Aegis v3.0 – a free, secure and open source 2FA app for Android

Some can do that in their own app, e.g. Steam Guard. Too bad that's not a standard. But the FIDO2/webauthn stuff may be similar.

you might enjoy Bitwarden (self hosted with vaultwarden) which copies the TOTP to clipboard after logging in to a site.

I almost^ missed a train recently because I tried to book my ticket and for the first time ever (and actually not since either) Amex wanted to send me a verification code. They support only SMS & email, but you can't change it for the current one and it was set to SMS, and I don't have email on my phone anyway & was at the station. Anyway - SMS didn't arrive. Had the same thing recently with them from a bank, it's the network blocking them, suspected spam or whatever.

There's plenty of other reasons not to use SMS 2FA, but it might suddenly not work one day right when you need it, and totally out of your control, is perhaps the most universally compelling?

I use Aegis only as backup because the workflow is cumbersome as you say (the app itself is flawless in my book), my primary TOTP authenticator is KeePass. I use the exact same KeePass setup on Linux, Windows and MacOS and copying a TOTP token is only a hotkey away. My KeePass also acts as SSH agent which also works with Cygwin, MSYS and WSL. On Android I use KeePassDX which also supports TOTP. I almost never ever open Aegis and when I do it's mostly to check that I can remember the password. I sync my KeePass databases across all devices and OSes with Syncthing.

I agree this kind of sucks (I have about 40 tokens on there), but it's relatively well mitigated with the search functionality and typing the first few characters of the service. This works for all that I've tried except the root MFA token from AWS, and I could easily fix that by exporting and changing the name and re-importing if I wanted to.

This has two things about it that make me actively not want it:

1. Does not work offline (requires an internet connection to work). The current design for TOTP is super flexible as they only require time syncronization, which doesn't require an internet connection.

2. It means I have to install an app for each service, which I absoulutely do not want to do. I would prefer to only use native apps for things that actually need to be native. PWAs and web UIs are strongly preferred for me. A comprehensive and robust way to manage permissions would mitigate my dislike for native apps somewhat, but this is getting harder and harder (though praise be unto GrapheneOS for their efforts!)

From an engineering perspective, it also feels like unnecesary bloat/complexity and coupling.

Couple things no one's mentioned yet. In Aegis you can add icons to token slots, and manually sort them (alphabetically). This, plus searching, helps a lot in finding tokens quickly. They have pre-existing icons for most of the common sites.

the website would present a QR code, you would open the phone and scan the code, the phone would make a request signed with your key to a URL, and the website would authenticate you because by making this signed request you proved that "something you have" part is done.

WebAuthN essentially gives you that behavior, with the addition of making it MITM-resistant (which TOTP isn't). It even works cross-platform these days (I think both devices need Bluetooth as a proof-of-proximity, to make sure an adversary isn't relaying you a QR code).

Unfortunately both iOS and Android absolutely insist on syncing these credentials to the cloud, but both now have APIs that would allow a third party to provide a local-only backend.

the UX will be terrible.

if you run safari and store all your passwords using icloud “passwords”, safari will automatically prefill the 2fa code. i assume this is the case for other browsers as well?

That's pretty close to webauthn, which works very nicely with yubikeys if the service supports it. 2fa? Please tap yubi button - done.

Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

I just click search and type 2-3 characters and most of the time I can see what I need right away. I'm using way over 20 services with 2FA and that's really the least of my concern.

And I actually don't use search that much since Aegis also has a feature of sorting by the usage so whatever I'm using regularly are already at the top for me.

Nowadays I open Aegis and I have > 20 services there, and trying to look for my code between all the running numbers is a pain.

exactly :(

I wish passkeys get rolled out quickly across all sites, most people use just 2 or 3 trusted devices 99% of the time.

for those edge cases where you are working on an untrusted device, the passkey on your trusted mobile can help with authentication via Bluetooth or some QR code etc,...

I used to quite like the hack that LastPass authenticator had to make it easier.

If you ever encountered a TOTP form in your browser that the LastPass browser extension recognised it would send a push notification to the aunthenticator app on your phone which if approved would send the TOTP code to your browser and submit the form on your behalf.

Unfortunately it only ever worked on the handful of websites Lastpass had implemented bespoke support for, but it was magic when it worked. It would be nice to have a universal standard for push notification 2FA.

At least with aegis I can create groups. So I can separate email, work stuff, etc and only see a few tokens in each group.

Sure the ui isn't great. And it takes a couple extra clicks to the groups. But given the stupid shit that sites do like disabling paste for two factor codes or passwords, i just would never trust them to not fuck up a more streamlined solution. I like a bit more manual control sometimes, at the expense of convenience.

And it also runs and is backed up completely offline, which is nice.

phone making a request means it cannot be airgapped.

working airgapped / offline is a great quality speaking in favor of TOTP

I started moving my company's team and contractors (as well as family and friends) ... onto Aegis

An important question on this, if you don't mind:

If the phone, where Aegis was installed, is dead/lost/stolen, which options are available to make sure that access to the accounts linked to that phone wouldn't be lost either?

Syncing to the cloud is an opt-in setting in Google Auth.

