I don't see any reason to use it over andOTP, which has all those features and has been around years before Aegis. It even looks suspiciously similar to andOTP, if not heavily inspired by it.
* Aegis has an extensive import functionality, andOTP does not seem to have it
* andOTP relocks every time you switch apps, which can be annoying if you need multiple codes when you log in to multiple services. In Aegis that behaviour is configurable
* andOTP makes you choose between biometric encryption and password, Aegis supports both at the same time
* andOTP supports tags, Aegis does not
Due to the import functionality, it's easy enough to give it a try, and see if you like it yourself.
Thanks for responding. I should have mentioned I've been a user of andOTP for a few years so that's why I brought the comparison up. I wish more projects (including Aegis) mentioned what distinguishes themselves from very similar options.
I think the fact that Aegis allows you to import from a number of other authenticators, notably proprietary ones, is an important feature in getting people to move over to an open source equivalent, which is something I respect.
One minor correction to what you said though - andOTP doesn't relock every time you switch apps. I tried this just now to verify this.
Kind of sucks that the passphrase to open Aegis is also the passphrase that encrypts your backup. I have to access my 2FA app frequently, so I had to set the passphrase to 3 characters. Luckily the backup is only saved on the devices I own.
I don't know. I'm not comfortable giving any software access to the fingerprint sensor (I've also taped it off), and definitely not as means of authentication.
Seems much more secure than having a three-letter passphrase, but fair enough.
You can still encrypt the backup with an additional layer when you back it up. I use the E2EE in Nextcloud for folders with sensitive info, that works quite seamlessly.
Agree, I just imported all my 2F secrets from andOTP, which worked great. Having biometric access and a working cloud backup just makes it that little bit more accessible so it's actually a pleasure to use.
I also love that it has an option for a super-compact view. The default one takes up way too much space.
I don't know about you but does anyone else screenshot (and even print physical copies of, to keep safe) their authenticator barcodes given by websites, in case some day your chosen app dies or your phone(s)/tablets/everything gets lost?
This reduces the attack scope from two devices to one. If your computer or web browser is compromised then both your TOTP secrets and password secrets are in one basket. Storing TOTP on a separate device can make it significantly harder to compromise your accounts.
He might be using two different password manager accounts, one for passwords and one TOTP? Although it doesn't help much if he logs in from the same machine anyway.
One of the authors here. Recent versions of Aegis also come with an automatic backup feature, so that an export is created at a location of your choosing automatically every time a change is made to your entry list. Might be a little more convenient than doing manual exports every time.
That’s like a must. Services that don’t probably have an easy way to reset your 2FA via email verification which entirely negates the benefit of 2FA (last line of defence if your password or email are compromised). You probably want to stay away from those services entirely.
Always keep a hardcopy in a safe, for that day your phone is lost or dies. You don't wanna ask Amazon to remove your 2FA, as this involves paperwork. I learned the hard way, but luckily located backups.
Yes, that means that there's a single place where both factors are stored but if Bitwarden has two-factor authentication (it does), the two factors are preserved.
Authy is fricken awful. It requires SMS for "security", entirely defeating the purpose of 2FA. Worse off, some SaaSs _require_ Authy specifically.
Think about that. That means the security of an enterprise system at your company is completely dependent on whether or not an individual secures their personal cell phone account. Absolutely stupid, avoid Authy like the plague.
Authy's trying to make an open standard proprietary. I don't understand why you have to sign up for it with your phone number, or how they've gotten websites like Twitch to offer Authy-exclusive 2FA. In any case I was able to phish myself out of my old phone's Authy account really easily. It's a really bad thing to happen for regular consumers.
Anecdotally, I've seen a few places that instead of mentioning the protocol just say 'download G Auth' or 'download Authy', and so far all of those worked with Aegis when I tried.
I use Authy for a few reasons. One is the ability to sync and use it across multiple devices. This is really convenient.
But the killer is the desktop app. I've had a number of instances where someone I was helping could not get the time of their phone and computer close enough to properly generate codes. Running the Authy app on the machine meant the time matched perfectly and they were finally able to log in.
