Aegis Authenticator – Open-source 2FA for Android (getaegis.app)
149 points by ignitionmonkey 3 months ago | hide | past | favorite | 113 comments

I don't know about you but does anyone else screenshot (and even print physical copies of, to keep safe) their authenticator barcodes given by websites, in case some day your chosen app dies or your phone(s)/tablets/everything gets lost?

I store my password manager (Bitwarden) TOTP code in my safe in QR code format. I keep all my other TOTPs in my password manager.

My Bitwarden password is long (at least 40 characters long, I didn't count precisely) and never used or reused.

Doesn't it kinda defeat the point of storing TOTP codes in your password manager?

You wouldn't need to store the codes, but you would need to store the key that makes the codes.

If it's secured by TOTP and a unique and secure password, it's not the weakest link.

This reduces the attack scope from two devices to one. If your computer or web browser is compromised then both your TOTP secrets and password secrets are in one basket. Storing TOTP on a separate device can make it significantly harder to compromise your accounts.

He might be using two different password manager accounts, one for passwords and one TOTP? Although it doesn't help much if he logs in from the same machine anyway.

Partially, but it still offers protection against e.g. replay attacks and e-mail hacks.

I would say not when you can secure bitwarden with a hardware key 2FA.

Aegis has an option to export an encrypted backup of the database. I export one every time I add a new code to the app.

One of the authors here. Recent versions of Aegis also come with an automatic backup feature, so that an export is created at a location of your choosing automatically every time a change is made to your entry list. Might be a little more convenient than doing manual exports every time.

Thanks for pointing this out! I've been using Aegis for quite a while and didn't know this.

Yes, and the exact reason I use aegis (plus open source!)

I use Aegis, but also import the TOTP URI to pass, and use it with pass-otp[1].

It kind of defeats the purpose of 2FA, but I keep my pass repo relatively secure, and the convenience is worth it.

[1]: https://github.com/tadfisher/pass-otp

That's really what scratch codes are for.

Yes, but not every service offers recovery codes.

That’s like a must. Services that don’t probably have an easy way to reset your 2FA via email verification which entirely negates the benefit of 2FA (last line of defence if your password or email are compromised). You probably want to stay away from those services entirely.

Always keep a hardcopy in a safe, for that day your phone is lost or dies. You don't wanna ask Amazon to remove your 2FA, as this involves paperwork. I learned the hard way, but luckily located backups

I put them into Bitwarden alongside the password.

Yes, that means that there's a single place where both factors are stored but if Bitwarden has two-factor authentication (it does), the two factors are preserved.

You really only not do this once. When you lose your phone, you learn.

You can use the QR codes to enroll new devices. (But then so can anyone who finds your QRs, so if you do this, keep them safe)

I keep screenshots of QR codes, and the phrases themselves, in a separate KeePass database.

I sometimes do that when I don't have to write them down.

Yes I do keep backups.

I've switched to it recently, it's really great:

* Open source

* Has search functionality

* Has biometric unlock functionality

* Has no external dependencies (SMS/remote accounts)

* Nice design/UX

* Dark mode

* Can import from other apps

* Just works

* Can do an encrypted export

* Encrypted export can be read by other apps, see https://github.com/beemdevelopment/Aegis/blob/master/scripts...

I don't see any reason to use it over andOTP, which has all those features and has been around years before Aegis. It even looks suspiciously similar to andOTP, if not heavily inspired by it.

* Aegis has a nicer design

* Aegis has an extensive import functionality, andOTP does not seem to have it

* andOTP relocks every time you switch apps, which can be annoying if you need multiple codes when you login to multiple services. In Aegis that behaviour is configurable

* andOTP makes you choose between biometric encryption and password, Aegis supports both at the same time

* andOTP supports tags, Aegis does not

Due to the import functionality, it's easy enough to give it a try, and see if you like it yourself.