That sounded scary, but after reading into the Retool breach (thanks for pointing it out), it doesn't sound like Google Authenticator is completely to blame.

Retool points out the "attacker was able to navigate through multiple layers of security" [0], i.e.:

1. "through a SMS-based phishing attack" on "Several employees"

2. "one employee logged into the [SMS phishing] link", "logging into the fake portal"

3. "attacker called the [phished] employee" "and deepfaked our [IT team] employee’s actual voice"

4. "the [phished] employee grew more and more suspicious, but unfortunately did provide the attacker one ... (MFA) code" (over the call)

5. "The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward."

6. "This enabled them to have an active GSuite session on that device." With "Google Authenticator synchronization feature that syncs MFA codes to the cloud", "if your Google account is compromised, so now are your MFA codes".

By #5, I'm thinking GA sync is about as blameworthy as Okta for allowing a device to be added with just a single additional OTP token shared over a phone call?

Here's a different perspective (tptacek) [1]:

> We use OTPs extensively at Retool: it’s how we authenticate into [Google, Okta, internal VPN and Retool]

They should stop using OTPs. OTPs are obsolete. For the past decade, the industry has been migrating from OTPs to phishing-proof authenticators: U2F, then WebAuthn, and now Passkeys†. The entire motivation for these new 2FA schemes is that OTPs are susceptible to phishing, and it is practically impossible to prevent phishing attacks with real user populations

TOTP is dead. SMS is whatever "past dead" is. Whatever your system of record is for authentication (Okta, Google, what have you), it needs to require phishing-resistant authentication.

My only concern is the present tense in this post about OTPs, and the diagnosis of the problem this post reached. The problem here isn't software custody of secrets. It's authenticators that only authenticate one way, from the user to the service.

[0] https://retool.com/blog/mfa-isnt-mfa

[1] https://news.ycombinator.com/item?id=37503551

Point of order: Retool got hit by an SMS phishing attack, and while they made a big deal out of Google syncing TOTP seeds, the real moral of their story is to stop using TOTP altogether; it's not phishing-resistant. Rather than cutting a whole team from one TOTP app to another, it would probably be a better idea to shift the whole team to an IdP that forces FIDO2. TOTP is obsolete.

Which is idiotic, as having your seeds on your desktop no longer makes it two factor authentication, rendering the use of phrase factually incorrect.

There is no way I will install authentificator as flatpak.

It's been downright luxurious having my seeds on my phone and my laptop and desktop.

The same is possible for my iOS tool of choice (called "OTP auth"). It can also synchronize to iCloud (passphrase encrypted) and make use of that on macOS.

I've resisted the temptation of that comfort so far (and of just putting the TOTP seeds into Bitwarden or 1Password), because it does seem a lot like collapsing what's now definitely two or maybe three factors into two or sometimes only one.

Why not Keepass?

You can just use a Keepass database and then you aren't locked in to a single OS (KeepassXC, Keepass2Android, etc.). Synchronize any way you like.

Because doing this reduces the 2FA into 1FA (i.e. there is no longer a possession factor).

Bitwarden 2FA is not free.

The main downside for me with using Bitwarden for 2FA TOTP is that I can't add more than one TOTP to a password. At work we use Active Directory so I can access a lot of sites with the same account, but all those sites have a different TOTP. I can only store one in Bitwarden and I am forced to store the rest on my phone in a regular authenticator app. I don't want to create duplicate accounts in Bitwarden just for the TOTP.

For my personal threat model, most 2FA flows decrease my security. Historically, the loss of my phone is a more likelier event than a compromise of my credentials and the damage to me and the businesses holding my accounts from loss of my credentials is much less than the denial of service from loss of access. This flips with some access from my employer and my bank, but I don't associate any of my personal devices with my employer's account in any way.

It is a shame how the industry seems to think that security is some single dimension along which things are more or less secure. Denial of service for personal accounts is often times more damning and common than account compromise. 2FA makes me less secure in some cases.

The current state of technology seems frightening indeed. This 2FA is a miracle. It is free and independent of the big tech companies. I'd put it on the same level of importance as Mozilla products. In the future, we will see more proof-of-personality applications for security reasons. But recovery codes won't be going out of fashion any time soon. Unless, of course, AI-enabled developers are gifted with long-term memory in the next few years.

But can you access your google account if you lose your phone? That account belongs to google, not to you.

I use my own 15 lines of Python code calling pyotp. At least for desktop means preferably CLI.

I would say that the "generic desktop app" approach is to be avoided. The reason is that there is a strictly better alternative that targets almost the same audience. By implementing a TOTP generator as a desktop browser extension instead, one gets visibility into which site the user visits, and can show only the relevant code, or, if there is none, a phishing warning.

The users that are left behind in the browser extension approach are those who need TOTP for non-web things like SSH.

Happy user of https://authenticator.cc/

I use Bitwarden for passwords and 2FA (browser plugin, Android app for mobile). Definitely not recommended by anyone security focused, but these 2fa are forced onto me by different platforms and not something I chose/care.

There should be desktop authenticator software. If I can have one on Linux I'm sure all the other desktop OSs have at least 1.