Authy is a disaster. It damaged my data and I got locked out from many services. At some point the app's generated token is not accepted - I've never had such issues with Microsoft Authenticator or 1Password's 2FA.
I used to use andOTP, mainly because it was possible to export OTP tokens when upgrading or resetting my phone.
Then IIRC I heard that andOTP wasn't that secure/maintained. Or maybe that their backup file encryption wasn't that great. I am not sure about these claims, but I migrated to Aegis, that could nicely import AndOTP tokens.
Nowadays, I use it in combination with bitwarden (it supports OTP), which I use for my less important accounts. Bitwarden (self-hosted with bitwarden-rs) allows me to generate those without my phone. I still keep every token in Aegis as well.
AndOTP features I miss with Aegis:
- Icon library for common websites using OTP
- Maybe Steam OTP support? I never used it though, since it would more or less lock me out of trading, without the app, so I use e-mail.
Icon packs are coming. [1] Steam accounts can be imported if you have root access, or you can try [2].
IIRC Steam codes are almost standard except they use a different encoding because... Valve likes to roll their own stuff (?). I agree that trading makes only having codes a bit less useful. They could've used the same codes to confirm trades instead of an entirely separate interface.
Yeah, Steam rolling their own stuff is a bit troublesome at times, but I think they were among the first to use TOTP tokens, IIRC? There was a story here the other day on how they roll their own password encryption over HTTPS for logging in... It's a shame they don't use standard authentication mechanisms, though.
And I should clarify: my yubikey is my main 2FA token, though support for U2F/Webauthn is a bit limited.
Hey there, thanks for Aegis, it is my main OTP vault for important stuff.
Thank you and your sibling comment. I'm glad this is being worked on! Discovery is also important IMO, so a one-tap install of the most widely used icon pack would be nice to have too :)
Thanks for your support! That's a fair point. We'll see what the feedback is like when we release initial support for icons packs and decide whether to include a pack out of the box after that.
Been testing this - migrated from FreeOTP (Red Hat).
I have a conflict on export of keys for backup. But then you kind of need it in the event you lose the phone (so you don't have to rely on SMS or email to recover account access).
Personally I think the best security I have seen is in Keybase or Matrix with the trusted devices concept. I like how keybase allows for one of the devices to be a paper device.
There are scripts to help you export from FreeOTP (and transform to the FreeOTP+ format), even without a rooted phone.
The opposition to export features by FreeOTP maintainers is idiotic, because there is no contract that TOTP seed never moves or lives only on one device. The only expectation is that it is not shared with 3rd parties and is carefully kept secret. At the same time, migrating to a new phone and having to change 30 different 2FA codes individually is untenable.
Bit OT: I’m interested in an open standard for “push” 2FA. Receive a push notification on Google or Apple’s standard platform, or at the least be able to open the app and just tap the account to send second factor auth (maybe when you open the app it queries all accounts to find which is currently waiting for auth). Are there security concerns blocking this?
My big thing with these apps, Authy, Duo, Google Authenticator is site icons. Authy finally figured out a way to query the website and either get the favicon or some image from the website. I know, it's really the most minuscule part but it frustrates me to see "(D)" for Digital Ocean. But it's enough to keep me with it.
Icon packs are coming [1] and you can set your own for the more niche sites.
The problem with querying websites for their icon is that it leaks data about you (your phone and desktop) to a third-party without a proxy, requires a domain to match against, and like with Authy, the icons go out of date and become inconsistent. Worst of all, you have to give network access to the entire app for a trivial feature, making it less secure and trustworthy. Offline icon packs that have a consistent look is a good solution to all of this. [2]
andOTP used to have some pretty bad issues with security. I switched from andOTP over to Aegis way back then; I've heard that the andOTP author has been extremely active & responsive since, and responded/fixed the aforementioned issues over time, but I've been so happy with Aegis that I haven't felt compelled to go back.