Thanks for responding. I should have mentioned I've been a user of andOTP for a few years so that's why I brought the comparison up. I wish more projects (including Aegis) mentioned what distinguishes themselves from very similar options.

I think the fact that Aegis allows you to import from a number of other authenticators, notably proprietary ones, is an important feature in getting people to move over to an open source equivalent, which is something I respect.

One minor correction to what you said though - andOTP doesn't relock every time you switch apps. I tried this just now to verify this.

I tried andOTP again now, and I figured out why it was locking for me.

I usually switch apps by clicking on the icon on the home screen, rather than the task switcher.

When I launch it from the home screen it always re-locks.

This can be turned off in the settings: "Security" -> "Re-lock when going into the background"

I've already unticked all the Re-lock settings, and it still locks for me every time I launch it from the home screen/app drawer.

I tried also on another phone, and same thing.

That seems like a bug, I didn't experience that before.

Kind of sucks that the passphrase to open Aegis is also the passphrase that encrypts your backup. I have to access my 2FA app frequently, so I had to set the passphrase to 3 characters. Luckily the backup is only saved on the devices I own.

That's what the biometric access is for. Choose a strong password, use fingerprint or face-reader for quick access.

I don't know. I'm not comfortable giving any software access to the fingerprint sensor (I've also taped it off), and definitely not as means of authentication.

Seems much more secure than having a three-letter passphrase, but fair enough. You can still encrypt the backup with an additional layer when you back it up. I use the E2EE in Nextcloud for folders with sensitive info, that works quite seamlessly.

Agree, I just imported all my 2F secrets from andOTP, which worked great. Having biometric access and a working cloud backup just makes it that little bit more accessible so it's actually a pleasure to use.

I also love that it has an option for a super-compact view. The default one takes up way too much space.

It's perfect, just donated a few beers to the author as well. You can do so, too: https://www.buymeacoffee.com/beemdevelopment

Sounds awesome!

Authy is fricken awful. It requires SMS for "security" entirely defeating the purpose of 2FA. Worse off, some SAASs _require_ Authy specifically.

Think about that. That means the security of an enterprise system at your company is completely dependent on whether or not an individual secures their personal cell phone account. Absolutely stupid, avoid Authy like the plague.

Authy's trying to make an open standard proprietary. I don't understand why you have to sign up for it with your phone number, or how they've gotten websites like Twitch to offer Authy-exclusive 2FA. In any case I was able to phish myself out of my old phone's Authy account really easily. It's a really bad thing to happen for regular consumers.

Anecdotally, I've seen a few places that instead of mentioning the protocol just say 'download G Auth' or 'download Authy', and so far all of those worked with Aegis when I tried.

I use Authy for a few reasons. One is the ability to sync and use it across multiple devices. This is really convenient.

But the killer is the desktop app. I've had a number of instances where someone I was helping could not get the time of their phone and computer close enough to properly generate codes. Running the Authy app on the machine meant the time matched perfectly and they were finally able to log in.

It's not perfect but has some killer features.

> Authy is fricken awful. It requires SMS for "security" entirely defeating the purpose of 2FA

Explain. There is a separate password to defeat traditional SMS attacks.

I believe it uses it for account recovery if you don't have a device with it installed anymore.

Authy is a disaster. It damaged my data and I got locked out from many services. At some point the app's generated token is not accepted - I've never had such issues with Microsoft Authenticator or 1Password's 2FA.

I've been using Authy for a long time and have never come across SMS for security. When would that be triggered?

I think it's a point of recovery for your authy account that they're talking about.

Gotcha, thanks.

Nice, I consider that a good sign! Means it's unlikely to ever go proprietary like Google Authenticator did.

I used to use andOTP, mainly because it was possible to export OTP tokens when upgrading or resetting my phone.

Then IIRC I heard that andOTP wasn't that secure/maintained. Or maybe that their backup file encryption wasn't that great. I am not sure about these claims, but I migrated to Aegis, that could nicely import AndOTP tokens.

