Aegis v3.0 – a free, secure and open source 2FA app for Android
Overall reception of Aegis
- Widely praised as polished, reliable, and “flawless” for many users.
- Valued for being free, open source, community-driven, and independent of big vendors.
- Seen as trustworthy enough for critical 2FA, though some note that authenticators are especially sensitive and want to understand its history more deeply.
Features, backups, and migration
- Key strengths: local-only storage by default, strong encryption, optional app-specific password, import/export, groups/folders, search, usage-based sorting, icons, Material 3 UI, and good performance even on low-end Android.
- Backup options: on-demand encrypted JSON export, automatic local backups, optional Android/Google cloud backup, and ability to sync encrypted backups via tools like Syncthing or third‑party clouds.
- Aegis can import andOTP backups; several users migrated from andOTP (now unmaintained) and other apps like FreeOTP and Authy with few issues.
Comparisons with other authenticators
- Positive contrast with Google Authenticator and Authy: Aegis is FOSS, not tied to a phone number, not inherently cloud-synced, and has straightforward backup/restore.
- Authy criticized for vendor lock‑in, no official backup/export, and the desktop app being discontinued.
- Some prefer KeePass/Bitwarden/2FAS/etc. for integrated passwords+TOTP; others dislike collapsing factors into one tool.
Cloud sync, Google Authenticator, and Retool
- Concern that Google Authenticator’s cloud sync exposes TOTP secrets to new attack paths and was involved as one layer in the Retool breach.
- Disagreement on how much GA is to blame: some see it as “one more hole in the Swiss cheese”; others emphasize that TOTP itself is phishable and argue for WebAuthn/passkeys instead.
- Cloud sync is described as opt‑in but criticized for dark‑pattern onboarding and unclear controls.
2FA UX, security models, and alternatives
- Common complaints: managing dozens of TOTP codes is clumsy; SMS 2FA is unreliable and insecure.
- Aegis mitigations: search, groups, icons, and sorting.
- Debate over best model:
- Some keep TOTP in password managers for convenience; others insist on strict separation to preserve true multi‑factor.
- Some argue TOTP is “obsolete” vs. phishing‑resistant methods (WebAuthn, passkeys, hardware keys); others still see TOTP as practical and beneficial.
- Broader worry that normal users find all of this confusing, with serious lockout risk if phones or accounts are lost.