Heard the first time about them (ente) yesterday in a discussion about "which 2FA are u using?". Directly switched to https://ente.com/auth/ on Android and Linux Desktop and very happy with it.
You presumably had a working 2FA app already, but off the cuff decided to switch to new unvetted variant X, a basically unknown auth system, after reading a few paragraphs of text in an afternoon?
Ente is extremely well known in the privacy circles, so this is not just some random company with a random app out of nowhere.
Check PrivacyGuides for example.
Here’s where it was added to PrivacyGuides - https://github.com/privacyguides/privacyguides.org/issues/36.... The person opening the issue is the CEO of ente. So the CEO of ente gets his company mentioned in PrivacyGuides back when it was new and that makes it more legit?
PrivacyGuides goes through their own process of vetting (whether you would agree with their process or not is another topic), so I think the discussion to add Ente Photos is the more relevant link.
https://discuss.privacyguides.net/t/ente-photo-management/11...
> PrivacyGuides goes through their own process of vetting ... so I think the discussion
The discussion is not all that relevant as PrivacyGuides does not rely solely on community input. The core team pretty much generates content and lists recommendations based on (what they claim is) their own research (which isn't saying much).
The forum and community really give us a lot of external insights, with the voting system letting us poll how popular something is.
While we put a very heavy importance on the community consensus, it is mostly up to the team to decide what comes and goes, where more heavy decisions require more votes...
A reason why it has never really been written out is that policies can be gamed, and the team really wants to be able to veto decisions...
As far as "evaluating"/reviewing tools the methods to do so are not documented...
While I would have the same reaction, in this case I think it is a sane decision. Ente is cornering the privacy market and I think they're doing a great job. They have a lot to lose (trust) and it would be stupid if they did something shady with the data entered in the 2FA app.
Not knowing them, how could OP trust them instantly? Whether they really have that trust or not, you have to know them for a while and from many different trustable sources. The story is a bit strange.
> new unvetted variant X; basically unknown auth system
Valid concerns. In the case of Ente Auth though, it is used by folks working at CERN [0], who also sponsored a recent security audit: https://ente.com/blog/cern-audit/
They just store tokens; without the other factor, at "worst" you get locked out of your account, but nobody else has access either. You're also supposed to, as good practice, not be limited to token generation and typically have a dozen or so recovery tokens. Also, if they were somehow not working at doing the one task they should do, namely generating tokens, then you won't be able to use them, so it won't even be added.
So... I might be missing something, can you please explain what worries you and why I should thus worry too?
Not saying they’re a paid promoter. But if I paid someone to speak about my newly launched product, they’d say something exactly like that. “Never heard of these guys before, but I loved their other product you’ve never heard of. I’m super excited to try this one!”
I'm very happy syncing between KeepassXC on Debian and Keepass2Android on mobile. It handles TOTP across devices.
What I'm missing is a way to create and use Passkeys across devices. My use case does not support creating a new Passkey on every device, I need to sync them via servers I control. The system that supports that will be the system that I migrate to.
Oh, wow, thanks for posting that. I switched to Ente for my photos recently, had no idea they also have a 2FA app. I was looking for a replacement for Aegis (after a switch to iOS), and this can even import from Aegis backup files. Neat. This means I can finally ditch my old phone I still had to have around just for 2FA :)
I was just thinking their end goal seems to be to harvest creds by putting their own rebadged distribution of local models. That’s the only “business” model that makes sense.
Expressly harvesting creds through a 2FA app seems a little more direct.
Ente offers E2EE photo hosting; the storage they sell through subscriptions to that is their business model. Their main selling point is that all machine learning to cluster faces is done on your devices. I would assume that they want more users to train their models on to improve their core offering.
Does this seem sound?