
App for two-factor authentication in the cloud

This post was last updated 10 months ago

Difficulty: ◉○○○

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

One of the hottest and most discussed topics in our community is certainly that of two-factor applications. As important as they are, some find them difficult to manage precisely for fear of permanently losing the keys to the various services they are registered with. To solve this problem, many often ask themselves: which apps for two-factor authentication in the cloud exist?

Two-factor authentication, just to give a very brief summary for those who don't know what we're talking about, is the request for a unique code after logging in to a site. It is currently one of the most important security measures you can have on your online accounts and it is recommended to activate it almost everywhere. There are several methods for two-factor authentication and the most used ones are generally two: SMS and a code generated by an application.

Two-factor authentication: better not to use SMS

We tend to exclude and advise against SMS as it is an ineffective method [1], and we always suggest using a code generated by an application (in addition, obviously, to the possible use of physical keys such as the YubiKey).

There are, as we already know, many alternative applications to Google Authenticator. These applications generally make automatic and encrypted backups, but only locally. Hence the fear of many people: what if I forget to save the backup somewhere? What if I lose it? What if the app doesn't actually make the backup but crashes instead?

A small digression, since we mentioned Google Authenticator: those who use Google Authenticator have recently been able to save codes in the cloud [2]. It's a shame that, when they launched this great news, they also forgot to mention that the codes are stored without zero-knowledge encryption and are therefore potentially accessible by Google itself.

A researcher actually discovered this by analyzing data traffic [3], and only later did Google admit that, yes, in short, it was and is intentional [4]. Bottom line: don't use Google Authenticator in the cloud.

App for two-factor authentication in the cloud

Let us now try to understand the needs of daily life by proposing compromises that are as safe as possible. Having an application for two-factor authentication in the cloud is, in our opinion, less secure than having it only locally. However, it is more convenient because even if we lose our smartphone we know that our codes are all safe and encrypted "somewhere". We could do the same with the local backup, saving it (or even printing it) from time to time. However, as mentioned, we are talking about trade-offs and about making life easier with technology.

Given the importance of this operation, we find it essential that the applications used are first and foremost open source, use zero-knowledge encryption and, if possible, have passed independent security audits.

So let's go in order with our advice, always reminding you that in any case these applications should also be protected with two-factor authentication, but I recommend that you do not save the latter within the application itself, otherwise you will get into a loop of (in)security. If you plan to use one of these cloud applications, it is best to use a local one, such as Aegis or Authenticator Pro, for its 2FA code.

Make an encrypted backup once and save it somewhere safe (since it is encrypted you can save it more or less anywhere, even in saved Telegram messages, for example).

Finally, it is good to remember that the codes should all be potentially safe, as all the applications we suggest use zero-knowledge encryption, and that even if there were to be an attack on the servers of these companies, your codes would be protected by the password chosen by you. This is why, in our opinion, it is important to choose applications that are open source and have independent security audits.

Apps for two-factor authentication in the cloud: our list

Bitwarden

Open source
codes saved in the cloud
security audits
for a fee
available for iOS

Bitwarden is a free and open source password manager, one of the best and one that we often suggest. In its paid version (around €1 per month) it can also be used as an application for managing two-factor authentication. Our advice, and we repeat it often, is to not keep passwords and OTPs in the same place. Therefore, consider this alternative mainly if you use a different password manager.

Ente Auth

codes saved in the cloud
Open source
currently free (a paid plan is planned for new members in the future)
soon available for iOS (currently in beta)

Ente is a provider for managing your photos online which offers a zero-knowledge encrypted space. Recently, leveraging their architecture, they released a nice application for 2FA codes. In order to use it you must have an account on Ente, the same one you will use to save your photos. It is currently possible to have a free one-year plan for Ente, and the developers have let it be known that those who already use Ente Authenticator will be able to use it for free without problems. Ente Photos' lowest plan starts at €10 per year.

A security audit is planned for their infrastructure; however, it has not yet been carried out as the infrastructure is still being developed and improved.

Proton Pass

codes saved in the cloud
Open source
available for iOS

As with Bitwarden, we recommend Proton Pass only if it is not also used as a password manager. In the free version it allows you to manage only three credentials for two-factor authentication, while they are unlimited in the paid version. On desktop you can only use the browser extension. Clearly everything is in the cloud and simple to use.

Keepass

Open source
possibility of saving codes also in the cloud
security audits
free (if we exclude the server to rely on)
available for iOS

Keepass is an offline password manager which, however, also allows you to save authentication codes and, above all, can also work in the cloud. How? We have dedicated an entire article to this option, so if you are interested you can see it here. It is generally possible to use any WebDAV connection, such as any Nextcloud server, encrypting everything with its own key.

Standard Notes

codes saved in the cloud
Open source
security audits
for a fee
available for iOS

In the paid version (around €50 per year) Standard Notes, an excellent alternative to Google Keep, offers the possibility of managing your 2FA in the cloud. Given the somewhat high price, it is unlikely that anyone would want to pay this amount exclusively for 2FA in the cloud; however, if you are already thinking of using Standard Notes for your private documents, then you could take advantage of this opportunity.

  1. Is SMS 2FA Secure?
  2. Google Authenticator now supports Google Account synchronization
  3. Mysk on Mastodon
  4. Google's response


By skariko

Author and administrator of the web project The Alternatives