2fas-ios's Issues

Feature Request: Support autofill on iOS

👋 New user here - thanks for making a great app! I was wondering if there was any interest/history in supporting auto-filling OTP codes on iOS (similar to how this was requested for 2fas-android in twofas/2fas-android#15). I understand that neither Apple/Google work with multiple password managers configured simultaneously. It looks like 1password's OTP autofill works by copying the OTP to the clipboard when a password for that site is auto-filled, which makes sense since they're already configured as the password manager, so they know when a password is auto-filled.

For those interested in advocating for this on iOS, I also found this support discussion on Apple's forums.

I wondered if there was any exploration of this as a feature before, or if any alternative mechanisms are possible. I suspect it makes sense to simply close this issue while we wait for iOS support, but wasn't sure if I missed something

TouchID not unlocking app on iPadOS

Hello,

today I downloaded 2FAS app to test it because I'm thinking about moving on from Authy but it looks like I found a bug that when I enable unlocking using TouchID which only works sometimes, but when I try to edit registered 2FA entry it automatically asks for authentications using TouchID.

I'm using iPad Air 4th Gen running iPadOS 16.4 Public Beta.

Feature request: show the QR code for the secret key

It is sometimes useful to import the 2FA token in another app. 2FAS has the option to copy the secret key for a token which is great. It would be even better if there was also the option to display the associated QR code.

Can not edit existing token

Can't edit existing token. Can't change the name or even assign it to another group because the Save button is disabled all the time.

Is this behaviour a security feature or a bug?

Feature Request: Display Key as QR Code

Hey,

it would be great to have an option to display a QR Code (Key + Name + Additional Info)

This helps to share the item with others or with other apps (show on iPad / scan on iPhone)

My old OTP app has this feature and with this it was so easy to move to 2fas :-)

Thank you
Tom

Code is not working

Hello Team, Please check the screenshots which I have shared with you guys. Am not able to run the code and am using Xcode Version 14.2 Please lemme know what should I do or is there any stable branch?

4.5.0 layout issue with token list on iPad Mini

iPad Mini 5, iOS 16.6

Before the update to 4.5.0 the iPad Mini in portrait orientation with the sidebar enabled would show one vertical row of tokens on the right side - perfect.

Now it shows 2 rows in the token list, with the left row partially hidden behind the sidebar. You have to tap away the sidebar for half of the tokens being usable. Would be nice if you could fix that.

Please show search bar without scroll

Searching is one of the most often used features of 2FAS considering people mostly use 2FAS to go to the token they want to copy. It would be much more convenient for the search bar to always be shown instead of having to scroll down and then click search every time.

The most convenient part of Raivo was the dedicated search button in the menu bar that activated the search field with one click

(I know of the automatic search in the settings already)

Thank you for the amazing app!

Feature Request: Install on mac

First I would like to express my genuine admiration and appreciation for the 2FAS Auth app that you have developed. This application provides me with an outstanding two-factor authentication experience, making security easily accessible. Its clean design, ease of use, and reassuring encryption features allow users to effortlessly protect their data and privacy in my daily lives.

However, I have noticed that 2FAS Auth is currently available only for mobile devices. While this has already proven to be extremely convenient for many users, there may still be some inconvenience for those who frequently use Mac computers. Therefore, I kindly request that you consider developing a version of 2FAS Auth for Mac (not browser extension), allowing even more users to enjoy the security and convenience offered by 2FAS Auth on various devices. Thanks!

Apple Watch Support

As the title says, Apple Watch support would be amazing as sometimes I don't have the phone with me but the Watch always strapped onto my arm

The ToS seems overly broad

This isn't app-specific, but I'm reporting here since there's no repo for the website and the iOS app is where I was asked to accept the ToS (or at least linked to the ToS... there was no requirement to accept it?). This is about the ToS at https://2fas.com/terms-of-service/ as of 2023-09-11.


Clause 11.2 reads:

You represent and warrant that you will not modify, prepare derivative works of, or reverse engineer any of 2FAS’s Services.

Where the phrase "2FAS Services" is defined to mean "all products and services that 2FAS currently provides or may provide in the future", including the apps and the browser extension (but apparently not the server side? But I digress).

2FAS is an open source project, the apps are open source and licensed under the GPL. Is it really the intention of 2FAS to prohibit people from modifying the source code? Is it the intention of 2FAS to prohibit people from forking the repos (i.e to "prepare derivative works" of them)?

What does 2FAS consider "reverse engineering"? Everything is in the open. Is reading the source code "reverse engineering"? How about adding debug logs to trace API calls? Prohibiting "reverse engineering" in an open source project which encourages community contributions seems inappropriate, but if you do want to prohibit it, it needs a lot of clarification.


Clause 25.1 reads:

You agree to defend, indemnify, and hold harmless 2FAS, our future affiliates and their respective members, managers, shareholders, officers, directors, employees, agents, vendors, customers, indemnitees, representatives, successors, licensees and assigns, and each of them, from and against any and all claims, actions, demands, damages, losses, costs and expenses, including reasonable attorney’s fees and disbursements, charges, penalties, judgments, and interest sustained or which any of them may sustain arising out of, resulting from or relating to any material breach or alleged breach of any representation, warranty, obligation, or agreement made by you in this Agreement including, without limitation, any breach or alleged breach by you with respect to third party intellectual property, third party privacy, interference with third party or other User data, and non-permitted uses.

This seems impossible to interpret. I have tried to add parentheses around the various comma-separated lists in the sentence, but I'm unable to find a way to parenthesize it which results in a sentence which makes sense. I also find it weird that it requires me to defend and indemnify all the customers of any future affiliates of 2FAS.


Clause 11.1 reads, in part:

You represent and warrant that your use of the Services will not be for any illegal activities

I take tremendous moral issue with this. Illegal does not mean immoral or harmful. Worse, the ToS does not specify which jurisdiction it talks about; is it the one the user is registered in? The one the user currently resides in? The one 2FAS is registered in (Delaware)?

To illustrate the moral issue with this clause: Assuming the applicable jurisdiction is that in which the user lives: Should a user from a US state which has outlawed abortion be considered in breach of the ToS and risk 2FAS closing their account if they use 2FAS to authenticate with a service which lets them have an abortion?

iCloud Sync encryption?

I don't see the ability to add an encryption password when enabling iCloud Sync. Does this mean the files are stored unencrypted in iCloud, meaning they can be accessed from any of my authenticated Apple devices?

I assume this means if my Macbook was compromised for example, it would be possible for the 2FAS files to be stolen even though I only ever use 2FAS on my iPhone? This seems like a serious risk. Every additional Apple device I authenticate on is an additional risk of having my TOTP codes compromised.

It seems like an encryption password should be used when enabling iCloud Sync.

Allow users to customize icons for services

As a user of 2fas, I have noticed that many of the services I have added do not have icons available. Unfortunately, the current app only allows the addition of brand icons that already exist. In order to enhance user experience and make the app more visually appealing, I suggest adding a feature that allows users to customize and choose their own icons for added services.
This feature would be especially helpful for services that do not have premade icons available, and would allow for greater personalization and organization within the app.
Thank you for your consideration!

Import file version

Situation: Export data from LastPass Authenticator app using iOS app. Import the data into 2FAS app.

Expected behavior: The data is imported.

Actual behavior: Error, this file is in a newer format version than the one the app supports.

Raivo OTP import silently skips entries having secret seeds with spaces

Steps to reproduce:

  1. Create a token in Raivo OTP making sure to add spaces in the secret seed
  2. Export to ZIP, then unzip it
  3. Import the .json into 2FAS
  4. The token in question is silently skipped

This is made particularly serious by the present context: Raivo's main dev quietly sold out the whole community who gathered around his app to some dubious company with unclear privacy practices and then walked away whistling, so we can expect a lot of Raivo OTP users coming over to 2FAS, and they'll lose some of their tokens because of this bug.

fix/User does not get informed when codes are imported

  1. Import Google Auth tokens 'Choose QR code'
  2. User chooses QR and clicks Continue
  3. The 'Import tokens' modal shows up again with options to Scan/Choose -> however, the codes from step 2 have been imported, but user does not get informed of this

User now has to click cancel, and then switch from Settings to Tokens to see they have been imported.

Solution: after step 2, move the user to the Tokens UI, or first give options 'import more' 'done' and import more -> step 3, done -> Tokens UI

Feature Request: Google Drive Sync

Use case: My primary device is a Pixel 7 Pro (Android), and I also have an iPad. Both devices are connected to my Google account as well as Google Drive. Syncing the backups between the devices is a pain without a common backup mechanism.

Load Yubikey with TOTP from unencrypted Backup.2fas.

I just wrote a stupid simple Python app that reads an unencrypted Backup.2fas and uses the Yubikey ‘ykman’ command line app to load up a Yubikey with TOTP tokens. Install free Yubico Authenticator app and you can use the key to get your 6 digit OTPs. I know that’s what 2FAS does, and I know that putting an unencrypted Backup.2fas anywhere is seriously stupid, but it’s really cool that you allow exporting unencrypted so we can do stuff like this. I erased it.

Pairing Failed!

iOS
mac

the extension can't be pairing right.

I tried to reinstall both the extension and the apps; that did not fix it.

watchOS Wearables Support

Watch App Token Previews for watchOS

As discussed in this article, let's add a watchOS instance for the iOS app.

Provide support for the wearables watchOS targets using "Watch App for iOS App" to enable scroll view of tokens.


PS: ... I noticed similar issues were closed prior to being completed, these should remain open for people to follow and track status, also helps you avoid duplicate issues.

Linking Closed Related

Feature Request: Option to disable all internet communication

Hi everyone,

first of all I'd like to thank you for your great app and for your decision to go open-source. Your app and your website are amazing, very transparent and explain everything perfectly.

Getting to the point: In your security-section you state out, that your app does not collect personal or private data and that you only use statistical information that is collected through Firebase. To do that, your app has to connect to a whole bunch of different domains. In the last days of using the app it connected to 11 different domains: api2.2fas.com, app-measurement.com, gateway.icloud.com, ocsp.pki.goog, firebaseloggin-pa.googleapis.com, itunes.apple.com, metrics.icloud.com, device-provisioning.googleapis.com, fcmtoken.googleapis.com, firebase-setting-crashlytics.com, firebaseinstallations.googleapis.com

The issue I'd like to express is, that there are some people (like me) who'd love for their OTP-App to not connect to the internet at all. While most of the domains are for using Firebase of course and while I totally trust you when you say that you don't collect personal information, there is hardly a way for me to monitor that (as I am not able to audit your code). I know that you need the collected information for several reasons. That's why I'd suggest an additional feature that is easy to implement and that would allow for your users to choose whether the app may or may not connect to the internet. Of course you'd lose a certain amount of information that you could otherwise collect. However, I'd assume that many people would still voluntarily grant you access to the statistical information while at the same time you'd make your app far more attractive for people, who want their OTP-App to not share any information with anybody. I'd argue that there are some people who would even do an in-app-purchase (or something like that) to get this feature and that you'd be able to convince even more people that you're serious when you say that you care about the privacy of your users.

I'm looking forward to reading your thoughts about my proposal. Thanks for your time!

Best regards
Ilsidur

Export function

Lacks a proper export function for importing into other apps.
Suppose 2FAS stops working in the future, how do you get 2FA codes in the next app?
Raivo OTP can create a QR code for each item you can scan.

Excessive amounts of logging

Recently I migrated from Raivo OTP to 2FAS because the original developer of that app sold it to some shady no-name company. What bothers me is that there is an excessive amount of logging, even when the anonymous crash reports setting is disabled. Why? If you claim to respect users' privacy and anonymity, why isn't there a setting to disable this?

2FAS extension not working on PayPal

Using 2FAS on iOS 15 and extension in Vivaldi browser on 110.0.5481.111 . Go to Paypal and request a token. A notification pops up on iPhone and approves the request. Only the first digit followed by the last digit in the token are inputted into the squares on Paypal

Feature request: add AppConfig for MDM

Mobile device management (MDM) systems use the AppConfig standard to preset and configure settings so apps can be mass deployed to devices: https://www.appconfig.org.

I think these options should be available:

  • option that passcode is required
  • toggle/hide Backup functionality
  • toggle/hide biometric option
  • preset lockout settings
  • toggle/hide browser extension

No Backup.2fas file import iPadOS

Hello,

After installing 2FAS 4.1.1 on iPadOS 16.3.1 no Backup.2fas file import from iOS 16.3.1 is possible. Instead of the file browser the following is shown:

image

By the next attempt:

image

After the second screen the app seems to be stuck, no way out … I did several restarts, reinstalls and so on with the same results each time. To me that looks like a bug in iPadOS – in iOS the same procedure is flawless.

Many thanks for your attention and best regards

Feature Request: service ordering

I noticed backup file has order property, but no such option in the app.
Please consider adding the ordering feature to allow most used token to be at the top of the screen.

I'm not really familiar with iOS development or Swift but it looks relatively easy to implement with tableView as seen in this SO answer.

Strip whitespace from service pairing verification token

When clicking "Copy token" in the iOS app during the initial service pairing process, the space between the first and last 3 digits remains, causing errors when pasted. This doesn't happen in normal use i.e. copying TOTPs from previously paired services.

I'm using v5.0.0

Feature Request: Alternate Cloud Sync

Currently there are 2 ways to sync between devices on the iOS app, via iCloud backup and via export/import.

Being an open source and free to use app, I would not and could not expect the app to take on the additional expenditure to set up and run a custom sync tool for all their users. That being said, there are other ways to achieve the ability to sync between devices not using the same iCloud account.

One could utilize an RSA encryption certificate that would be installed in the app on both devices to synchronize an encrypted file via OneDrive, OwnDrive, DropBox, and Google Drive. This Sync could be set up in both the iOS app and the Android app to even support cross platform synchronization of tokens.

fix/UI resets to top after revisiting

  1. Scroll a bit lower to your codes
  2. Exit the app or switch to another app
  3. Revisit the app -> the UI now loads with the top code

This is quite annoying if you're moving in/out of the app.

Feature Request: multiple oauth2 tokens for one domain

I have several Google accounts, each of them has an authenticator, but after I remember the choice for the google.com domain, I am offered only to send or refuse, there is no "Choose another" option. So I suggest adding the option of multi-tokens for one domain

Any ETA for Apple Watch support?

Apple Watch is fundamental to how I use my 2FA apps, I’d switch to yours immediately if it were added. Any ETA? Or whether it’s in the works at all?

Twitch TOTP doesn't work because 2FAS doesn't support 10 second refresh time

Twitch uses a 7 digit code and 10 second refresh time so it doesn't work with 2FAS. I'm coming from Raivo and it didn't detect it from the JSON (it said imported 45 of 45 tokens even though there were 46 tokens) and it's impossible to manually add it because there's no option for 10 second refresh times
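
Added example (not part of the issue reports above and not 2FAS or Raivo code): a minimal Python importer showing how the two import failures reported on this page, the seed with spaces and the token with a non-default digit count and time step, can be handled without dropping an entry silently. The entry field names (issuer, secret, digits, period) are hypothetical and do not reflect any real export schema; the sample seed is the RFC 6238 test key.

```python
import base64
import hmac
import struct


def normalize_secret(raw) -> bytes:
    """Decode a base32 seed, tolerating spaces, dashes, lowercase and missing padding."""
    cleaned = "".join(str(raw).split()).replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    # b32decode raises binascii.Error (a ValueError subclass) on bad input.
    return base64.b32decode(padded)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP with the time step and code length as parameters."""
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def import_entries(entries):
    """Return (imported, rejected); every input entry lands in exactly one list."""
    imported, rejected = [], []
    for index, entry in enumerate(entries):
        try:
            key = normalize_secret(entry.get("secret", ""))
            digits = int(entry.get("digits", 6))
            period = int(entry.get("period", 30))
            if not 6 <= digits <= 8:
                raise ValueError(f"unsupported digit count {digits}")
            if period <= 0:
                raise ValueError(f"invalid period {period}")
        except (TypeError, ValueError) as exc:
            # Report the failure to the caller instead of skipping the entry.
            rejected.append((index, entry.get("issuer", "?"), str(exc)))
            continue
        imported.append({"issuer": entry.get("issuer", "?"), "key": key,
                         "digits": digits, "period": period})
    return imported, rejected


# Constructed sample input; the field names are hypothetical.
SAMPLE = [
    {"issuer": "spaced", "secret": "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"},
    {"issuer": "short-step", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
     "digits": 7, "period": 10},
    {"issuer": "broken", "secret": "not base32 !!!"},
]

if __name__ == "__main__":
    ok, bad = import_entries(SAMPLE)
    for item in ok:
        print(item["issuer"], totp(item["key"], 59, item["period"], item["digits"]))
    for index, issuer, reason in bad:
        print(f"entry {index} ({issuer}) rejected: {reason}")
```

The count of imported plus rejected entries always equals the input count, so a summary such as "imported 45 of 46" can name the entry that failed and why.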

Face ID verified only after app restart

Hi,
I noticed strange behavior on iOS 17.0.2, or maybe it was always like this. When I have only PIN set without Face ID, everything works as expected. When app is put to background and I switch to different app, then back to 2fas, I'm prompted to enter PIN.
It doesn't work like that when I enable Face ID, 2fas seems to be always unlocked then. Only when I close application and restart it, then Face ID is verified.

Codes in widget are not updated

The codes that are displayed in the iOS widget are sometimes not updated. When this happens, the countdown timer also indicates that something is wrong. The display is truncated but I see 26:, which seems to indicate that over 30 seconds have elapsed.

I'm not sure how to reproduce this, but I've noticed it every day since I installed. Eventually it does fix itself, but I'm not sure what actions prompt this.

Document Storage Place

Hello,
I am using 2FAS Auth on my iPhone and my iPad. In the system settings I can select Nextcloud and a few others as document storage besides iCloud.
What does that mean exactly, will the data then not be stored in iCloud but on my local Nextcloud instance?
Regards

Allow better passwords

Currently we can only secure the 2fa codes with a 4 digit pin which is not secure at all. It would be very nice to be able to have an arbitrary length password.
