Is there anyone here in the Techlore forum, or Techlore staff, who can see a backdoor in this Authenticator?

https://authenticator.cc/

I don’t understand open source code. Thanks.

I have had a look at their GitHub and Firefox add-ons page as well as their addon privacy policy. Their GitHub has many stars and forks, and the addon has ~60,000 users. I would say it is trustworthy. Looking at their addon privacy policy on the Mozilla addon website, I can see that all the information is stored in the browser unless you choose to back up to a cloud source (backups are unencrypted). If you set the password, then any data you give to the addon will be encrypted. Disable sync in settings>preferences and it won't sync with Firefox Sync. Looking at the permissions, it only requests what it needs to:

  • Input data to the clipboard: copying the 2FA code into the clipboard to paste
  • Access your data for all websites: to scan a page for a QR code

See "Permission request messages for Firefox extensions | Firefox Help" for an explanation of what the permissions do.

You can disable both of these permissions in Firefox at least and the extension will still work. Because the content, the codes, and the 2FA secrets are encrypted with a password only you know, there should be no “backdoor” because there are no current backdoors to encryption standards. I would recommend not using an authenticator app in the browser as it could be exploited, just like it is recommended not to store passwords in the browser.

2 Likes
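The permission check described in the reply above can be repeated on any extension by reading its `manifest.json`. This is an added example, not part of the original post and not the Authenticator project's code: the manifest is constructed for illustration, and `auditManifest` and `mandatoryBroadAccess` are hypothetical helper names.

```javascript
// Constructed sample manifest (NOT the real Authenticator manifest).
const sampleManifest = {
  manifest_version: 2,
  name: "Example 2FA extension (constructed)",
  permissions: ["storage", "activeTab"],
  optional_permissions: ["clipboardWrite", "<all_urls>"],
};

// Firefox prompt wording for the two permissions named in the post.
const PROMPTS = {
  clipboardWrite: "Input data to the clipboard",
  "<all_urls>": "Access your data for all websites",
};

// Match patterns that cover every website.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host permissions are match patterns; everything else is an API permission.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// List every declared permission and whether it sits under an optional_* key.
function auditManifest(manifest) {
  const keys = [
    ["permissions", false],
    ["host_permissions", false], // Manifest V3 key
    ["optional_permissions", true],
    ["optional_host_permissions", true], // Manifest V3 key
  ];
  const findings = [];
  for (const [key, optional] of keys) {
    for (const perm of manifest[key] || []) {
      findings.push({
        permission: perm,
        optional,
        kind: isHostPattern(perm) ? "host" : "api",
        broadHost: BROAD_HOSTS.has(perm),
        prompt: PROMPTS[perm] || null,
      });
    }
  }
  return findings;
}

// All-site access declared outside the optional_* keys is the item to question.
function mandatoryBroadAccess(manifest) {
  return auditManifest(manifest)
    .filter((f) => !f.optional && f.broadHost)
    .map((f) => f.permission);
}

console.table(auditManifest(sampleManifest));
```

An empty result from `mandatoryBroadAccess` means any all-site access is declared as optional, which matches the reply's point that those permissions can be switched off.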