My Bitwarden password is long (at least 40 characters long, I didn't count precisely) and never used or reused.
It kind of defeats the purpose of 2FA, but I keep my pass repo relatively secure, and the convenience is worth it.
Yes, that means that there's a single place where both factors are stored but if Bitwarden has two-factor authentication (it does), the two factors are preserved.
* Open source
* Has search functionality
* Has biometric unlock functionality
* Has no external dependencies (SMS/remote accounts)
* Nice design/UX
* Dark mode
* Can import from other apps
* Just works
* Can do an encrypted export
* Encrypted export can be read by other apps, see https://github.com/beemdevelopment/Aegis/blob/master/scripts...
* Aegis has an extensive import functionality, andOTP does not seem to have it
* andOTP relocks every time you switch apps, which can be annoying if you need multiple codes when you log in to multiple services. In Aegis that behaviour is configurable
* andOTP makes you choose between biometric encryption and password, Aegis supports both at the same time
* andOTP supports tags, Aegis does not
Due to the import functionality, it's easy enough to give it a try, and see if you like it yourself.
I think the fact that Aegis allows you to import from a number of other authenticators, notably proprietary ones, is an important feature in getting people to move over to an open source equivalent, which is something I respect.
One minor correction to what you said though - andOTP doesn't relock every time you switch apps. I tried this just now to verify this.
I usually switch apps by clicking on the icon on the home screen, rather than the task switcher.
When I launch it from the home screen it always re-locks.
I tried also on another phone, and same thing.
I also love that it has an option for a super-compact view. The default one takes up way too much space.
It's perfect, just donated a few beers to the author as well. You can do so, too: https://www.buymeacoffee.com/beemdevelopment
Authy is fricken awful. It requires SMS for "security" entirely defeating the purpose of 2FA. Worse off, some SAASs _require_ Authy specifically.
Think about that. That means the security of an enterprise system at your company is completely dependent on whether or not an individual secures their personal cell phone account. Absolutely stupid, avoid Authy like the plague.
But the killer is the desktop app. I've had a number of instances where someone I was helping could not get the time of their phone and computer close enough to properly generate codes. Running the Authy app on the machine meant the time matched perfectly and they were finally able to log in.
It's not perfect but has some killer features.
Explain. There is a separate password to defeat traditional SMS attacks.
Then IIRC I heard that andOTP wasn't that secure/maintained. Or maybe that their backup file encryption wasn't that great. I am not sure about these claims, but I migrated to Aegis, that could nicely import AndOTP tokens.
Nowadays, I use it in combination with bitwarden (it supports OTP), which I use for my less important accounts. Bitwarden (self-hosted with bitwarden-rs) allows me to generate those without my phone. I still keep every token in Aegis as well.
AndOTP features I miss with Aegis:
- Icon library for common websites using OTP
- Maybe Steam OTP support? I never used it though, since it would more or less lock me out of trading, without the app, so I use e-mail.
IIRC Steam codes are almost standard except they use a different encoding because... Valve likes to roll their own stuff (?). I agree that trading makes only having codes a bit less useful. They could've used the same codes to confirm trades instead of an entirely separate interface.
Yeah, Steam rolling their own stuff is a bit troublesome at times, but I think they were among the first to use TOTP tokens, IIRC? There was a story here the other day on how they roll their own password encryption over HTTPS for logging in... It's a shame they don't use standard authentication mechanisms, though.
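Added example (my own code, not from the thread or from Aegis): the standard RFC 6238 code and the Steam Guard variant side by side, which is the "different encoding" discussed above, plus a verifier-side skew window of the kind that decides whether a phone with a slightly wrong clock still logs in. The Steam alphabet is taken from public Steam Guard reimplementations, an assumption rather than something stated in the thread.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Steam's 26-symbol alphabet, taken from public Steam Guard reimplementations
# (an assumption here, not from the thread); it drops look-alikes such as 0/O.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

def dynamic_truncation(secret: bytes, counter: int) -> int:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation
    to a 31-bit integer. Standard TOTP and Steam both start from this value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF

def totp_code(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: the 31-bit value modulo 10^digits, zero-padded."""
    value = dynamic_truncation(secret, unix_time // step)
    return str(value % (10 ** digits)).zfill(digits)

def steam_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Steam Guard variant: same HMAC and truncation, but the value is written
    in base 26 over STEAM_ALPHABET, least significant symbol first, always five
    characters. This is the 'different encoding' mentioned in the thread."""
    value = dynamic_truncation(secret, unix_time // step)
    symbols = []
    for _ in range(5):
        symbols.append(STEAM_ALPHABET[value % 26])
        value //= 26
    return "".join(symbols)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> Optional[int]:
    """Verifier-side check tolerating small clock skew between phone and server:
    try steps -window..+window and return the matching offset (0 = exact,
    -1 = the phone's clock is one step behind, ...), or None if none match."""
    counter = unix_time // step
    for offset in range(-window, window + 1):
        if counter + offset < 0:
            continue  # no counter before the Unix epoch
        expected = totp_code(secret, (counter + offset) * step, digits, step)
        if hmac.compare_digest(expected, code):
            return offset
    return None

if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). Steam hands
    # out its shared secret base64-encoded; otpauth URIs and Aegis use base32.
    secret = b"12345678901234567890"
    print(totp_code(secret, 59), totp_code(secret, 59, digits=8), steam_code(secret, 59))
```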
And I should clarify: my yubikey is my main 2FA token, though support for U2F/Webauthn is a bit limited.
> Icon library for common websites using OTP
Someone from the community is maintaining an icon pack for Aegis: https://github.com/aegis-icons/aegis-icons. We're currently working on making icon packs easier to use in Aegis, see: https://github.com/beemdevelopment/Aegis/issues/509.
> Maybe Steam OTP support
Steam is supported, actually! But like you said, you'd still need the Steam app if you're doing trading.
Thank you and your sibling comment. I'm glad this is being worked on! Discovery is also important IMO, so a one-tap install of the most widely used icon pack would be nice to have too :)
Thanks. I use andOTP too and was hoping this point was answered somewhere here :-).
You can also display QR codes to easily export a select few to another authenticator app.
Not sure about Aegis -> AndOTP? Aegis can export txt and json, as well as its own encrypted format.
I have a conflict on export of keys for backup. But then you kind of need it in the event you lose the phone (so you don't have to rely on SMS or email to recover account access).
Personally I think the best security I have seen is in Keybase or Matrix with the trusted devices concept. I like how keybase allows for one of the devices to be a paper device.
The opposition to export features by FreeOTP maintainers is idiotic, because there is no contract that TOTP seed never moves or lives only on one device. The only expectation is that it is not shared with 3rd parties and is carefully kept secret. At the same time, migrating to a new phone and having to change 30 different 2FA codes individually is untenable.
The problem with querying websites for their icon is that it leaks data about you (your phone and desktop) to a third-party without a proxy, requires a domain to match against, and like with Authy, the icons go out of date and become inconsistent. Worst of all, you have to give network access to the entire app for a trivial feature, making it less secure and trustworthy. Offline icon packs that have a consistent look are a good solution to all of this.
Personally, comparing screenshots, I think Aegis' interface and choice of colours is more sleek, especially in dark and OLED modes, so it got my pick.
I'm currently locked out of my AWS account because I made the mistake of adding MFA to my root account at the wrong time.
The crazy thing is that AWS have my phone number but due to formatting or similar they can't send me an SMS! It's possible that they're trying a US number but mine is Australian.
There is a workaround using the Authy Desktop app but I have no idea if it works.
As I see, it backs up to the internal storage, so I have to use another app to sync the backup to a cloud of my choice
You can select Google Drive/Dropbox when backing up the vault.
Unfortunately, Google Drive and Dropbox only partially participate in Android's Storage Access Framework. In Aegis, exporting only requires the creation of a file, so that works with both. Configuring backups on the other hand requires selecting a folder, but most cloud providers don't support that. A notable exception is Nextcloud.
If that is of interest, I could help implement that.
edit: this is not released yet, I think
But change the code with:
I'm all backed up and installing the latest Lineage OS build now.
I cannot find one and so I'm stuck on using authy. I have exported all my TOTP tokens in hopes that one might turn up.
Aegis, like andOTP and others, does not appear to have a desktop client.
Open source 2FA App for Android.
Additionally, being non-Google would be considered a large benefit by many non-technical users I know.
Plus this is offline. Hence more secure.
Aegis is open source, free and has backup and restore functionality. It also has a great UI and custom icon support.
Under active development - http://github.com/beemdevelopment/aegis