Possibility to create TOTP for Ente Auth in Ente Auth and no need for both 2FA when trying to connect #5323
Replies: 1 comment 4 replies
-
|
You can recover your account using the recovery key from If you wish, you can use passkeys / hardware security keys to add an additional factor for authentication. from |
Beta Was this translation helpful? Give feedback.
-
|
Hi, I already copied my recovery key, but it doesn’t seems to bypass the e-mail verification. As I see it, there is 2 scenarios :
My ideas are these :
Hope I’m clear enough. have a good day :) NOTA 1 : I saw Ente supports passkey, but it would means putting the key for my TOTP account in my password manager, which would be a major security problem IMO (putting all the eggs in the same basket). NOTA 2 : In the french version of the app, passkey is translated to code d’accès. The right translation is clé d’accès. |
Beta Was this translation helpful? Give feedback.
-
|
You can reach out to support@ente.io to disable email verification or 2FA. Also, since both of these are optional, you can choose which factor you would like to use (one of these, both of these, or none of these). Translations are crowd sourced from the community here: https://crowdin.com/project/ente-authenticator-app. If you would like to make amends, please do! |
Beta Was this translation helpful? Give feedback.
-
Maybe I misunderstood, but does it means Ente can disable 2FA (e-mail verification and TOTP) on demand ? It looks like a major security breach and defeat the all point of 2FA authentification.
I’ve seen that, but, as I explained in my previous answer, the way Ente implemented 2FA is really weird. The solutions I proposed would solve the problems I pointed, and erase the need to reach out to support to disable second factor.
Thanks. I’ll check this out. |
Beta Was this translation helpful? Give feedback.
-
|
I would like to raise this issue again since I came across this problem myself (not actually experiencing it, but thinking about the possible scenario). As @TiTwo102 mentioned before, wouldn't it be a major security breach if someone hacked my mail account, wants to get access to ente auth (which would be protected by 2FA) and then mails ente support to disable 2FA? The attacker would then be able to restore the ente auth account by triggering a password reset using my e-mail. Do you have to provide the recovery code in this process? If so, why don't you just allow users to use their recovery code before e-mail authentication in the first place? User would be able to restore the account with a code that's stored in a secure space (e.g. on paper) without writing an e-mail to support first. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
For now, the only way to add a 2FA to Ente Auth seems to be e-mail verification. Even if better than nothing, I still think it’s not the best since, if my main e-mail account is hacked or lost, I also lost access to my Ente Auth account (if I understood correctly, the recovery key doesn’t bypass the e-mail verification).
To create a 2FA TOTP for Ente Auth account, I have to go to Ente photo. I believe a setting inside the Ente Auth app to create a TOTP would be nice.
Also, there is no recovery code when you create a TOTP for the Ente account (inside Ente Photo). I noted the seed, but it’s not really the same since I would have to add this seed into another authentification app.
Also, when e-mail verification and TOTP are activated, you need both to connect to your Ente account. Having the need for just one of them would be better IMO. If I want to connect, I enter my e-mail adress. Then Ente asks me if I want to use e-mail verification OR the TOTP code, and then it asks for my password.
Beta Was this translation helpful? Give feedback.
All reactions