Support for Aegis Authenticator - 2FA

Cheers, appreciated, and I do understand your frustration, besides the last point, which I would consider a security issue if you could export tokens. That shouldn’t be a feature at all.

This is a hardcore, Linux-techy solution, and I would not know where to start. :smile:

This is why I will use 2FAS: you can export your token blob, encrypted or not encrypted, and store it where you like.

  • The encrypted blob is stored on your g-drive under a special application partition or on iCloud somewhere.
  • It allows you to have it on multiple devices and does get wiped out easily.
  • You can also import from a backup or other authenticators.
  • There are browser extensions.
  • Free.

Anyway, that is the end of the sales pitch (P.S. I am not affiliated with them :pound:).

I don’t think so. If you have access to the app because you have logged into it, then there are no more security barriers, as you have access to the whole data. I am sure you would need to re-verify to export the tokens, and as I said, this export could be encrypted or plain text.

Exporting the tokens is a data freedom thing and does not tie you into this one platform if you decide you don’t like it anymore.

Breaking into my Apple Passwords app is like breaking into my whole computer — most web apps would already be authenticated and available to the attacker.

Yet, I still believe some services, like banking, shouldn’t have passwords stored anywhere. Every service and device, including your phone and computer, should be considered insecure by default, even if you’re using de-Googled phones or running Linux Desktop. If you have sensitive data or critical logins, don’t store them in any password manager.

But, I’m not buying another phone just to handle 2FA separately. Logging into services like Amazon, Cloudflare, GitHub, etc., should be quick and easy. It’s not like we’re dealing with nuclear codes — it’s everyday tasks that should be simple yet reasonably secure. The Apple Passwords app delivers just that.

I don’t want to look back and realize I spent a whole month or two of my lifetime just filling in TOTP codes for Amazon, Cloudflare and GitHub — frightening!

Besides, Apple’s Passwords manager has much more at risk reputation-wise if compromised than any other apps out there.

Plus, with Advanced Data Protection all data is E2EE, meaning I’m the weakest link — and I have full control over that, and it is my responsibility. If the data isn’t stored with E2EE, like in Google Authenticator or 2FAS, it’s worthless to me!


2FAS does use E2EE, if this helps.

They say:

The communication between your phone and your clouds or Browser is e2e encrypted by default.

Communication doesn’t necessarily mean that the data stays encrypted at rest. While a simple self-signed certificate encrypts communication data, the phrasing seems intentionally ambiguous, making it rather a poor marketing strategy at least.

History proves that governments and those in power can go off the rails — time and time again, in fact. Nowadays, when data for billions of people is involved, even the slightest chance of exploitation shouldn’t exist. It has to be impossible by design. If end-to-end encryption for both communication and data at rest isn’t in place, we’re essentially opening the door to chaos. It’s not just bad for security — it’s a real threat to democracy. Potential, but still!

Now, there’s also the question of how Apple manages this and whether there are pitfalls, such as storing clear text metadata alongside encrypted data — that would be a separate issue. But, the bottom line is, if a cloud provider in 2024 isn’t encrypting critical user data, both during communication and at rest, like logins, passwords, notes, and photos, it shouldn’t be trusted or even used at all.

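The distinction drawn above between encrypting the communication channel and encrypting the data at rest, and the earlier point about exporting the token blob either encrypted or in plain text, both come down to what is actually written into the backup file. The Go program below is an added example written for this thread; it is not code from 2FAS, Aegis, Apple or anyone posting here. It exports a constructed set of TOTP entries both ways and checks whether the seeds survive verbatim in the output. The entry fields, the blob layout (salt, nonce, then ciphertext and tag), the PBKDF2 parameters and the sample seeds and passphrase are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Entry is one TOTP credential. Field names are this example's assumption, not any app's export format.
type Entry struct {
	Account string `json:"account"`
	Secret  string `json:"secret"` // base32 TOTP seed
}

// SampleEntries are constructed values for the demonstration, not real seeds.
var SampleEntries = []Entry{{"alice@example.com", "JBSWY3DPEHPK3PXP"}, {"alice@git.example.org", "GEZDGNBVGY3TQOJQ"}}

const (
	saltLen  = 16
	nonceLen = 12      // standard AES-GCM nonce size
	iters    = 100_000 // PBKDF2 rounds; fine for a demo, tune upward in practice
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase (RFC 8018); spelled out so the example stays on the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)           // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Uj = PRF(P, Uj-1); T = U1 ^ U2 ^ ... ^ Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM builds AES-256-GCM under a passphrase-derived key; with a fixed 32-byte key neither constructor can fail.
func newGCM(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iters, 32))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ExportPlain writes the entries as they are: whoever can read the file can read the seeds.
func ExportPlain(entries []Entry) ([]byte, error) { return json.Marshal(entries) }

// ExportEncrypted seals the serialised entries so the file is protected at rest, not only in transit.
// Blob layout (this example's own): salt || nonce || ciphertext+tag, with the salt bound as AAD.
func ExportEncrypted(entries []Entry, passphrase string) ([]byte, error) {
	plain, _ := json.Marshal(entries)     // plain string fields: cannot fail
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce for every export
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	return newGCM(passphrase, salt).Seal(hdr, nonce, plain, salt), nil
}

// ImportEncrypted reverses ExportEncrypted; a wrong passphrase or any tampering fails the tag check.
func ImportEncrypted(blob []byte, passphrase string) ([]Entry, error) {
	if len(blob) < saltLen+nonceLen+16 { // header plus at least the 16-byte GCM tag
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	plain, err := newGCM(passphrase, salt).Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, err
	}
	var entries []Entry
	return entries, json.Unmarshal(plain, &entries)
}

// LeaksSecrets reports whether any seed appears verbatim in a blob: the check to run on a backup before it goes to a cloud drive.
func LeaksSecrets(blob []byte, entries []Entry) bool {
	for _, e := range entries {
		if bytes.Contains(blob, []byte(e.Secret)) {
			return true
		}
	}
	return false
}
```

Run against the sample entries, `LeaksSecrets` is true for the plaintext export and false for the encrypted one, and decrypting with the wrong passphrase or a flipped ciphertext byte fails the GCM tag check instead of returning garbage. PBKDF2 is written out only because the Go standard library has no password KDF; a real export would use scrypt or Argon2 with tuned parameters and a versioned header so the format can change later.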


Y’all are so far off-topic, we can’t even see the original topic from here.