I use keepass on phone and desktop

I use KeePass. It's a little bit cryptic to set up the OTP - you have to create an advanced field called TimeOtp-Secret-Base32 with the seed in it - but after that you just Ctrl-T to get the latest code.

https://github.com/tadfisher/pass-otp

TOTPs are inherently less secure than many of these proprietary solutions (they don't offer control over where people store them and whether they create backups of them, for one thing), so I do somewhat understand companies preferring those.

Aegis will happily slurp the secrets out from Duo on a rooted device.

Duo lets you use a physical security key, I then use bitwarden to store that as a passkey. Not quite a full replacement but good enough for me (you can also self host bitwarden [0])

[0] Vaultwarden

Using a password manager as your authenticator seems very risky to me.

You should use separate services.

If your password manager is breached, at least the infiltrator cannot pass 2FA.

I'm hard opposed to storing my second factor codes alongside my first factors. Part of the reason why I use 2FA is because if my password store is compromised, the accounts in it that are compromised do not contain all of the credentials necessary to log into the accounts protected by 2FA. I also do not store my emergency removal codes in the same secret store as my passwords for this reason.

Raivo is a source-available ios app. It has exports, icloud sync and can generate a new QR code. Keychain is also not bad.

I use OTP Auth, it doesn’t get updated much but still maintained. I consider it « feature complete ».

https://apps.apple.com/fr/app/otp-auth/id659877384

OTP Auth. In use for years. Backups, iCloud Sync, Widgets, Folders. Perfekt.

I have been a happy long-time user of andOTP since migrating to it from FreeOTP (iirc) and was unaware that it was no longer maintained. Some quick digging shows that the Github repo links to this XDA post[0] where the author announced he was ceasing development. :(

The good news is that migrating to Aegis is quite simple. Export from andOTP, in Aegis go to Settings -> Import & Export -> Import from File, & choose andOTP. Pick your file and away you go.

It doesn't seem to have a database of icons like andOTP does though; none of my imported items show an icon though several did in andOTP. (Could this be because of the method they were added?)

[0] https://xdaforums.com/t/unmaintained-app-4-4-open-source-and...

Yes it's possible to import from andOTP

I use Aegis as my main app for 2FA so I can answer these questions:

Can you do an encrypted backup on demand (protected with a password you supply)?

Yes!

Is there any desktop app such backup can be opened/read with (or even eg. read with something like sqlite db browser)?

It's just plain JSON once decrypted, so it's always readable; I do know the GNOME Circle app "Authenticator" can natively import Aegis backups as well, since it's what I use on my desktop machine, but I don't know what other apps exist.

Can the app be configured to save an encrypted copy to eg. Dropbox whenever changes are made?

It does have some facilities for automatic and cloud backups judging from the settings page, but I've never tried them

Is it recommended to install from Play store, or the APK off GitHub?

If you do the latter you'd lose automatic updates. I used F-Droid.

I totally agree, it's probably the only app I ever used that I would consider flawless.

It’s why I was a bit scared when reading the title (though the screenshot makes it look like I’ll be fine), I’ve had two open source apps make their UI/UX vastly worse recently with major updates (granted, I’m assuming some people like the changes), one was Gajim (XMPP messenger) on Desktop, and another Breathly (guided breathing) on mobile.

Thanks for forking and supporting my initial clumsy tool, glad to see someone else found it useful :)

I'd take a more diverse UI experience on Android any day over a more polished yet heavily opinionated experience at iOS.

That being said, I feel like the main complaint about Android apps design is the fact that a lot of apps are just horrible half-assed implementations of old Material UI slapped together on a drag and drop editor like the Android Studio widget system. Offering an incentive for people to build anything and make money off data collection and ads without the corporate tyranny of Apple results in just that. So apps that are on FOSS repositories such as F-Droid are usually much cleaner to use, despite their UI/UX being just as diverse.

Authy has no official backup-solution, it's vendor lockin. They discontinued their desktop-app last week, are owned by a company, and so you never know when they might charge money or discontinue the app as a whole.

There are unofficial solutions for backup, but who knows when those will stop working.

Not linked to your phone number. It does encrypted backup that can be synced with Google Android backup (if you want).

Support Steam authenticator (if you follow the guide how to get the key).

You can group the MFA provider in groups that make sense to you.

You're in full control and the keys never leave your device unless you want to.

You can see the keys whenever you decide.

And the list goes on. I've been using it for years and it's the best MFA app on the market.

The fact that it's a community project is also a nice bonus.

It is more than a bonus. This is the only kind of project you know that tomorrow, the day after or a year from now there wouldn't have profit incentives or a pending IPO to completely abuse your experience as a user and extract as much profit as possible.

Same here. I haven't compared it in depth with Aegis, but besides some UI quirks I'm happy with FreeOTP. Am I missing anything important?

Hi!

I use both plus Syncthing to automatically backup my vault to the pc. Great combo!

Happy Ente user on ios.

It supports Groups to organize entries.

Let's hope they add a desktop app. I'm on that screen more than my phone. I'm not one to care about having my phone on me all the time.