AndOTP isn't seeing a lot of development, but Aegis is moving like gangbusters and recently passed the 1.0 mark. Thanks to that HN trail of info, I've switched from AndOTP to Aegis:
The Aegis devs have been doing a bang-up job and the app is worth a look; it can import your AndOTP (and other apps') data. This is not a slight against AndOTP, just what I personally see as a natural progression based on that reddit thread above.
1. Its UX is more polished than andOTP's; the AMOLED theme in particular is well done.
2. It also supports fingerprint unlocking, the lack of which was the biggest pain point when regularly using andOTP.
3. Supports imports from popular 2FA apps, though this requires root access.
A few issues I noticed:
1. While importing from andOTP, the issuer is blank when the 2FA token was manually added to andOTP. So now I have a list of 2FA codes with no indication as to which website they belong to. [Screenshot](https://gopi.dev/images/aegis.jpg)
2. The 'Vault is unlocked' notification persists even on closing the app.
3. OpenPGP integration for backups isn't available.
* FreeOTP https://github.com/freeotp/freeotp-android
* FreeOTP+ https://github.com/helloworld1/FreeOTPPlus
* Password Store (pass) supports pass-otp
Why is this seen as a necessarily bad thing? Neither the requirements nor the TOTP protocol has changed since then.
I guess there is the issue of your password manager being compromised but honestly I'm way less worried about that than website x or y getting compromised.
I don't think this is entirely true, and so I often use TOTP with important sites. But I'm okay with storing the TOTP key in my password manager (which encrypts the password database with a long key phrase and a key file). Even on top of the very little chance that any of my long passwords are going to get leaked or broken, I think the chance that this happens because my password manager gets hacked along with the TOTP keys (as opposed to me getting phished or a vulnerability in a website) is pretty remote.
If I lose my phone, I can't access any of them. If I change my phone, it will take me hours and hours to change every single one of those accounts.
There must be a middle ground between those two.
Simple app, encrypted backups, and open source. What's not to like?
These are not secrets which have to stay locked in one cupboard. They are secrets which might stay locked in several cupboards: I have two phones. Is it not sensible to share the QR-initialized state amongst them?
Aegis' design looks a lot less dense than AndOTP on the screenshots, though it seems to be widely recommended. I'll have to check what that's all about.
Unfortunately it's only for iOS.