Nowadays, I use it in combination with bitwarden (it supports OTP), which I use for my less important accounts. Bitwarden (self-hosted with bitwarden-rs) allows me to generate those without my phone. I still keep every token in Aegis as well.

AndOTP features I miss with Aegis:

- Icon library for common websites using OTP

- Maybe Steam OTP support? I never used it though, since it would more or less lock me out of trading, without the app, so I use e-mail.

Icon packs are coming. [1] Steam accounts can be imported if you have root access, or you can try [2].

IIRC Steam codes are almost standard except they use a different encoding because... Valve likes to roll their own stuff (?). I agree that trading makes only having codes a bit less useful. They could've used the same codes to confirm trades instead of an entirely separate interface.

[1] https://github.com/beemdevelopment/Aegis/issues/509

[2] https://github.com/beemdevelopment/Aegis/wiki/Adding-Steam-t...

Thanks for pointing this out.

Yeah, Steam rolling their own stuff is a bit troublesome at times, but I think they were among the first to use TOTP tokens, IIRC? There was a story here the other day on how they roll their own password encryption over HTTPS for logging in... It's a shame they don't use standard authentication mechanisms, though.

And I should clarify: my yubikey is my main 2FA token, though support for U2F/Webauthn is a bit limited.

One of the authors here.

> Icon library for common websites using OTP

Someone from the community is maintaining an icon pack for Aegis: https://github.com/aegis-icons/aegis-icons. We're currently working on making icon packs easier to use in Aegis, see: https://github.com/beemdevelopment/Aegis/issues/509.

> Maybe Steam OTP support

Steam is supported, actually! But like you said, you'd still need the Steam app if you're doing trading.

Hey there, thanks for Aegis, it is my main OTP vault for important stuff.

Thank you and your sibling comment. I'm glad this is being worked on! Discovery is also important IMO, so a one-tap install of the most widely used icon pack would be nice to have too :)

Thanks for your support! That's a fair point. We'll see what the feedback is like when we release initial support for icons packs and decide whether to include a pack out of the box after that.

> I migrated to Aegis, that could nicely import AndOTP tokens.

Thanks. I use andOTP too and was hoping this point was answered somewhere here :-).

Oh, perhaps I should also mention that Aegis can easily display OTP secrets that can be pasted into Bitwarden.

You can also display QR codes to easily export a select few to another authenticator app.

Not sure about Aegis -> AndOTP? Aegis can export txt and json, as well as its own encrypted format.

It works together with icon packs you installed as an app. I use Whicons, it has lovely monochrome icons for most sites I use.

Bit OT: I’m interested in an open standard for “push” 2FA. Receive a push notification on Google or Apple’s standard platform, or at the least be able to open the app and just tap the account to send second factor auth (maybe when you open the app it queries all accounts to find which is currently waiting for auth). Are there security concerns blocking this?

There is server-sent events.

Been testing this - migrated from FreeOTP (Red Hat).

I have a conflict on export of keys for backup. But then you kind of need it in the event you lose the phone (so you don't have to rely on SMS or email to recover account access).

Personally I think the best security I have seen is in Keybase or Matrix with the trusted devices concept. I like how keybase allows for one of the devices to be a paper device.

There are scripts to help you export from FreeOTP (and transform to the FreeOTP+ format), even without a rooted phone.

The opposition to export features by FreeOTP maintainers is idiotic, because there is no contract that TOTP seed never moves or lives only on one device. The only expectation is that it is not shared with 3rd parties and is carefully kept secret. At the same time, migrating to a new phone and having to change 30 different 2FA codes individually is untenable.

My big thing with these apps, Authy, Duo, Google Authenticator is site icons. Authy finally figured out a way to query the website and either get the favicon or some image from the website. I know, it's really the most minuscule part but it frustrates me to see "(D)" for Digital Ocean. But it's enough to keep me with it.

