jahed.dev

Avoid Authy, Use Aegis

Authy is a popular two-factor verification tool used by a lot of people. Previously, Google Authenticator was the go-to for this but Google neglected the app and avoided simple features like backup and recovery. Authy allowed backups by encrypting them with a password and storing them remotely tied to your phone number. Great solution.

The downside? Authy was bought by Twilio (the SMS service) and hasn't made any significant improvements for years.

The major downside is that none of it is open-source. You can't export your codes to back up yourself. You're entirely bound to Twilio's service. Which might be one reason why they bought it.

Having automatic backups tied to your phone number is extremely convenient for a general audience. The same reason instant messengers like WhatsApp and Signal tie their identifiers to phone numbers. But that comes at a cost. Are single backups enough if they can get corrupted? What happens if Authy abruptly shuts down its services? It's impossible to know until it happens.

So, what's the alternative? Aegis.

More importantly, it creates encrypted backups automatically on your device so you can upload them to wherever you want. A physical hard drive, Syncthing, cloud storage, whatever.

That also means you don't need to store backup passwords for every single account. How many people actually download and safely store those passwords anyway? With Aegis, as long as you store your encryption password somewhere safe (and ideally physical) and separate from your Aegis backups, you're safe. If you lose access to Aegis, you or someone else can create a program to decrypt and restore your backup onto another app.

Aegis is one of those open source applications that I'm truly impressed by. It's perfect for what it does and, unlike Authy, I'd be perfectly happy if it never updated itself -- outside of security and compatibility fixes, of course.

Thanks for reading.