Does anyone know if the Chrome Authenticator plugin is legit?

I don’t know much about open source; I like the idea of this plugin without needing a phone. Thanks for any insight.

I’m also interested in this extension, since there aren’t many choices of an open-source 2FA client for PC. On the AlternativeTo website I found a program called “2fast” which is:

the first free, open source, two factor authenticator for Windows and Android with the ability to store the sensitive data encrypted at a place of your choice instead of a 3rd party cloud location

I don’t know if it is good or not, maybe tomorrow I will test it and see if it’s legit :thinking:

Do you know if this authenticator plugin is legit? I have no idea how to check source code to see if it’s legit or not, and am hoping someone who does know can tell me. I tested it on a dummy account and it works great, I just don’t know if it has some backdoor or whatever. Can anyone respond to this?

Sorry, I didn’t respond to your question :sweat_smile:

Here’s the Google Drive Privacy link: Google Drive Integration Privacy | Authenticator
The interesting part is this one:

Authenticator stores data by using storage services built into your browser; we don’t ever see or have direct control over your data. We do not claim any responsibility over your data as we have no direct control over it.

When you sign into your Google Account from Authenticator, Authenticator will start to automatically upload your account secrets to Google Drive for the purpose of backing up your data. Authenticator does not store any information from your Google Account other than the credentials needed to upload files to your Drive and the identifier of the folder Authenticator uploads backups to.

And on the Google Chrome Web Store Authenticator - Chrome Web Store
Says this:

Authenticator collects the following:

Authentication information
For example: passwords, credentials, security question, or personal identification number (PIN)

And with open-source projects, the idea tends to be that they are more private, because people can look at the code and see if there’s something off. In my case I don’t know much about reading code (for now), but I tend to trust open-source projects more because of what I said earlier. However, being open-source doesn’t make it 100% privacy friendly, and the extension seems to use Google Drive if you link it to your Google account, so maybe use it locally if you can and it will be fine (sorry for the long reply :melting_face:)

Thank you this is helpful.

I would do a lot of research on this because this is the first time I’ve personally heard of a browser extension authenticator. When it comes to anything security and privacy related, you want to see what most people are saying. If this isn’t a solution that’s broadly known, that would be a red flag for me. That’s not to say that it isn’t safe, though, just that I would want to see more knowledgeable people verify that this is a safe tool to use before trusting it.

When it comes to something like an authenticator, that requirement for security goes extra high.

That said, part of why you may want to keep your authenticator on your phone or a separate device is because if your computer is compromised, someone who wants to log into accounts that you may be logged out of would also need your phone in order to get in. By running an authenticator in your browser, you’ve lowered that barrier in the case of someone grabbing your computer. How serious this is for you depends on your threat model, but just outlining a potential concern.

Exactly why I’m here. I don’t know what I don’t know, open source code is Greek to me, I was hoping someone here knows the code and can tell a lay person if it’s legit.

On that note, it seems to have 1.6k stars and nearly 500 forks, so doesn’t look too bad on the surface. The only concerning thing is that the last release was in late 2021.

chrome is google.
nothing google is legit. ever.

Presumably that extension will work on all Chromium browsers like most Chrome Web Store extensions. OP could just use Brave if they weren’t already.

But also whether or not folks are relying on Google depends on their threat model. While not the most private, Google products are generally very secure.

Lastly, I don’t think this extension is provided by Google themselves, just featured.

I should have rephrased my question. Is there anyone in this Techlore forum who can see a backdoor in the Authenticator code, because it’s Greek to me? I’m trying to do my due diligence.