
AndOTP: Open-source two-factor authentication for Android - xrisk
https://github.com/andOTP/andOTP
======
gravitas
A little bit ago in another HN article
([https://news.ycombinator.com/item?id=20232164](https://news.ycombinator.com/item?id=20232164))
where AndOTP popped up, a link was shared with a nice discourse between the
AndOTP author and a newer one, Aegis:

[https://old.reddit.com/r/androidapps/comments/b45zrj/dev_aeg...](https://old.reddit.com/r/androidapps/comments/b45zrj/dev_aegis_authenticator_secure_two_factor/ej4dfzw/)

AndOTP isn't seeing a lot of development, but Aegis is moving like gangbusters
and recently passed the 1.0 mark. Thanks to that HN trail of info, I've
switched from AndOTP to Aegis:

[https://github.com/beemdevelopment/Aegis](https://github.com/beemdevelopment/Aegis)

The Aegis devs have been doing a bang up job and the app is worth a look, it
can import your AndOTP (and other apps) data. This is not a slight against
AndOTP, just what I personally see as a natural progression based on that
reddit thread above.

~~~
gopkarthik
Thank you for this recommendation. Just tried Aegis on Android:

1. Its UX is more polished than andOTP; the AMOLED theme in particular is
well done.

2. It also supports fingerprint unlocking, the lack of which was the biggest
pain point when regularly using andOTP.

3. Supports imports from popular 2FA apps, though this requires root access.

A few issues I noticed:

1. While importing from andOTP, the issuer is blank when the 2FA token was
manually added to andOTP. So now I have a list of 2FA codes with no indication
as to which website they belong to.
[Screenshot](https://gopi.dev/images/aegis.jpg)

2. The 'Vault is unlocked' notification persists even on closing the app.

3. OpenPGP integration for backups isn't available.

~~~
gravitas
For issue #1 - try going into settings and enabling Account Name, I believe
it's off by default. I, like you, had to edit each entry after import; Aegis
has multiple metadata fields and I think the old data imports into the (not
visible) Account field if I recall my experience correctly.

~~~
abrowne
This (issuer saved in account name field) is what I got when I just imported
my andOTP data. If you long-press and edit an entry, you can see and change
both fields.

------
NilsIRL
Here are some alternatives:

* FreeOTP [https://github.com/freeotp/freeotp-android](https://github.com/freeotp/freeotp-android)

* FreeOTP+ [https://github.com/helloworld1/FreeOTPPlus](https://github.com/helloworld1/FreeOTPPlus)

* Password Store[3] (pass[4]) supports pass-otp[5]

3: [https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

4: [https://www.passwordstore.org/](https://www.passwordstore.org/)

5: [https://github.com/tadfisher/pass-otp](https://github.com/tadfisher/pass-otp)

~~~
graton
FreeOTP hasn't had a commit since Dec 14, 2017, according to the GitHub repo.
Also Android 10 gave a warning when I ran it. That it was developed for an
older version of Android.

~~~
boring_twenties
> FreeOTP hasn't had a commit since Dec 14, 2017

Why is this seen as a necessarily bad thing? Neither the requirements nor the
TOTP protocol has changed since then.

~~~
graton
Well it hasn't been updated for Android 10. Android 10 gives a warning the
first time you run it. Not a positive thing.

~~~
boring_twenties
Yes the comment I responded to said that, but after the word "also," implying
it wasn't the only or even main reason.

------
dastx
Is there a reason people don't use their password manager for OTP? In my case
I'm using 1Password, which supports OTP but I know most other password
managers support it too including clients for Keepass.

I guess there is the issue of your password manager being compromised but
honestly I'm way less worried about that than website x or y getting
compromised.

~~~
zokier
It isn't much of a second factor if it is the same factor as your password.

~~~
bscphil
You can make an argument for a second factor (other than hardware key) being
of fairly little value to anyone using an _offline_ password manager and
generating passwords with a huge amount of entropy.

I don't think this is entirely true, and so I often use TOTP with important
sites. But I'm okay with storing the TOTP key in my password manager (which
encrypts the password database with a long key phrase _and_ a key file). Even
on top of the very little chance that any of my long passwords are going to
get leaked or broken, I think the chance that this happens because my password
manager gets hacked along with the TOTP keys (as opposed to me getting phished
or a vulnerability in a website) is pretty remote.

------
edent
I use this extensively. Took a little while to swap all my codes from Authy -
but well worth it.

Simple app, encrypted backups, and open source. What's not to like?

------
ggm
Being able to move without having to hold Q/R codes is good. I have to
maintain PGP encoded (and keystore held) images of screengrabs of Q/R codes
because very few of the OTP out there want to acknowledge you _might_ want to
move a 2FA to another system.

These are not secrets which have to stay locked in one cupboard. They are
secrets which might stay locked in several cupboards: I have two phones. Is it
not sensible to share the Q/R initialized state amongst them?

------
naranja
I still prefer the much simpler FreeOTP+. Just start, tap and go. Can be
easily backed up and restored: either via Import/Export or plain Titanium
Backup.

------
coderobe
Been using AndOTP for months and I love that it supports Android's keystore
and device credentials for authentication. I had switched to it from Authy,
which was quite heavy.

Aegis' design looks a lot less dense than AndOTP on the screenshots, though it
seems to be widely recommended. I'll have to check what that's all about

~~~
gravitas
The density is configurable in Aegis, 3 "View Modes" - Normal (what you see
by default I think?), Compact and Small. You can then choose to show or hide
the Account name to further reduce size, and it supports Groups to organize.

------
rlvesco7
The best AndOTP feature for me is the fact that it integrates with
OpenKeyChain thus allowing the use of PGP keys for backups. I also wish there
were more apps that use OpenKeyChain. For example something that allowed
notetaking.

------
shmerl
Yep, it's pretty good. For regular Linux I can also recommend oathtool:
[https://www.nongnu.org/oath-toolkit/](https://www.nongnu.org/oath-toolkit/)

------
8K832d7tNmiQ
I used to use this app frequently until my workspace required me to switch to
iOS. I need to manually set all my OTPs to OTP Auth due to its backup
incompatibility. Does anyone know a way to do that?

~~~
StavrosK
You can export your keys to JSON from andOTP, I'm not sure if there's import
functionality in the iOS app, though.

------
nkootstra
Another alternative is:
[https://github.com/tijme/raivo](https://github.com/tijme/raivo)

Unfortunately it's only for iOS

------
snvzz
I have used this for years. I don't know a better solution.

------
pkstn
Also try [https://avain.app](https://avain.app)

