Aegis v3.0 – a free, secure and open source 2FA app for Android

358 points, by microflash, about 1 year ago

34 comments

freedomben, about 1 year ago
I adore Aegis, and view it as one of the most important apps on my phone.

If you use Aegis on Android and use a Gnome-based Linux distro, I highly recommend complementing with Gnome Authenticator[1][2][3][4].

    flatpak install flathub com.belmoussaoui.Authenticator

Gnome Authenticator is still a little early and buggy (mainly performance issues when you have lots of tokens), but it can import and export Aegis format (and a few others). It's been downright luxurious having my seeds on my phone and my laptop and desktop.

[1] https://gitlab.gnome.org/World/Authenticator

[2] https://flathub.org/apps/com.belmoussaoui.Authenticator

[3] I think (I hope) that Gnome Authenticator will be distributed as part of Gnome at some point in the future, but it isn't yet

[4] It's also super easy to build and run from source using Gnome Builder[5]. Just open Builder and clone the source from gitlab, and click the "Build" button and it will do its thing

[5] https://wiki.gnome.org/Newcomers/BuildProject

cosmojg, about 1 year ago
Bitwarden and KeePassXC also provide free, secure, and open-source 2FA in addition to password management. I keep my TOTP secret keys separate from my passwords simply by storing them in separate vaults. I don't know why anyone would use anything else (although I'd love for someone to comment and tell me).

billforsternz, about 1 year ago
I'm a veteran developer, but really more of a "normal" than the type of developer who is commenting on this story. I admit I find this stuff really, really, really confusing. I hate dealing with any of this stuff, I don't do it voluntarily for the same reasons I don't (for example) use pretty good privacy for email (I just use web gmail like a regular person).

Anyway, I do (involuntarily) use 2FA for two services, and managed to set myself up with Google Authenticator on my Android phone. Both services that onboarded me for this explained it really poorly, but at least got me hooked up and I now routinely (and reluctantly) login to those services this way. Reading this I suddenly realised, whoaaa, if I lose my phone do I lose access to those (important) services? Well no, I hope not at least, when I look at the Authenticator app it has the green "your codes are being saved to your google account" cloud icon. That's kind of reassuring. I suppose.

I'm not really sure what my point is, other than online security is an ever more important issue, it's a swamp and even many technical people who might know everything there is to know about some arcane corner of the technology universe don't necessarily properly understand it. Although I suspect most would not be prepared to admit it like I just did. Actual normal people (like my wife for example) have absolutely no chance of getting on top of the details and navigating their way to a best practice solution. I hope Google (or Apple) don't either give up on this or go full evil, that would be really bad.

I think I will check out whether my two services can give me recovery codes. I am confident I can manage vital username/password combinations and recovery codes, that's the level of sophistication (or not) I'm comfortable with in this space.

jrm4, about 1 year ago
Since we're here: Anyone else dealing with the stupid thing where your organization won't let you have your generating token thing and instead force you into e.g. Duo?

I have only one, and it's frustrating. I know it's probably breakable with rooted Android or something but haven't had much time to look into it (or fight it)

wofo, about 1 year ago
Aegis should really be more well-known IMO. I installed it on an old phone that didn't have enough storage for Google Authenticator and was really pleased with the app. The fact that it's a community project is also a nice bonus.

ParetoOptimal, about 1 year ago
Aegis is good and I enjoy using it.

I hope others don't follow Microsoft Authenticator's footsteps in creating their own Authenticator, saying others are insecure, and not allowing Authenticators like Aegis.

rkagerer, about 1 year ago
What's the backup story like?

Can you do an encrypted backup on demand (protected with a password you supply)? Is there any desktop app such backup can be opened/read with (or even eg. read with something like sqlite db browser)? Can the app be configured to save an encrypted copy to eg. Dropbox whenever changes are made?

Is it recommended to install from Play store, or the APK off GitHub?

SushiHippie, about 1 year ago
I really like it that more and more apps start using Material 3/You.

Apple's UI design was never my cup of tea, but I love the consistency of UI design in most iOS apps, compared to the wild UI inconsistencies on Android.

occam65, about 1 year ago
I've been using Aegis for a number of years, and have found nothing I don't like about it. It's a perfectly functional app, and I'm looking forward to trying out the new update!

Narushia, about 1 year ago
I'm currently a happy user of 2FAS[1], any idea how Aegis compares to it? A quick search suggests that Aegis doesn't support multiple devices and is not available on desktop.

[1]: https://2fas.com/

sunng, about 1 year ago
I have been using andOTP for years but the development seems to halt, also it's no longer available from f-droid. The feature that backup with gpg encryption is broken.

I hope it's possible to import my otps from andotp into aegis. Also the backup encryption with gpg (openkeychain) is welcomed.

Timber-6539, about 1 year ago
Long ago, I used Google Authenticator to store 2FA tokens without giving it much thought.

When I lost the app data to a phone reset, I also lost my 2FA tokens. Got lucky I didn't have many tokens saved at the time and was able to restore all the important accounts despite losing the tokens. Even though it was my fault for not reading the T&C of the Google Authenticator app, I cursed Google for creating an inferior product on an OS they controlled. What was the use of requiring login with a Google account on the Android device if you are not going to persist this kind of data?

Then I moved to Authy which syncs and stores your tokens online to their cloud, allaying all the fears I had from previous experience. Incidentally another phone reset happened.

Now Authy allows you to access your tokens "locally" to any device that can install their app or browser extension. Using more than one "device" locally gives you data redundancy.

I cannot just trust a browser extension with my 2FA tokens (yikes), so at the time I only had my Android device with the tokens locally. When this "trusted device" (read app data) was lost I had to request support for a reset to gain back my data from Authy. That process takes 48 hours after initiating the reset.

(The app data counts as a device, not the other way around; this is the crux of my problem with 2FA application design.)

As soon as I got my tokens back I moved to Aegis and never looked back. I can export backups, save them encrypted on any location and import them anytime without fear of losing app data aka device.

e12e, about 1 year ago
Those interested in this, might also be interested in Ente auth:

https://github.com/ente-io/ente/tree/main/auth

nicoco, about 1 year ago
Great app that does the job! The kind I don't mind installing on my phone.

I use it for nextcloud, github and my microsoft account (it was really buried in the settings but it is possible to avoid using MS auth something app).

korm, about 1 year ago
Here's a utility to convert exported Aegis JSON to a Keepass 2 or KeepassXC database if anyone's interested https://github.com/GeKorm/atk (binaries in the releases page)

tremarley, about 1 year ago
Are there any good 2FA applications for Desktop?

Using the phone to authenticate every login seems very inefficient.

Some of us do not like using the phone.

nogajun, about 1 year ago
FreeOTP, supported by Redhat, is another open source 2FA application. I use it.

FreeOTP: https://freeotp.github.io/

TrailMixRaisin, about 1 year ago
I use this app and am very happy. For me the selling point was the possibility to backup my profile and therefore all the configured keys.

noman-land, about 1 year ago
Aegis is really great. So nice not to use proprietary authenticators. And it can do import and export.

Does anyone know the history of this project? It seems legit but an authenticator is a pretty sensitive application so making sure this app is trustworthy is a little more important than for other apps.

nzeid, about 1 year ago
I happened upon this app recently when I was frantically searching for a Google replacement. Couldn't believe something this polished was lurking. I used another open source app several years ago but it got discontinued (FreeTOTP or something).

lern_too_spel, about 1 year ago
Just use Bitwarden. The UI is clunkier, but the UX is better. After it fills in the username and password, it puts the OTP in the clipboard, so you can just paste and go without opening an app and manually copying it into the login form.

jpeeler, about 1 year ago
Etrade (probably some other companies?) uses Symantec VIP, which is a proprietary TOTP client. I was really glad to have found a project that allows me to stop using it and instead utilize other standard TOTP clients.

https://github.com/dlenski/python-vipaccess
https://gist.github.com/jarbro/ca7c9d3eebba1396d53b4a7228575948

kristjank, about 1 year ago
I used it until I switched to KeePassXC for all of my secret management means, but it's still a great app to fall back to, and allows for simple information exchange when moving to another app.

borplk, about 1 year ago
Does it support folders for separating entries? I like to separate work from personal entries.

stranded_hippo, about 1 year ago
On F-Droid there is still version 2.2.2 (last updated 6 months ago). If I try to install the app from Github releases I get a version conflict with my current version from F-Droid. Any tips?

OJFord, about 1 year ago
Apparently I missed the memo, still using Authy while everyone's moved to Aegis?

Any particular reason/benefit(/con or breach of Authy), other than being FOSS (which I do see as a benefit)?

Zuiii, about 1 year ago
Truly open-source, available on f-droid, works on everything including low-end android hardware with everything except microsoft (because microsoft). What's not to like.

jonotime, about 1 year ago
This looks very nice. Had I not just moved all my 2FA to keepass, I would give it a go. My setup: mac desktop, linux desktops, android with syncthing to tie it all together.

KTibow, about 1 year ago
While we're talking about places to use 2FA, if you have a watch it might be a good idea to put your 2FA codes there for redundancy.

abhinavk, about 1 year ago
What do you guys prefer to use on iOS?

panick21_, about 1 year ago
I use one that has to be activated with the Yubikey over NFC. Pretty slick.

ShoneRL, about 1 year ago
Can we just get a 2FA app that's cross-platform and synchronized? I understand the security implications of that but I don't care, I would rather have my social media hacked and have it convenient than just have to go grab my phone whenever I want to login into something.

Authy is discontinuing their desktop app...

sebastiennight, about 1 year ago
Last year Google Authenticator started syncing secrets to the cloud[0] which means that those secrets can now be accessed in new ways outside of the user's control[1], which resulted in a huge breach at a startup called Retool[2].

From then on I started moving my company's team and contractors (as well as family and friends) off of Google Auth and onto Aegis. The app is clean, easy to use, open source, has all the options we could dream of. (and its privacy policy isn't tens-of-pages-long like some other apps, where privacy seemed to be part of the marketing strategy but not the product itself)

I've been a very happy user.

[0]: https://news.ycombinator.com/item?id=35690398

[1]: https://news.ycombinator.com/item?id=35708869

[2]: https://news.ycombinator.com/item?id=37500895

yoavm, about 1 year ago
I love Aegis but I can't help but think that it's sad we ended up in this place with regards to 2FA. When all these temporary codes started they were sent over SMS, which was insecure but at least all I needed to do was to pick up my phone. Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

It would have been so much more comfortable if we flipped this around a little - the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.

It feels like when the 2FA thing started no one considered that sooner or later all services will require it, and the UX will be terrible.
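
The login flow proposed in the last comment above (the site shows a QR code, the phone answers with a request signed by its key), as an added example that is not part of the original thread and not any commenter's or project's code. The user name, origin, 60-second lifetime and message layout are assumptions, and Ed25519 from Node's built-in crypto module is chosen here as the signing key type.

```javascript
// Added example (not from the thread): QR challenge and signed response, both sides.
const nodeCrypto = require('node:crypto');

// Enrollment, constructed for the demo: the phone keeps the private key,
// the site stores only the public key (hypothetical in-memory stores).
const phone = nodeCrypto.generateKeyPairSync('ed25519');
const enrolled = new Map([['alice', phone.publicKey]]);
const pending = new Map(); // nonce -> { user, origin, expires }

// Site: the data it would encode in the QR code for one login attempt.
function issueChallenge(user, origin, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(nonce, { user, origin, expires: now + 60_000 });
  return { nonce, origin };
}

// Phone: sign origin and nonce together so the response is bound to one site.
function signChallenge(challenge, privateKey) {
  const msg = Buffer.from(`${challenge.origin}\n${challenge.nonce}`);
  return nodeCrypto.sign(null, msg, privateKey).toString('base64');
}

// Site: burn the nonce first (single use), then check expiry and signature
// against the message rebuilt from its own stored origin.
function verifyResponse(nonce, signatureB64, now = Date.now()) {
  const entry = pending.get(nonce);
  if (!entry) return 'unknown-or-replayed';
  pending.delete(nonce);
  if (now > entry.expires) return 'expired';
  const msg = Buffer.from(`${entry.origin}\n${nonce}`);
  const sig = Buffer.from(signatureB64, 'base64');
  const ok = nodeCrypto.verify(null, msg, enrolled.get(entry.user), sig);
  return ok ? 'ok' : 'bad-signature';
}

// Four constructed cases: valid login, replay, unenrolled key, late response.
function demo() {
  const site = 'https://site.example';
  const c1 = issueChallenge('alice', site);
  const sig1 = signChallenge(c1, phone.privateKey);
  const first = verifyResponse(c1.nonce, sig1);
  const replay = verifyResponse(c1.nonce, sig1);
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const c2 = issueChallenge('alice', site);
  const wrongKey = verifyResponse(c2.nonce, signChallenge(c2, other.privateKey));
  const c3 = issueChallenge('alice', site, 0);
  const late = verifyResponse(c3.nonce, signChallenge(c3, phone.privateKey), 120_000);
  return { first, replay, wrongKey, late };
}

console.log(demo());
```

Unlike a TOTP seed, the site in this sketch holds only the public key, so a leak of its user store does not by itself let anyone produce valid responses.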