Aegis v3.0 – a free, secure and open source 2FA app for Android

Overall reception of Aegis

  • Widely praised as polished, reliable, and “flawless” for many users.
  • Valued for being free, open source, community-driven, and independent of big vendors.
  • Seen as trustworthy enough for critical 2FA, though some note that authenticators are especially sensitive and want to understand its history more deeply.

Features, backups, and migration

  • Key strengths: local-only storage by default, strong encryption, optional app-specific password, import/export, groups/folders, search, usage-based sorting, icons, Material 3 UI, and good performance even on low-end Android.
  • Backup options: on-demand encrypted JSON export, automatic local backups, optional Android/Google cloud backup, and ability to sync encrypted backups via tools like Syncthing or third‑party clouds.
  • Aegis can import andOTP backups; several users migrated from andOTP (now unmaintained) and other apps like FreeOTP and Authy with few issues.

Comparisons with other authenticators

  • Positive contrast with Google Authenticator and Authy: Aegis is FOSS, not tied to a phone number, not inherently cloud-synced, and has straightforward backup/restore.
  • Authy criticized for vendor lock‑in, no official backup/export, and the desktop app being discontinued.
  • Some prefer KeePass/Bitwarden/2FAS/etc. for integrated passwords+TOTP; others dislike collapsing factors into one tool.

Cloud sync, Google Authenticator, and Retool

  • Concern that Google Authenticator’s cloud sync exposes TOTP secrets to new attack paths and was involved as one layer in the Retool breach.
  • Disagreement on how much GA is to blame: some see it as “one more hole in the Swiss cheese”; others emphasize that TOTP itself is phishable and argue for WebAuthn/passkeys instead.
  • Cloud sync is described as opt‑in but criticized for dark‑pattern onboarding and unclear controls.

2FA UX, security models, and alternatives

  • Common complaints: managing dozens of TOTP codes is clumsy; SMS 2FA is unreliable and insecure.
  • Aegis mitigations: search, groups, icons, and sorting.
  • Debate over best model:
    • Some keep TOTP in password managers for convenience; others insist on strict separation to preserve true multi‑factor.
    • Some argue TOTP is “obsolete” vs. phishing‑resistant methods (WebAuthn, passkeys, hardware keys); others still see TOTP as practical and beneficial.
  • Broader worry that normal users find all of this confusing, with serious lockout risk if phones or accounts are lost.