Aegis Authenticator — Secure Open-Source 2FA for Android

Introduction

Aegis Authenticator is a free and open-source two-factor authentication app for Android. It stores TOTP and HOTP tokens in an encrypted vault, giving users full control over their 2FA credentials without relying on proprietary cloud services.

What Aegis Does

• Generates time-based (TOTP) and counter-based (HOTP) one-time passwords
• Encrypts the token vault with AES-256-GCM using a user-chosen password or biometrics
• Imports tokens from Google Authenticator, Authy, Microsoft Authenticator, and other apps
• Supports scanning QR codes or manual entry for adding new accounts
• Provides automatic backups to user-selected storage locations

Architecture Overview

Aegis is a native Android application written in Java. It uses a local SQLite database wrapped in an encrypted container (AES-256-GCM) as its vault. The app runs entirely on-device with no network calls for token generation, ensuring air-gapped security for credential storage.

Self-Hosting & Configuration

• Download the APK from GitHub releases or install via F-Droid
• Set a vault password on first launch to enable encryption
• Enable biometric unlock for convenience while keeping encryption active
• Configure automatic backups to local storage or a cloud-synced directory
• Use the export feature to create encrypted or plain-text backups for migration

Key Features

• Fully offline operation with no cloud dependency
• Groups and icons for organizing tokens by service or category
• Dark mode and Material Design UI with search functionality
• Panic trigger support to wipe the vault in emergency scenarios
• Compatible with any standard TOTP/HOTP service

Comparison with Similar Tools

• Google Authenticator — no encryption, no export, limited backup options
• Authy — cloud-synced but proprietary and closed-source
• andOTP — similar open-source approach but no longer actively maintained
• FreeOTP — minimal feature set without vault encryption
• Bitwarden Authenticator — requires Bitwarden ecosystem for full functionality

FAQ

Q: Can I use Aegis without a password? A: Yes, but vault encryption will be disabled. A password or biometric lock is recommended.

Q: Does Aegis sync across devices? A: Not natively. You can export an encrypted vault and import it on another device manually.

Q: What happens if I forget my vault password? A: The vault cannot be recovered without the password. Keep a backup of your encrypted export file.

Q: Is Aegis available for iOS? A: No, Aegis is Android-only. Alternatives like Raivo OTP serve the iOS ecosystem.

Sources

• https://github.com/beemdevelopment/Aegis
• https://getaegis.app