Raivo OTP breaks users' one-time passwords
Finding a solid and reliable Multi-Factor Authentication (MFA) that you can trust is not a task to be taken lightly. For iOS, my choice has been the open-source application Raivo OTP. However, after yesterday’s automatic update, I no longer have my OTPs.
Now you see OTPs, now you don’t
What happens when a developer sells his popular open-source project to a company looking to monetize the application? Spoiler, nothing good. Nothing good at all.
Raivo OTP after prompting users to subscribe to access previously free features. And presumably before making users’ existing tokens inaccessible.
Apparently, Tijme Gommers, security researcher and developer behind the popular MFA application Raivo OTP decided to sell his project to a company called Mobime last year. Eight months later, Mobime released their first update to Raivo OTP and madness ensued.
Not only did a chain of app updates initially crash Raivo OTP, but more seriously, previously registered one-time passwords were purged (or hopefully hidden?). As Raivo OTP eloquently informed me: “It looks empty around here” and it sure did.
You did back up your secret keys right?
Back in 2020, I posted an article on how to back up your 2FA secret keys with KeePassXC and thankfully I did eat my own dog food. However, after looking at Raivo OTP’s issue tracker on Github I did observe that some fellow users might not have taken the necessary precautions.
The issue tracker showed a lot of disgruntled users, and Mobime eventually pulled the plug on the entire tracker after receiving more backlash than they could handle. Users were providing feedback to Mobime until Mobime disabled the issue tracker.
The blame game
We need someone to blame, but who?
- The original developer?
It might seem like the developer sold out his users, but I doubt that was his intention. Few people can survive on developing free and open-source software. The expectation that open-source software must always be free is simply not sustainable. However, an in-app notification about the ownership change would have been a nice gesture. - Mobime, the new owner?
Mobime did break the application and is seemingly responsible for temporary or permanent data loss in the form of disappearing one-time passwords (OTPs). If Mobime’s only addition to the application is adding a subscription model to charge for previously free features, then I’m not feeling very optimistic about future development. - The user?
We should all make strides to back up and protect our sensitive data. And don’t forget about redundancy.
Apple’s App Store
Buying and monetizing (or worse) both closed and open-source applications has become a popular approach to earn some quick bucks. It would have been great if Apple could inform affected users when an app they’re using has been transferred to a new owner. Or maybe there’s an app for that already :)
Now, who can recommend an alternative MFA application for iOS?