A little bit ago in another HN article (https://news.ycombinator.com/item?id=20232164) where AndOTP popped up, a link was shared with a nice discourse between the AndOTP author and a newer one, Aegis:
https://old.reddit.com/r/androidapps/comments/b45zrj/dev_aeg...
AndOTP isn't seeing a lot of development, but Aegis is moving like gangbusters and recently passed the 1.0 mark. Thanks to that HN trail of info, I've switched from AndOTP to Aegis:
https://github.com/beemdevelopment/Aegis
The Aegis devs have been doing a bang-up job and the app is worth a look; it can import your AndOTP (and other apps') data. This is not a slight against AndOTP, just what I personally see as a natural progression based on that reddit thread above.
Thank you for this recommendation. Just tried Aegis on Android:
1. Its UX is more polished than andOTP; the AMOLED theme in particular is well done.
2. It also supports fingerprint unlocking, the lack of which was the biggest pain point when regularly using andOTP.
3. Supports imports from popular 2FA apps, though this requires root access.
A few issues I noticed:
1. While importing from andOTP, the issuer is blank when the 2FA token was manually added to andOTP. So now I have a list of 2FA codes with no indication as to which website they belong to. [Screenshot](https://gopi.dev/images/aegis.jpg)
2. The 'Vault is unlocked' notification persists even on closing the app.
3. OpenPGP integration for backups isn't available.
One of the Aegis developers here. Thanks for the feedback. Could you create an issue on GitHub for #2? I'm curious to know if you killed the app or just minimized it.
Ah, my bad, looks like it only happens when I kill the app and not when I exit the app properly. I do not know if Android apps are supposed to clean up persistent notifications when they are killed, or even if they can.
For issue #1 - try going into settings and enabling Account Name, I believe it's off by default. I, like you, had to edit each entry after import; Aegis has multiple metadata fields and I think the old data imports into the (not visible) Account field if I recall my experience correctly.
This (issuer saved in account name field) is what I got when I just imported my andOTP data. If you long-press and edit an entry, you can see and change both fields.
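The issuer/account-name confusion above comes down to how the otpauth:// Key URI carries the two fields: an explicit issuer parameter, a "Issuer:account" prefix in the label, both, or neither. The following is an added example (not Aegis or andOTP code) that parses constructed sample URIs with those variants, falls back to the label prefix when the issuer parameter is missing, and computes the TOTP code for each entry; the sample secrets are the RFC 4226/6238 test key and belong to no real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URIs (not from any real account). The second has no
# explicit issuer parameter, so the only hint is the "Issuer:account" label
# prefix; the third has no issuer information at all, which is what ends up
# as a blank issuer after an import.
SAMPLE_URIS = [
    "otpauth://totp/Example%3Aalice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30",
    "otpauth://totp/GitHub:bob?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "otpauth://totp/just-a-label"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&algorithm=SHA256&digits=8",
]


def parse_otpauth(uri):
    """Parse an otpauth://totp Key URI into issuer, account, and TOTP parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(u.query).items()}

    # The explicit issuer parameter wins; otherwise fall back to the
    # "Issuer:account" convention in the label (assumption: this is the
    # fallback an importer should apply, it is not what any given app does).
    issuer = q.get("issuer")
    account = label
    if ":" in label:
        prefix, _, rest = label.partition(":")
        account = rest.strip()
        if issuer is None:
            issuer = prefix.strip()

    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return {
        "issuer": issuer,
        "account": account,
        "secret": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / period)."""
    at = time.time() if at is None else at
    return hotp(entry["secret"], int(at) // entry["period"],
                entry["digits"], entry["algorithm"])


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        e = parse_otpauth(uri)
        print(f"{e['issuer'] or '(no issuer)'} / {e['account']}: {totp(e)}")
```

With the RFC test key, the first entry yields 287082 at Unix time 59, matching the RFC 6238 vector; the third entry is the case where no importer can recover an issuer, because the URI never carried one.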
I'm using 'Password/PIN' for database encryption and it isn't compatible with 'Device Credentials' in authentication method. Can you tell me how you've enabled fingerprint unlocking?
FreeOTP hasn't had a commit since Dec 14, 2017, according to the GitHub repo. Also, Android 10 gave a warning when I ran it that it was developed for an older version of Android.
Is there a reason people don't use their password manager for OTP? In my case I'm using 1Password, which supports OTP, but I know most other password managers support it too, including clients for Keepass.
I guess there is the issue of your password manager being compromised but honestly I'm way less worried about that than website x or y getting compromised.
You can make an argument for a second factor (other than hardware key) being of fairly little value to anyone using an offline password manager and generating passwords with a huge amount of entropy.
I don't think this is entirely true, and so I often use TOTP with important sites. But I'm okay with storing the TOTP key in my password manager (which encrypts the password database with a long key phrase and a key file). Even on top of the very little chance that any of my long passwords are going to get leaked or broken, I think the chance that this happens because my password manager gets hacked along with the TOTP keys (as opposed to me getting phished or a vulnerability in a website) is pretty remote.
But the point is it protects against a website that a password belongs to being compromised. If your password manager is compromised, then yes, it is game over. But by that logic, if your password manager and your OTP manager are compromised (which often live on the same phone), you haven't mitigated much.
I used to do that for the convenience of the autofill but my paranoia got the best of me. If someone got access to my 1password he could access all my accounts, which defeats the purpose of two factor authentication. It turns out that with the shared copy/paste feature between Mac and iOS, using a phone app isn't such a hassle.
I use KeePassXC on desktop, and KyPass on iOS. They both support OTP, but in different formats, which messes up my syncing of the database via Nextcloud, so I use Authy on iOS.
Being able to move without having to hold QR codes is good. I have to maintain PGP-encoded (and keystore-held) images of screengrabs of QR codes because very few of the OTP apps out there want to acknowledge you might want to move a 2FA to another system.
These are not secrets which have to stay locked in one cupboard. They are secrets which might stay locked in several cupboards: I have two phones. Is it not sensible to share the QR-initialized state amongst them?
I still prefer the much simpler FreeOTP+. Just start, tap and go. Can be easily backed up and restored: either via Import/Export or plain Titanium Backup.
Been using AndOTP for months and I love that it supports Android's keystore and device credentials for authentication. I had switched to it from Authy, which was quite heavy.
Aegis' design looks a lot less dense than AndOTP on the screenshots, though it seems to be widely recommended. I'll have to check what that's all about.
The density is configurable in Aegis, 3 "View Modes" - Normal (what you see by default I think?), Compact and Small. You can then choose to show or hide the Account name to further reduce size, and it supports Groups to organize.
The best AndOTP feature for me is the fact that it integrates with OpenKeyChain thus allowing the use of PGP keys for backups. I also wish there were more apps that use OpenKeyChain. For example something that allowed notetaking.
I used to use this app frequently until my workplace required me to switch to iOS. I need to manually set all my OTPs in OTP Auth due to its backup incompatibility. Does anyone know a way to do that?