reason to suggest other alternatives when we have Aegis, a better privacy-friendly solution.
@shuvashish76 The analysis is out of date. 2FAS no longer uses Firebase Analytics, only Crashlytics. You can confirm as much from the exodus report. Not sure on ML Kit use beyond that. Authenticator Pro has a non-ML Kit version for F-Droid per this discussion, but I'll grant it's still used for barcode scanning in the Play Store version (I found some code referencing those libraries but not sure on the extent of use).
AppManager scanner report of both apps, latest PlayStore version.
Most people will use the PlayStore version anyway.
Hello people who suggest adding apps. However, Aegis is just a replacement for andOTP in the Lichess example, so others can find and use other similar applications themselves.
I agree there is no point in suggesting all the alternatives that exist in the wild. Just suggest one good app to users & that's it. In this case I've mentioned why Aegis is better (for Android). I'll not argue more about others.
I've explained above why I think it is good to give multiple options and why I don't hesitate to recommend these. It's worth noting MLKit can and does work wholly offline for barcode scanning, but it is ultimately Google software on a tracker-filled system, so I don't doubt that some data is being passed here and there. Like you say, most people will use Play Store and we have a responsibility to protect their data, but I also very much doubt that users are at any actual security risk at all. I would not mind recommending a strong user experience in this realm (coupled with good security practice), over a pure FOSS piece of software personally. As a concrete example, I think the Aegis user experience isn't quite as friendly (though it is strong). Though I cannot prove it, I think its backup prompt (after the first code is added) is probably less effective than 2FAS's, which asks the user upfront. For Wear OS watch users, the functionality Authenticator Pro provides could add a lot of value. The above, and the fact andOTP seemed healthy but then disappeared, is why I think it's good to have a few options available. I've been an Aegis user myself since andOTP was retired but I'm also conscious I don't represent the norm and I don't see these options as especially harmful. As a last note, this string would not help anyone who already has andOTP, because you don't see the string when you already have 2FA set up. However, it could help thousands of Lichess users in future, which is why it was worth thinking through our suggestions. Ultimately these are nitpicks and I'm glad we didn't just go for the standard choice of Google/Microsoft Authenticator, or putting in a password manager (which defeats half its purpose).
https://lichess.org/account/twofactor
Sadly the project has been archived, see the announcement here.
Request to replace andOTP recommendation with Aegis.
Reasons:
Please use the F-Droid link so that everyone, including users of de-googled devices and countries where the Play Store is not available, can use it.
Thanks.