Avoid Authy, Use Aegis
Authy is a popular two-factor verification app used by a lot of people. Previously, Google Authenticator was the go-to, but Google neglected the app and left out simple features like backup and recovery. Authy allowed backups by encrypting them with a password and storing them remotely, tied to your phone number. A great solution.
The downside? Authy was bought by Twilio (the SMS service) and hasn't seen any significant improvements in years.
- The interface is janky. Padding is uneven, and account logos are often outdated or mismatched.
- The user journey is fiddly. To get to a code in the list view, you need to find the account and tap it, then go back. Every time. If you have a lot of accounts to log into, that's a lot of transitions. The grid view gives very little space to the actual "grid".
The major downside is that none of it is open-source. You can't export your accounts to back them up yourself. You're entirely bound to Twilio's service, which might be one reason why they bought it.
Having automatic backups tied to your phone number is extremely convenient for a general audience, for the same reason instant messengers like WhatsApp and Signal tie their identifiers to phone numbers. But that convenience comes at a cost. Is a single backup enough if it can get corrupted? What happens if Authy abruptly shuts down its service? It's impossible to know until it happens.
So, what's the alternative? Aegis.
- It's open-source and available on F-Droid with reproducible builds.
- It has a clean, evenly padded interface.
- You can see all of your account codes at once without needing to tap through.
- You can share and transfer accounts using QR codes. Useful if you have a shared login or don't want to restore from a backup.
- You can group your accounts together if you want. Personally, I prefer using search.
- It has minimal permissions. It doesn't ask for network access so it's entirely local.
More importantly, it creates encrypted backups automatically on your device so you can upload them to wherever you want. A physical hard drive, Syncthing, cloud storage, whatever.
That also means you don't need to store the backup passwords (recovery codes) that every single account hands out. How many people actually download and safely store those anyway? With Aegis, as long as you store your encryption password somewhere safe (ideally physical) and separate from your Aegis backups, you're covered. If you lose access to Aegis, you or someone else can write a program to decrypt your backup and restore it into another app.
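To make the "someone can write a program to restore it" claim concrete, and to tie it to the QR-code transfer mentioned earlier, here is an added example (not from this post and not Aegis's own code) of the part such a restore tool needs once the backup has been decrypted: parsing the `otpauth://` URI that 2FA apps exchange via QR code, computing RFC 6238 TOTP codes from the secret it carries, and checking a submitted code the way a server would. Decrypting the vault file itself depends on Aegis's documented backup format and is not covered here. It uses only the Python standard library; the sample URI is constructed (its secret is the RFC 6238 reference key, the account and issuer are placeholders), and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is the RFC 6238 reference key ("12345678901234567890"
# in base32), not a real account; label and issuer are placeholders.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def b32_from_bytes(raw):
    """Encode a raw secret the way otpauth URIs carry it (unpadded base32)."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI (the Key URI format behind 2FA QR codes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(parsed.path.lstrip("/"))
    # The label is "Issuer:account" or just "account"; an explicit issuer= parameter wins.
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label_issuer
    return {
        "issuer": params.get("issuer", label_issuer).strip(),
        "account": account.strip(),
        "secret": params["secret"].replace(" ", "").upper(),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # URIs usually drop the '=' padding
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def code_from_uri(uri, at_time=None):
    """Current code for an account given only its otpauth URI (all a restore tool needs)."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["period"], p["digits"], p["algorithm"])


def verify_totp(secret_b32, submitted, at_time=None, window=1,
                period=30, digits=6, algorithm="SHA1"):
    """Server-side check: accept the current step and +/- `window` steps of clock drift,
    comparing in constant time so timing does not reveal how many digits matched."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    matched = False
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        expected = hotp(secret_b32, step + delta, digits, algorithm)
        matched |= hmac.compare_digest(expected, submitted)
    return matched


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(f"{entry['issuer']} / {entry['account']}: {code_from_uri(SAMPLE_URI)}")
```

The point of the design is that everything a code generator needs lives in the base32 secret plus three parameters (algorithm, digits, period), all of which the URI carries, so any app or script that can read a decrypted backup can regenerate the same codes with no network access. The verifier side deliberately keeps the drift window small and uses `hmac.compare_digest`; widening the window or comparing with `==` weakens it.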
Aegis is one of those open-source applications that I'm truly impressed by. It's perfect for what it does and, unlike Authy, I'd be perfectly happy if it never updated itself -- outside of security and compatibility, of course.
Thanks for reading.