Icon packs are coming [1] and you can set your own for the more niche sites.

The problem with querying websites for their icon is that it leaks data about you (your phone and desktop) to a third-party without a proxy, requires a domain to match against, and like with Authy, the icons go out of date and become inconsistent. Worst of all, you have to give network access to the entire app for a trivial feature, making it less secure and trustworthy. Offline icon packs that have a consistent look is a good solution to all of this. [2]

[1] https://github.com/beemdevelopment/Aegis/issues/509

[2] https://github.com/aegis-icons/aegis-icons

Bitwarden has this feature, and it is optional. I wouldn't mind if Aegis has it, as long as it is optional.

Authy now adds the site logo automatically. If not, you can search one up in the app

I use andOTP, open source and can export and import keys so you can have them backed up.

They're pretty similar apps in terms of features (Aegis does all of that too).

Personally, comparing screenshots, I think Aegis' interface and choice of colours is more sleek, especially in dark and OLED modes, so it got my pick.

andOTP used to have some pretty bad issues with security. I switched from andOTP over to Aegis way back then; I've heard that the andOTP author has been extremely active & responsive since, and responded/fixed the aforementioned issues over time, but I've been so happy with Aegis that I haven't felt compelled to go back.

I've been trying to switch away from a closed source authenticator and this ticks most of the boxes. The only thing it's missing is the ability to quickly filter by group. Currently you have to open app -> 3 dot menu -> filter -> select group (4 steps total), whereas the authenticator I'm currently using allows you to side swipe -> select a group (2 steps), or add a shortcut on homescreen that opens the app with the filter enabled (1 step).

Can recommend andOTP in this case, provided you're using Android. Grab a build off F-Droid - easy tag-hopping with options for single or multiple tag selection. Have very few complaints, and I 2FA anything I can, at work and personally, so tags are strictly necessary.

The main problem with andOTP is the excessive amount of padding that they add to each entry, even with the "compact" option. The group/tag selection is better (only two steps), but not nearly as convenient as the app I'm using where you can view a group/tag directly from the home screen.

I love AndOTP. It's boring, it keeps the master key in my head and offers simple backups.

One of the authors here. We've gotten a lot of similar feedback lately. This is something we plan on addressing in a future release by introducing filter chips, either directly on the main view, or one tap away. Hopefully that'll make it a bit easier to quickly filter based on groups.

This looks great. Is there any chance it will make it to iOS?

Can I throw in a question here? How do I get my accounts imported from the old Google Authenticator into the new one?

I'm currently locked out of my AWS account because I made the mistake of adding MFA to my root account at the wrong time.

The crazy thing is that AWS have my phone number but due to formatting or similar they can't send me an SMS! It's possible that they're trying a US number but mine is Australian.

Currently using Authy. Any way to migrate my keys in bulk?

If you have root access, yes.[1] Otherwise no, sadly. One of the reasons I moved off Authy before it got worse.

There is a workaround using the Authy Desktop app but I have no idea if it works.[2]

[1] https://github.com/beemdevelopment/Aegis/pull/107

[2] https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...

Done, migrated 40 accounts to Aegis.

As I see, it backs up to the internal storage, so I have to use another app to sync the backup to a cloud of my choice

> so I have to use another app to sync the backup to a cloud of my choice

You can select Google Drive/Dropbox when backing up the vault.

One of the authors here.

Unfortunately, Google Drive and Dropbox only partially participate in Android's Storage Access Framework. In Aegis, exporting only requires the creation of a file, so that works with both. Configuring backups on the other hand requires selecting a folder, but most cloud providers don't support that. A notable exception is Nextcloud.

How about cloud PaaS providers like AWS? The user could generate an IAM access key with permissions to manage a specific bucket and configure Aegis with the key. Aegis would use the cloud API to upload the backup.