I've been trying to switch away from a closed source authenticator and this ticks most of the boxes. The only thing it's missing is the ability to quickly filter by group. Currently you have to open app -> 3 dot menu -> filter -> select group (4 steps total), whereas the authenticator I'm currently using allows you to side swipe -> select a group (2 steps), or add a shortcut on homescreen that opens the app with the filter enabled (1 step).
Can recommend andOTP in this case, provided you're using Android. Grab a build off F-Droid - easy tag-hopping with options for single or multiple tag selection. Have very few complaints, and I 2FA anything I can, at work and personally, so tags are strictly necessary.
The main problem with andotp is the excessive amount of padding that they add to each entry, even with the "compact" option. The group/tag selection is better (only two steps), but not nearly as convenient as the app I'm using where you can view a group/tag directly from the home screen.
One of the authors here. We've gotten a lot of similar feedback lately. This is something we plan on addressing in a future release by introducing filter chips, either directly on the main view, or one tap away. Hopefully that'll make it a bit easier to quickly filter based on groups.
Unfortunately, Google Drive and Dropbox only partially participate in Android's Storage Access Framework. In Aegis, exporting only requires the creation of a file, so that works with both. Configuring backups on the other hand requires selecting a folder, but most cloud providers don't support that. A notable exception is Nextcloud.
How about cloud PaaS providers like AWS? The user could generate an IAM access key with permissions to manage a specific bucket and configure Aegis with the key. Aegis would use the cloud API to upload the backup.
If that is of interest, I could help implement that.
I commented on my question with a snippet I wrote based on that extraction method from Authy. The code generates an Aegis-compatible database instead of printing QR codes.
Can I throw in a question here? How do I get my accounts imported from the old Google Authenticator into the new one?
I'm currently locked out of my AWS account because I made the mistake of adding MFA to my root account at the wrong time.
The crazy thing is that AWS have my phone number but due to formatting or similar they can't send me an SMS! It's possible that they're trying a US number but mine is Australian.
One of the authors here. Yes! Aegis can scan the QR codes that Google Authenticator presents in the "Transfer accounts" screen. It's also possible to import directly from Google Authenticator's internal database if you have root access.
Just migrated all devices in my home. Without root access, I had to use another phone to take a picture of the QR and then scan it with Aegis. This way it had difficulty understanding QR codes that had more than 4 entries. Anyway, waiting for the icons support, but for now it is another Google app down! Thanks a lot.
Thank you so much for this feature! Google Authenticator has been holding my phone ransom on Android 9. I've got way too many 2FA keys to reconfigure manually and add to a new client.
I'm all backed up and installing the latest Lineage OS build now.
I use this after having used Google Authenticator, what made me switch is easy backups and restores, not to the cloud but locally to a file. Also you don't need a Google Account if you wish to transfer your data to a new device.
I can’t tell from the homepage, but perhaps it supports SHA256? Google Authenticator on Android (but not, weirdly, on iOS) pretends to be fine with SHA256 but then goes ahead and uses SHA1, and thus generates wrong codes.
If you write down the secrets and the other parameters on paper, that would suffice as a backup as well. I'd recommend using Aegis' encrypted backup though.
When you set up Microsoft Authenticator, it defaults to a QR code that will be invalid to standard TOTP apps. However, that's because it assumes you want to use the push notification of the app. If you click a button like "key without notify", it will give you a different QR code which is fully standard and works with common apps like this.
Wow, that is a great tip! I have been avoiding setting up a TOTP with Microsoft for months because I didn't want to install their app and I didn't know you could click "without notifications" to get a standard code. Super annoying that they insist on texting me every freaking time I log into email or Teams. Now I can use Aegis, phew!
* Open source
* Has search functionality
* Has biometric unlock functionality
* Has no external dependencies (SMS/remote accounts)
* Nice design/UX
* Dark mode
* Can import from other apps
* Just works
* Can do an encrypted export
* Encrypted export can be read by other apps, see https://github.com/beemdevelopment/Aegis/blob/master/scripts...