AppBITS: Proton Authenticator Takes on 2FA Apps
In “Two-Factor Authentication, Two-Step Verification, and 1Password” (10 July 2023), I explained that for true two-factor authentication, you need to obtain your time-based one-time password (TOTP) from a device other than the one on which you’re logging in. By having 1Password enter those automatically generated six-digit codes for me, I’m instead using two-step verification. That’s much more secure than plain passwords, but not as strong as two-factor authentication because an attacker who compromises 1Password gains access to both the password and the verification code.
I’m willing to accept that slightly reduced level of security in return for a vastly better user experience, but if you’re not, the Swiss company Proton, best known for the security-focused ProtonMail service and Proton VPN (see “Do You Use It? VPN Use Is Widespread,” 26 May 2025), has introduced a new standalone app for generating two-factor authentication codes. The free and open source Proton Authenticator works like Google Authenticator and Authy, enabling you to add accounts that support two-factor authentication and display the six-digit codes they generate.
What sets Proton Authenticator apart from Google Authenticator and Authy is that it runs on more platforms—iOS, macOS, Windows, Android, and Linux—and can sync its accounts between them. Authy used to support both iOS and macOS and sync accounts between them but dropped its Mac support over a year ago (see “Authy Desktop to Reach End-of-Life on 19 March 2024,” 14 February 2024). In fact, Proton Authenticator’s “Mac app” is actually an iPad app, meaning that it doesn’t really look like a Mac app and runs only on Macs with Apple silicon. There also seems to be no way to update accounts using the Mac version; I can’t figure out how to simulate the iPhone version’s touch and hold on the Mac.
Proton Authenticator claims that it can import existing accounts from itself and Proton’s password manager, Proton Pass (which features the same two-step verification capability as 1Password), plus other two-factor systems, including 2FAS, Aegis Authenticator, Authy, Bitwarden Authenticator, Ente Auth, Google Authenticator, LastPass Authenticator app, and Microsoft Authenticator.
However, for Authy and Microsoft Authenticator, Proton Authenticator indicates that they don’t offer export options, so there’s no way to import from them. Why include them in the interface when there’s no chance they could work?
Missing from the import list are 1Password and Apple’s Passwords. 1Password seems like an understandable omission, since I see no way of extracting the two-factor authentication seed. However, Apple’s Passwords does allow copying of a setup URL that contains a secret attribute you can paste in when manually creating a Proton Authenticator account.
otpauth://totp/Example%3A%20ace%40tidbits.com?secret=h62c5sy3kq3fs4rdsdlh3yje&issuer=Example
When creating manual accounts, Proton Authenticator allows you to configure the number of digits it will display and how often they will rotate. For the algorithm, you can choose from SHA1, SHA256, and SHA512, and for the type, between TOTP and STEAM. I honestly have no idea when those might be necessary, but Thag the Security-Conscious Caveman approves.
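As an added illustration (this is not code from the article or from Proton), here is how the digits, rotation period, and hash algorithm settings described above feed into the code an authenticator displays: a minimal RFC 6238 TOTP implementation that also parses a setup URI of the kind pasted above. The sample URI is constructed for this example, with the RFC 6238 SHA-1 test key as its secret; the function and parameter names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions an otpauth URI's "algorithm" parameter may name.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, for_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... setup URI into the parameters an authenticator stores.
    Defaults (SHA1, 6 digits, 30 s) are the key-URI conventions most sites rely on."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = query["secret"].upper()
    # Setup URIs usually omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def current_codes(uri: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Return (current code, next code) for a setup URI, mirroring an app that shows both."""
    p = parse_otpauth(uri)
    now = int(time.time()) if now is None else now
    cur = totp(p["secret"], now, p["digits"], p["period"], p["algorithm"])
    nxt = totp(p["secret"], now + p["period"], p["digits"], p["period"], p["algorithm"])
    return cur, nxt


if __name__ == "__main__":
    # Constructed sample URI; the secret is the RFC 6238 test key "12345678901234567890" in base32.
    SAMPLE = ("otpauth://totp/Example%3A%20alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    print(parse_otpauth(SAMPLE)["label"], current_codes(SAMPLE))
```

The practical reason those manual settings exist is visible in `parse_otpauth`: if a site issues a SHA256 or 8-digit secret and the app is left at the SHA1/6-digit defaults, every code it shows is wrong, with no error to explain why. Note also that `hotp` never compares codes itself; a server doing the check should use a constant-time comparison and accept only a small window of adjacent periods.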

Other nice touches include:
- When used within the Apple ecosystem, Proton Authenticator lets you sync accounts via iCloud, which is easier than Authy’s separate account. A Proton account is necessary if you want to sync across non-Apple platforms.
- To boost security, Proton Authenticator can restrict access using Face ID on the iPhone and Touch ID on the iPad and Mac. However, it does not allow you to set a separate PIN for access, meaning that if someone learns your passcode or password, they can use that even if they fail biometric authentication. An independent access PIN would be an easy and important thing to add.
- It displays both the current code and the next one (and lets you copy either on the Mac from the contextual menu). This feature is particularly helpful when the current code is about to expire—instead of having to wait for the new code to generate, you can use the next code that’s already displayed.
- An option to hide codes ensures that no one can shoulder-surf your codes after you’ve unlocked the app. (Tap or click one to copy it.) Even though the codes are good for only 30 seconds—1 minute if you display the next code—that still provides a window in which a spy movie hacker could get in.
Overall, Proton Authenticator looks like a solid entry in the burgeoning category for two-factor authentication apps, which—based on a quick App Store search—is flooded with approximately 31,742 entries from aspiring developers who pasted a TOTP library from GitHub into an Xcode project.
All that said, I’m sticking with 1Password.


Many of the subsequent comments actually predate this article—I’m moving them here to centralize discussion of Proton Authenticator.
Introducing Proton Authenticator – secure 2FA, your way
Proton Authenticator protects your accounts with best-in-class security for free, whether you have a Proton Account or not. You can sign in to your Proton Account or use iCloud sync if you want to sync your codes between multiple devices, or you can keep your codes locally on one device. It’s a greater level of flexibility than many other 2FA apps available.
Very interesting. I’ve been happy with Authy, though I’ve had some worries about Twilio’s commitment to the tool. I’ll be investigating Proton as an alternative.
I’m thinking about switching from OTP Auth, which also syncs across iCloud (perfect for me) to Proton now that it’s here. I’ll likely be checking it out later today.
I have a few authentication tokens in 1Password and the Apple Passwords app, but those are for accounts I don’t care about all that much, and which tend to bug me a lot more than I’d like for the 2FA - having to go to a separate app can be a pain.
I hope they add Watch support.
Kevin
There is an Apple Watch version. I haven’t tried it yet, but it is available.
[edit - I have it installed. It works just fine. Unlike the iOS version, it shows only the current 2FA code and not the next one.]
I didn’t see the Watch mentioned in their web page, but it was mentioned in the description in the App Store, so thank you for the tip.
Proton Authenticator’s product page says:
But, I can’t find a list of existing authenticators from which Proton's can import.
Does anyone know which authenticators are supported by Proton Authenticator’s import capability?
Thank you.
It can import from:
2FAS
Aegis Authenticator
Bitwarden Authenticator
Ente Auth
Google Authenticator
Lastpass Authenticator
And, weirdly, Proton Authenticator
Proton Pass
There are also import icons for Authy and Microsoft Authenticator but with yellow caution signs that say these apps don’t support exporting data from their app and suggest contacting the developer to add that support.
I’ve set it up. It’s nice - it shows the next code coming in the iOS app (not the watchOS app though) and the codes are large and take up a lot of space - I can see 5 on my iPhone screen at a time, but there is an option to make the search bar (by default on the bottom) activated by default when you start the app.
If you have a Proton account it will sync between devices, plus it optionally backs up to iCloud.
My understanding is that Watch support has happened already, but I can’t find verification.
The iOS App Store listing for Proton Authenticator shows an Apple Watch app.
As always, I should remember to maybe wait a few releases before installing a new app, particularly when it deals with securing important secrets.
(WOW, horrible mistake)
Please correct me if I have misunderstood this…
If I install this authenticator on my desktop am I not cancelling out the benefit of two factor authentication? To reassert that protection I can switch on 2FA access in the desktop version of Proton Authenticator which forces me to use my phone before I can access codes on the desktop. But in that case why not just use the phone version alone?
For those with multiple phones or laptops with cellular connections there may be a real benefit here.
A commonly held belief. And actually early on, 2FA was often advertised that way. But truth is, you don’t need to rely on two separate devices. It’s usually a pain, too. The security benefit of 2FA comes from requiring something you know (password) with something you have (authenticated device). If you eavesdrop on the secret, you still don’t have the device. Conversely, if you steal the device, you still don’t learn the secret. But there is no actual requirement that these two items have to originate from separate devices. Obviously, this breaks down if your device security is poor, i.e. anybody can use your device to generate authentication codes (which is also why most auth apps offer a password/TouchID option). Or you write down your device password on a sticky note attached to or around the device.
This is the bit from that article that is most concerning, IMO if it is true.
Thank you!
Absolutely true. Because all of these 2FA apps have mechanisms to backup/restore/transfer credentials.
For instance, in Google Authenticator, I can tell it to export all my keys. It will generate a QR code containing them all, which I can scan using Google Authenticator on another phone, importing them all.
The way to protect against it is to make sure you have security on your device. In my particular case, the phone is locked with FaceID, and Google Authenticator (like many other secure apps) requires another Face ID authentication when the app is launched. But if someone gets my device passcode, that security goes away. So it is really important to keep that code secret.
I suppose an authenticator app could be designed such that there is no way to export/transfer keys to another device, but I don’t think many people would want to use it, since you’d need to generate new keys every time you get a new phone. And it may be a challenge to do that if your old phone is lost/stolen/broken.
Apple (sort of) solves this problem by keeping the keys used by Apple’s 2FA in iCloud. They are automatically sync’ed to devices that are logged in to your Apple ID. Someone who gets your Apple ID credentials can therefore generate codes used by Apple’s 2FA system. You can lock out an attacker by changing your password, but you’d better do it before the attacker does it to you.
So yeah, if someone gets the login credentials to your authentication device, you’re in for a world of hurt.
The iOS/iPadOS version of Google Authenticator was like that until just a couple of years ago! That made setting up a new phone or tablet a major pain (unless one did something incredibly insecure: keeping printouts of the QR codes used to synch Authenticator with a website).
So I’ve decided to remove all the codes and then delete the app. It’s probably fine for most people, but this issue reminds me that one thing I like about OTP Auth is that it uses a discrete PIN to unlock when starting the app. So while it can use Face ID or Touch ID to unlock, without biometrics it requires a PIN.
While I have done this, I have done it in a secure way. (I won’t share how, though.)
Serious question, not trolling: why? Would describing your method compromise its security somehow?
I spent an afternoon going through Proton Authenticator & comparing it to several other 2FA Auth apps. All are sort of similar, but Proton Auth has some equal or better features, especially for a 1.0. Some more mature 2FA apps are better.
Good:
Import works well. (From Auth apps that support export).
Export works well. Via Dropbox, AirDrop, etc. (Can also use export as an alt backup.)
Backup to iCloud.
Multi-device Sync (requires Free or Paid Proton account).
Easy to use.
Can export to file, then re-import to different device. This is a way to “manually sync” your devices without exposure to any particular cloud service.
Separates 2FA Auth from Password manager.
Can edit name of each 2FA record.
Click to copy auth code.
Available for Mac & iOS, also Android, Windows, etc.
Bad:
Bug in Mac version can’t save imported entries. Auto-deletes all imported entries at quit. Can not save edits in imported entries either. Still an issue in v 1.1.1(3) on Aug 6, 2025.
No push notification when 2FA code is received. (You’ll need to remember which Auth app to open & which entry).
Multi-device Sync requires Free or Paid Proton account.
Free Proton account is fine to start, but you may outgrow it & need the paid account.
Non-optional display of next 2FA code in app. This may give a shoulder surfer enough time to attack. Would be better as an optional preference.
No sync via iCloud. Only backup.
Exported JSON file is plain text. Easily readable in any text editor. (This could also be considered a good feature).
Overall I like the new Proton Auth app.
I always considered that a feature rather than an undesirable limitation, though it was inconvenient at times. I always keep the seed codes securely stored with other critical, confidential documents.
Kevin
So far I am not convinced that this is an improvement over other authenticators. In particular:
Right, same with a device passcode. You can unlock Proton with biometrics but it falls back on the device / account passcode.
This is reminding me of why I went back to 1Password rather than using the Apple passwords app for most passwords. If your device account passphrase is known, then your passwords are discoverable. So one thing I’d need from Proton is a separate passphrase or PIN for the app that is unlocked by biometrics, but not by the device password/passphrase.
Doh! And I should have come back here before publishing my article. Been a busy week…
You’re slightly lowering your security, but not significantly. However, if you’re willing to do that, using a password manager that can also enter 2FA codes (two-step verification) makes using them a lot easier. See
I had no trouble importing from the Mac (really iPad) version from Google Authenticator. However, I can confirm that you can’t edit entries on the Mac. On the iPhone, it requires a touch and hold and then tapping Edit; I can’t see any way to simulate that on the Mac.
I had no trouble importing to iPhone from other Auth apps. Then after exporting from iPhone Proton Auth app to JSON file (via Dropbox) it was easy to import into the MacOS version. I could edit those imported entries. But could not save the edits, throwing an error.
The real problem surfaces when you quit & relaunch the MacOS app. That’s when you’ll discover Proton Auth has not saved your imported data. Even if you edited it. Manually created entries survive.
I would venture a guess that Proton has not resolved the differences in iOS file system access between the iPad version & how it needs to access the MacOS file system. Might be something like that.
It shouldn’t. Presumably they are just printed and put in a locked fire secure safe in a secure location.
As long as we don’t know the location, I don’t see a security issue as that’s literally the only thing one could do. Maybe then wipe the printer’s memory.
But physical access is total access. Same principle as the authenticator apps themselves. If someone has your device and is into the authenticator past device authentication, then it’s supposed to be you. If it’s not, you have a fundamental problem.
Or perhaps they took screenshots that are now stored locally or in the cloud (hopefully encrypted!). In any case, none of our guesses rely on security-by-obscurity so perhaps they’re doing something else.
Courtesy of @davidgerard@circumstances.run, Proton is now the only privacy vendor I know of that vibe codes its apps:
I am once again begging anyone who will listen to get off of Proton as soon as reasonably possible, and to avoid their new (terrible) apps in any case. David Gerard: "Proton’s Lumo AI chatbot: not end-to-end encrypte…" - GSV Sleeper Service
While I’m happy to see the availability of another feature-rich 2FA app, I was a bit surprised at how the mainstream press made such a big deal about the desktop clients as a delineator. Virtually none of the stories mentioned Ente Auth, which offers all the same clients (plus a web client). And, if anything, Ente Auth (which is also open source) is even more feature-rich than Proton’s app. I suspect the omission is because Ente isn’t well-known (or maybe the journalists were just lazy with their research or regurgitated a press release).
I switched myself and my whole family from Authy to Ente Auth several months ago and couldn’t be happier with the change.
Yeah, the first I’d heard of Ente Auth was in the Proton Authenticator import screen.
The few mentions of Ente Auth by readers in the comments section (at the end) of the Wirecutter’s article about authentication applications are all favorable :
Unfortunately, the article itself has no mention of Ente Auth.
I use OTP Auth
Other Features
2FAS looks promising on paper.
Anyone tried it?
Kevin
I did, I’d say approx the same feature set as OTP Auth but slightly less good IMHO.
For example the 2FAS browser extension implementation is quite awkward, you click the Safari toolbar icon, then have to use your iPhone in the middle to authorise the request, then the code appears on your Mac, you copy and paste. And it didn’t seem to autofill the login page of the website I was testing.
Thanks for the feedback @gingerbeardman
I’ve looked at OTP Auth, EnteAuth, Duo, Google Authenticator, and some others, and the feature that I really like (I won’t say “need”) is Apple Watch support. I find that a lot handier than dragging out my phone every time.
Kevin
I’ve used OTP Auth for a few years, and the Apple Watch app for more than half my OTP lookups (it’s such a pain to switch to OTP Auth on the phone and back to the app when I can just look at my watch.). The Watch app is just fine.
Totally fair. I don’t have an Apple Watch.
I have my top three 2FA codes accessible with a swipe on my lock screen. And all codes available with an extra tap to open the app.
I do like Duo Mobile. It’s owned by Cisco, which bought up the security startup. It lets you sign up and use it for personal use without having to pay until you need more licenses, say if you are a small to medium business.
Google and Duo now migrate the stored entries when you upgrade your phone in-place.
I have a dumb question. I use Google Authenticator with some sites. I can’t just switch to Proton Authenticator though, can I? I mean, the fact I use Google Authenticator is because the sites said to use it. How can a new authenticator easily get adopted?
Not a dumb question. Yes, you can switch to another of these Authenticator apps, since they all use the same protocol as Google Authenticator does. The Apple Passwords app can also be used to generate codes, as can 1Password and BitWarden and other password managers. That said - if Google Authenticator is working well for you, there’s really no reason to switch.
That’s interesting. And weird. I always thought these codes were more unique than that. It somehow makes it feel “too open.”
One of my banks sends me a dedicated device that generates a code and needs to be replaced every few years. Does that also use the same protocol?
You can’t just use the new authenticator, you will have to reseed the number with your new app. At least that’s what I assume since the seed number is generated by the program the first time you sync. Though you can use any authentication app or program, you can’t switch between different apps without the reseed. That would be my understanding
As previously detailed, you can import codes from Google Authenticator into Proton Authenticator. Also, some other Authenticator apps show you the secret or even a QR code so if you have another device you can use it to scan the QR code (or you can manually enter the secret.)
Actually, the codes generated by Google Authenticator and other apps based on the same 2FA standard aren’t “weird” or more “open” than older standards. Users can resynchronize the code generator whenever they want; physical code fobs cannot be reset by users. The current standard hasn’t been compromised unlike the RSA standard used by many physical fobs. Finally, openness can be an advantage for security. Protocols and algorithms that depend on secretive code bases cannot receive the same levels of scrutiny and testing that widely adopted open source or publicly visible code does.
Which protocol your physical fob uses depends on its manufacturer.
If your old app has a way to export those seeds, you can import them into another app.
For example, Google Authenticator can export them to a proprietary QR code (up to 10 codes per QR) that can be read by other instances of Google Authenticator (so there’s no need to sync via your Google cloud storage).
Fortunately, the proprietary “otpauth-migrate” URN schema isn’t too proprietary. There are open source projects that will decode it into a set of standard otpauth URNs, which you can use for migration to other apps (or for re-creation of the original QR codes, which anything can scan).
See also:
Of course, this is just Google Authenticator. Other apps may export the keys in other ways. And it will always be easier if your new authenticator app can just import directly from your old one.
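To make the migration point in the comment above concrete, here is an added example (not the commenter’s code and not one of the open source projects mentioned) that decodes a Google Authenticator migration QR payload into standard otpauth:// URIs. It parses the protobuf wire format by hand. The scheme name (`otpauth-migration://offline?data=`), the field numbers and the enum values are my assumptions, taken from how the open source decoders document the payload, not from this page; the sample export is constructed inside the block so it runs offline.

```python
import base64
from urllib.parse import parse_qs, quote, urlparse

# Enum values of the migration payload (assumed; documented by open-source decoders).
ALGORITHM = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {1: 6, 2: 8}
OTP_TYPE = {1: "hotp", 2: "totp"}


def _read_varint(buf: bytes, pos: int):
    """Decode one protobuf varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _parse_message(buf: bytes) -> dict:
    """Minimal protobuf wire-format parser: {field_number: [values...]}.
    Only varint (wire type 0) and length-delimited (wire type 2) fields occur here."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire = key >> 3, key & 0x07
        if wire == 0:
            value, pos = _read_varint(buf, pos)
        elif wire == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire} for field {field}")
        fields.setdefault(field, []).append(value)
    return fields


def decode_migration(uri: str) -> list:
    """Turn one migration URI into a list of standard otpauth:// URIs."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    raw = base64.b64decode(parse_qs(parts.query)["data"][0])
    payload = _parse_message(raw)
    out = []
    for entry in payload.get(1, []):                      # field 1: repeated otp_parameters
        f = _parse_message(entry)
        secret = base64.b32encode(f[1][0]).decode().rstrip("=")  # field 1: raw secret bytes
        name = f.get(2, [b""])[0].decode()                # field 2: account name
        issuer = f.get(3, [b""])[0].decode()              # field 3: issuer
        algorithm = ALGORITHM.get(f.get(4, [1])[0], "SHA1")
        digits = DIGITS.get(f.get(5, [1])[0], 6)
        otp_type = OTP_TYPE.get(f.get(6, [2])[0], "totp")
        label = f"{issuer}:{name}" if issuer else name
        query = f"secret={secret}&algorithm={algorithm}&digits={digits}"
        if issuer:
            query += f"&issuer={quote(issuer)}"
        if otp_type == "hotp":
            query += f"&counter={f.get(7, [0])[0]}"       # field 7: HOTP counter
        out.append(f"otpauth://{otp_type}/{quote(label)}?{query}")
    return out


# --- Constructed sample export (not a real one): hand-encoded protobuf so the block runs offline ---
def _varint(n: int) -> bytes:
    b = bytearray()
    while True:
        b.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes(b)


def _field(number: int, value) -> bytes:
    """Encode an int as a varint field or bytes as a length-delimited field."""
    if isinstance(value, int):
        return _varint(number << 3) + _varint(value)
    return _varint((number << 3) | 2) + _varint(len(value)) + value


def sample_migration_uri() -> str:
    entry = (_field(1, base64.b32decode("JBSWY3DPEHPK3PXP")) + _field(2, b"alice@example.com")
             + _field(3, b"Example") + _field(4, 1) + _field(5, 1) + _field(6, 2))
    payload = _field(1, entry) + _field(2, 1) + _field(3, 1) + _field(4, 0) + _field(5, 12345)
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(payload).decode())


if __name__ == "__main__":
    for line in decode_migration(sample_migration_uri()):
        print(line)
```

Because the output is the same otpauth:// form that any authenticator can scan or accept by hand, this is the step that turns an export locked to one app into a portable set of seeds. The decoded URIs carry the secrets in the clear, so treat the output exactly as you would a printed recovery QR code.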
They are more unique than that. The secret for each is only on your device. You can do what you want with it, delete it or migrate it to another app. I would say it’s “interoperable”
You should take a look at Raivo OTP, https://raivo-otp.com, which provides iOS and MacOS apps for 2FA and backup in iCloud. Open source on GitHub.
Because of work, I use Microsoft Authenticator. Good enough for me.
Unfortunately I did not do sufficient due diligence before I decided to use Authy early this year. Then I found out that development of its Mac desktop app was dropped because Authy had been hacked, making exporting data to a different app impossible without access to a Windows computer.
Then I learned that Authy collects personal data that is linked to a unique user ID number. Then it monitors a variety of non-anonymous data analytics such as the online services used which are regularly uploaded to Authy servers. I can think of no reason why this potentially sensitive information should be collected by an authenticator app.
Fortunately I stumbled upon open-source Ente Auth and since I had fewer than 15 accounts, manually transferring them took less than an hour to accomplish.
Ente Auth has a MacOS app that can be locked using the device (Face ID, Touch ID, system password), a 4-digit pin or password. My favorite feature is that when the app is unlocked, it is quickly accessible via an icon in the Finder menu Bar. I am always on my personal computer when I need 2FA so I find this option much more convenient than using my iPhone.
I opted to create an account after carefully looking at Ente’s end-to-end encryption protocols and listening to an in-depth interview with its founder about his motivations behind developing a free and secure authentication app.
I was a 1Password user for many years. But then I suffered through the worst commercial software tech support experience in 30+ years of using Macs after I was locked-out of my data after upgrading to a subscription account. (The issue was on their end.) Fortunately, I had a current local .csv file backup. Suffice it to say that I couldn’t see trusting my data to their “care” going forward.
As a 100% apple user, I don’t see why I need anything other than built-in Apple Passwords. What am I missing?
The point of these apps is that they are cross platform, so they’re for people who need to sync passwords/auth across platforms. If you’re Apple only, Passwords is fine.
Also, since Apple Passwords uses iCloud, anybody who wishes to not have their 2FA tied to cloud servers can choose an app that keeps everything on-device only. Another reason can be people who use compartmentalization as part of their security and privacy strategy.
Ente Auth also has a self-hosting option for those who prefer to manage their own server.
Perhaps the one big risk, and it’s likely a very small risk for anyone, is Apple canceling your iCloud / Apple ID for some reason.
I’ve been using 2FA for over a decade and Passwords app is very recent. If I was starting today I’d probably use Passwords but as it is I find little reason to migrate. I might try having both running alongside each other at some point—a project for a rainy day.
This is one of those things that is deceptive. I’m sure from a technical standpoint it would be relatively easy to add an app-specific PIN for access. But from a human standpoint it makes things a lot more tricky as you then need a PIN recovery process. This in turn can be the weak link in the security chain or a significant support cost, or both!
I just duplicated my 50 (fifty!) 2FA codes from OTP Auth to Apple Passwords app using QR code scanning. Really easy. Hoping to see some benefits in the near future.
This means they’re in multiple apps and I can choose how to best fill the code depending on the situation or use case.
The experience filling 2FA codes on macOS is hugely improved using Passwords app. No need for third party apps, menu bar items, widgets, or browser extensions.
On iOS it’s improved, but relies on use of the standard keyboard as that presents the code.
Using third party keyboard like SwiftKey or Gboard or Yandex doesn’t present the code AFAIK. But it’s easy to switch to the system keyboard when you want to see the code.
So, my recommendation is now… use Passwords app. As mentioned you can use multiple places to store your 2FA and choose which to fill from, my hunch is that—like me—you will gravitate towards the reduced friction experience of Apple Passwords.
Sorry to sound like a numpty, but can you explain the process for this? There are six logins I have which require Google Authenticator and I’d love to rid myself of them.
Of course! @trilo
I’m using OTP Auth, exact steps (or even whether it’s possible to export or share secrets) will vary based on what 2FA you’re using. Some lock you in!
For obvious reason I can’t show video or screenshots.
I used two devices to make it easier by using QR codes to automate data entry. You could also copy and paste secrets between devices, etc.
Device 1
Device 2
(Repeat)
First one took me about a minute, but once you know the process each one takes about 20 seconds.
Many thanks @gingerbeardman I will definitely give this a try when I get a chance.