Hacker News
AndOTP: Open-source two-factor authentication for Android (github.com)
108 points by xrisk 29 days ago | 36 comments

A little bit ago in another HN article (https://news.ycombinator.com/item?id=20232164) where AndOTP popped up, a link was shared with a nice discourse between the AndOTP author and a newer one, Aegis:


AndOTP isn't seeing a lot of development, but Aegis is moving like gangbusters and recently passed the 1.0 mark. Thanks to that HN trail of info, I've switched from AndOTP to Aegis:


The Aegis devs have been doing a bang up job and the app is worth a look, it can import your AndOTP (and other apps) data. This is not a slight against AndOTP, just what I personally see as a natural progression based on that reddit thread above.

Thank you for this recommendation. Just tried Aegis on Android:

1. Its UX is more polished than andOTP; the AMOLED theme in particular is well done.

2. It also supports fingerprint unlocking, the lack of which was the biggest pain point when regularly using andOTP.

3. Supports imports from popular 2FA apps, though this requires root access.

A few issues I noticed:

1. While importing from andOTP, the issuer is blank when the 2FA token was manually added to andOTP. So now I have a list of 2FA codes with no indication as to which website they belong to. [Screenshot](https://gopi.dev/images/aegis.jpg)

2. The 'Vault is unlocked' notification persists even on closing the app.

3. OpenPGP integration for backups isn't available.

One of the Aegis developers here. Thanks for the feedback. Could you create an issue on GitHub for #2? I'm curious to know if you killed the app or just minimized it.

Ah my bad, looks like it only happens when I kill the app and not when I exit the app properly. I do not know if android apps are supposed to clean up persistent notifications when they are killed or even if they can.

For issue #1 - try going into settings and enabling Account Name, I believe it's off by default. I, like you, had to edit each entry after import; Aegis has multiple metadata fields and I think the old data imports into the (not visible) Account field if I recall my experience correctly.

This (issuer saved in account name field) is what I got when I just imported my andOTP data. If you long-press and edit an entry, you can see and change both fields.

Perfect, thanks for this.

I use fingerprint unlocking with andOTP just fine (for a while now too). Not sure why it wouldn't work for you.

I'm using 'Password/PIN' for database encryption and it isn't compatible with 'Device Credentials' in authentication method. Can you tell me how you've enabled fingerprint unlocking?

FreeOTP hasn't had a commit since Dec 14, 2017, according to the GitHub repo. Also Android 10 gave a warning when I ran it, that it was developed for an older version of Android.

> FreeOTP hasn't had a commit since Dec 14, 2017

Why is this seen as a necessarily bad thing? Neither the requirements nor the TOTP protocol has changed since then.

Well it hasn't been updated for Android 10. Android 10 gives a warning the first time you run it. Not a positive thing.

Yes the comment I responded to said that, but after the word "also," implying it wasn't the only or even main reason.

I switched from freeotp when they dropped the ability to backup the secrets database.

FreeOTP user here. Everything works as expected.

Is there a reason people don't use their password manager for OTP? In my case I'm using 1Password, which supports OTP but I know most other password managers support it too including clients for Keepass.

I guess there is the issue of your password manager being compromised but honestly I'm way less worried about that than website x or y getting compromised.

It isn't much of a second factor if it is the same factor as your password.

You can make an argument for a second factor (other than hardware key) being of fairly little value to anyone using an offline password manager and generating passwords with a huge amount of entropy.

I don't think this is entirely true, and so I often use TOTP with important sites. But I'm okay with storing the TOTP key in my password manager (which encrypts the password database with a long key phrase and a key file). Even on top of the very little chance that any of my long passwords are going to get leaked or broken, I think the chance that this happens because my password manager gets hacked along with the TOTP keys (as opposed to me getting phished or a vulnerability in a website) is pretty remote.

But the point it protects against is if a website a password belongs to is compromised. If your password manager is compromised, then yes, it is game over. But by that logic, if your password manager and your OTP manager are compromised (which often live on the same phone) you haven't mitigated much.

I used to do that for the convenience of the autofill but my paranoia got the best of me. If someone got access to my 1password he could access all my accounts, which defeats the purpose of two factor authentication. It turns out that with the shared copy/paste feature between Mac and iOS, using a phone app isn't such a hassle.

I totally agree. At the same time, my phone has ~15 2FA accounts right now.

If I lose my phone, I can't access any of them. If I change my phone, it will take me hours and hours to change every single one of those accounts.

there must be a middle ground between those two.

Export your 2FA from Aegis and import into new phone. That's the main reason I switched.

I use keepassXC on desktop, and Kypass on iOS. They both support OTP, but in different formats, which messes up my syncing of the database via Nextcloud, so I use Authy on iOS.

I use this extensively. Took a little while to swap all my codes from Authy - but well worth it.

Simple app, encrypted backups, and open source. What's not to like?

Being able to move without having to hold Q/R codes is good. I have to maintain PGP encoded (and keystore held) images of screengrabs of Q/R codes because very few of the OTP out there want to acknowledge you might want to move a 2FA to another system.

These are not secrets which have to stay locked in one cupboard. They are secrets which might stay locked in several cupboards: I have two phones. Is it not sensible to share the Q/R initialized state amongst them?

I still prefer the much simpler FreeOTP+. Just start, tap and go. Can be easily backed up and restored: either via Import/Export or plain Titanium Backup.

Been using AndOTP for months and I love that it supports Android's keystore and device credentials for authentication. I had switched to it from Authy, which was quite heavy.

Aegis' design looks a lot less dense than AndOTP on the screenshots, though it seems to be widely recommended. I'll have to check what that's all about.

The density is configurable in Aegis, 3 "View Modes" - Normal (what you see by default I think?), Compact and Small. You can then choose to show or hide the Account name to further reduce size, and it supports Groups to organize.

The best AndOTP feature for me is the fact that it integrates with OpenKeyChain thus allowing the use of PGP keys for backups. I also wish there were more apps that use OpenKeyChain. For example something that allowed notetaking.

Yep, it's pretty good. For regular Linux I can also recommend oathtool: https://www.nongnu.org/oath-toolkit/

I used to use this app frequently until my workspace required me to switch to iOS. I need to manually set all my OTPs to OTP Auth due to its backup incompatibility. Does anyone know a way to do that?

You can export your keys to JSON from andOTP, I'm not sure if there's import functionality in the iOS app, though.

Another alternative is: https://github.com/tijme/raivo

Unfortunately it's only for iOS

I have used this for years. I don't know a better solution.