If that is of interest, I could help implement that.

doesn't seem to show for me, only internal space. I have no idea why.

edit: this is not released yet, I think

Might have a solution for you here:

Commented on my question with a snippet I wrote based on that extraction method from Authy. The code generates an Aegis-compatible database instead of printing QR codes.

In response to myself, I created a snippet to generate a database in bulk from Authy.

follow: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...

But change the code with:

Can this import from Google Authenticator?

One of the authors here. Yes! Aegis can scan the QR codes that Google Authenticator presents in the "Transfer accounts" screen. It's also possible to import directly from Google Authenticator's internal database if you have root access.

Just migrated all devices in my home. Without root access, I had to use another phone to take a picture of the QR and then scan with Aegis. This way it had difficulty understanding QR codes that had more than 4 entries. Anyway, waiting for the icons support, but for now it is another Google app down! Thanks a lot.

Thank you so much for this feature! Google Authenticator has been holding my phone ransom on Android 9. I've got way too many 2fa keys to reconfigure manually and add to a new client.

I'm all backed up and installing the latest Lineage OS build now.

I've been in the market for an open source authenticator that works on android and desktop with a cloud sync.

I cannot find one and so I'm stuck on using authy. I have exported all my TOTP tokens in hopes that one might turn up.

Aegis, like andOTP and others, does not appear to have a desktop client.

Check out Tofu if you're on iOS! Open-source, way nicer UI than Google Auth, and you can back it up to iCloud.

Nice! I am using 1Password's 2FA, but, basically, it puts both the password and the second factor in one place, which turns 2FA into essentially 1FA!

Can you add 'app' to the title?

Open source 2FA App for Android.

Sucks that there is no Windows version. Android one looks pretty nice and I like that there are many import/export options

Lol windows :) no seriously if you need an OATH application for windows you can probably coerce oathtool to run under WSL or even natively.

There are some KeePass-compatible password managers on Windows that can generate TOTP codes if that's something you want.

you can install this > export backup to JSON > import to pass-otp and you have 2fa in your command line and phone

From a user's perspective, what does it have over other 2FA apps such as Google Authenticator or Duo?

I use this after having used Google Authenticator, what made me switch is easy backups and restores, not to the cloud but locally to a file. Also you don't need a Google Account if you wish to transfer your data to a new device.

To add to this. Aegis supports any cloud provider that implements Android's "Storage Access Framework".[1]

I can’t tell from the homepage, but perhaps it supports SHA256? Google Authenticator on Android (but not, weirdly, on iOS) pretends to be fine with SHA256 but then goes ahead and uses SHA1, and thus generates wrong codes.

It supports SHA1, SHA256 and SHA512.

Being open-source is not of exclusive benefit to non-users.

Additionally, being non-Google would be considered a large benefit by many non-technical users I know.

Better UI and custom icon support for the random website you have.

Plus this is offline. Hence more secure.

You can require biometric authentication to view the codes, that's the main reason I use it over GA.

I have no printer at home. Does anyone know how to back up all those QR codes on paper?

If you write down the secrets and the other parameters on paper, that would suffice as a backup as well. I'd recommend using Aegis' encrypted backup though.

Anyone knows if and how to use this instead of Microsoft authenticator?

When you setup Microsoft Authenticator, it defaults to a QR code that will be invalid to standard TOTP apps. However, that's because it assumes you want to use the push notification of the app. If you click a button like "key without notify", it will give you a different QR code which is fully standard and works with common apps like this.

Wow, that is a great tip! I have been avoiding setting up a TOTP with Microsoft for months because I didn't want to install their app and I didn't know you could click "without notifications" to get a standard code. Super annoying that they insist on texting me every freaking time I log into email or Teams. Now I can use Aegis, phew!

I think Microsoft Authenticator is internet based. The 2FA secret key is backed up to their servers.

Aegis is open source, free and has backup and restore functionality. It also has a great UI and custom icon support.

Under active development - http://github.com/beemdevelopment/aegis
