Aegis Authenticator review — open-source 2FA for Android
Aegis is the best open-source TOTP authenticator for Android. Encrypted backup, biometric unlock, no cloud dependency and completely offline.
Aegis Authenticator review
Aegis is an open-source authenticator app for Android supporting TOTP and HOTP. Encrypted local storage, biometric unlock, no account required, no cloud connection. The default choice for anyone wanting to replace the 2FA codes of Google Authenticator or Authy.
Why 2FA at all?
Two-factor authentication adds a second security layer alongside your password. Even if an attacker knows your password, they also need access to your second factor. TOTP (Time-based One-Time Password) derives a new six-digit code every 30 seconds from a secret shared between your device and the service (an HMAC over the current time step), so the code is computed locally without an internet connection. One caveat: a TOTP code can still be relayed by a real-time phishing page, so for the highest threat profiles the hardware keys covered in the YubiKey review below are the stronger option.
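To make the mechanism concrete, here is an added reference implementation of HOTP (RFC 4226) and TOTP (RFC 6238) in Python, plus the server-side verification step with a drift window. It is example code written for this review, not code from Aegis; the only external input is the RFC test-vector secret, and `decode_base32_secret` is a hypothetical helper for the Base32 string an `otpauth://` QR code carries.

```python
"""HOTP / TOTP reference implementation (RFC 4226 / RFC 6238).

Added example for this review, not Aegis's own code. This is what any
authenticator app computes from the secret it scans out of an otpauth:// QR.
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode the Base32 secret from an otpauth:// URI (QR codes usually omit '=' padding)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding base64.b32decode insists on
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal digits."""
    counter_bytes = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, counter_bytes, algorithm).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte selects a 4-byte window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift; compare in constant time to avoid leaking digits."""
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, step + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test-vector secret ("12345678901234567890"), Base32-encoded as a QR would carry it
    demo_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(demo_secret, 59))                 # RFC 6238 vector at T=59 -> 287082
    print(totp(demo_secret, int(time.time())))   # the code a live authenticator would show now
```

The RFC vectors are the quickest way to check any authenticator implementation: the same 20-byte secret must give `287082` at T=59 (6 digits) and `94287082` with 8 digits. Note that `verify_totp` only handles drift; a real server must also reject a code that was already accepted in the same step, otherwise a shoulder-surfed code can be replayed within its 30-second lifetime.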
What Aegis does better than alternatives
Encrypted backup: Aegis stores your 2FA tokens encrypted in a local file. You choose the backup password yourself. If your phone breaks, import the backup on a new device and immediately have access to all codes. Google Authenticator offered no backup at all for years; it now has a manual QR-code transfer between phones and a cloud sync, but the sync ties your tokens to a Google account rather than to a file you control.
No cloud connection: Aegis synchronises nothing automatically to a cloud. You manage the backup. Advantage: no risk of account lockout at a third party. Disadvantage: you are responsible for keeping the backup.
Biometric unlock: Open Aegis with your fingerprint or face recognition. The vault is encrypted at rest with a key derived from your password; biometric unlock adds a second way to release that key through the Android Keystore, so the tokens stay encrypted until you unlock, even if someone has physical access to your phone. Choose a strong vault password regardless: the biometric slot only works on the phone that created it, and the password is all that protects the exported backup file.
Import from Google Authenticator: Aegis can scan QR codes that Google Authenticator exports. Migration takes less than 5 minutes.
Open-source: Full source code available on GitHub. Independently auditable.
Specifications
| Property | Value |
|---|---|
| Platform | Android (also on GrapheneOS) |
| Protocols | TOTP, HOTP, Steam |
| Backup | Encrypted local file (JSON) |
| Biometric | Fingerprint, face recognition |
| Open-source | Yes (GPL-3.0 licence) |
| Cloud sync | No |
| Price | Free |
| Availability | Play Store, F-Droid, GitHub APK |
Comparison with alternatives
| | Aegis | Google Authenticator | Authy | Bitwarden (TOTP) |
|---|---|---|---|---|
| Open-source | ✅ | ❌ | ❌ | ✅ |
| Encrypted backup | ✅ | Limited | ✅ (cloud) | ✅ |
| Cloud-independent | ✅ | No | No | Depends |
| Biometric | ✅ | ✅ | ✅ | ✅ |
| Platform | Android | Android, iOS | Android, iOS | All |
| Free | ✅ | ✅ | ✅ | Premium |
Authy syncs codes to their cloud, which is convenient as a backup, but Twilio (the parent company) has a poor track record: in the 2022 Twilio breach attackers accessed a number of Authy accounts and registered their own devices to them, and in 2024 an unauthenticated API endpoint exposed millions of Authy users' phone numbers. Not recommended for high threat profiles.
Bitwarden TOTP (premium) is convenient if you want everything in one app, but combines password and 2FA in the same vault. If that vault is compromised, you no longer have a real second factor.
Backup strategy
Aegis exports an encrypted JSON file. Recommended approach:
- Export regularly (after every new 2FA addition)
- Store the backup on an encrypted USB drive or on your iStorage drive
- Note the backup password separately from the backup itself
If you lose your phone without a backup, you need access via recovery codes — make sure you keep those too for every service where you enable 2FA.
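The most common backup mistake is copying the wrong file: Aegis can also export an unencrypted JSON, and that file holds every TOTP secret in cleartext. The script below is an added example for this review, not part of Aegis, that checks an export before it goes onto the USB drive. It relies on the vault layout as documented in the Aegis repository (`docs/vault.md`) as I read it: an encrypted export has `header.slots` with a password slot of type 1 carrying scrypt parameters `n`, `r`, `p`, and `db` as a Base64 string; a plaintext export has `header.slots` set to null and `db` as a JSON object whose `entries[].info.secret` are the raw secrets. Treat that layout, the `MIN_SCRYPT_N` threshold and the `inspect_backup` helper as assumptions of this example and check them against the current docs; the three sample exports are constructed placeholders, not real vaults.

```python
"""Check an Aegis export before archiving it: is it encrypted, and can a new phone open it?

Added example for this review, not Aegis code. Vault layout assumed from Aegis docs/vault.md.
"""
import json
from typing import Dict, List

# scrypt work factor Aegis uses for password slots (assumption from the docs); anything lower is flagged
MIN_SCRYPT_N = 32768
PASSWORD_SLOT = 1   # slot type 1 = password slot; a biometric slot (type 2) only works on the origin phone


def inspect_backup(raw: str) -> Dict[str, object]:
    """Return {'encrypted': bool, 'problems': [str], 'exposed_secrets': int} for an export."""
    vault = json.loads(raw)
    problems: List[str] = []
    header = vault.get("header") or {}
    slots = header.get("slots")
    db = vault.get("db")

    # Plaintext export: `db` is a JSON object and the secrets are readable by anyone with the file.
    if isinstance(db, dict) or not slots:
        entries = db.get("entries", []) if isinstance(db, dict) else []
        exposed = sum(1 for e in entries if (e.get("info") or {}).get("secret"))
        problems.append(f"unencrypted export: {exposed} secret(s) in cleartext")
        return {"encrypted": False, "problems": problems, "exposed_secrets": exposed}

    # Encrypted export: a password slot is the only slot usable on a replacement phone.
    password_slots = [s for s in slots if s.get("type") == PASSWORD_SLOT]
    if not password_slots:
        problems.append("no password slot: a new phone cannot unlock this file")
    for slot in password_slots:
        if slot.get("n", 0) < MIN_SCRYPT_N:
            problems.append(f"weak scrypt cost n={slot.get('n')} (expected >= {MIN_SCRYPT_N})")
    if not isinstance(db, str):
        problems.append("db is not a Base64 string: unexpected layout, inspect manually")
    return {"encrypted": True, "problems": problems, "exposed_secrets": 0}


# --- Constructed samples (layout only, placeholder values; not real exports) ---
PLAINTEXT_EXPORT = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {"version": 2, "entries": [
        {"type": "totp", "name": "alice", "issuer": "example.org",
         "info": {"secret": "GEZDGNBVGY3TQOJQ", "algo": "SHA1", "digits": 6, "period": 30}},
    ]},
})

ENCRYPTED_EXPORT = json.dumps({
    "version": 1,
    "header": {
        "slots": [{"type": PASSWORD_SLOT, "uuid": "00000000-0000-0000-0000-000000000000",
                   "key": "00" * 32, "key_params": {"nonce": "00" * 12, "tag": "00" * 16},
                   "n": 32768, "r": 8, "p": 1, "salt": "00" * 32}],
        "params": {"nonce": "00" * 12, "tag": "00" * 16},
    },
    "db": "AAAA",
})

# Same layout, but with a biometric slot only and a weakened password slot cost
WEAK_EXPORT = json.dumps({
    "version": 1,
    "header": {
        "slots": [{"type": PASSWORD_SLOT, "uuid": "11111111-1111-1111-1111-111111111111",
                   "key": "00" * 32, "key_params": {"nonce": "00" * 12, "tag": "00" * 16},
                   "n": 1024, "r": 8, "p": 1, "salt": "00" * 32}],
        "params": {"nonce": "00" * 12, "tag": "00" * 16},
    },
    "db": "AAAA",
})


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, encoding="utf-8").read() if path else ENCRYPTED_EXPORT
    report = inspect_backup(raw)
    print("encrypted:" if report["encrypted"] else "NOT ENCRYPTED:", report["problems"] or "ok")
```

Run it as `python check_export.py aegis-export.json`; a result of `NOT ENCRYPTED` means the file should be shredded and the export repeated with the encrypted option. The script deliberately does not decrypt anything, so it proves the file's structure, not that your noted-down password is right; do that check by importing the file into a fresh Aegis install once before trusting the backup.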
Download
- F-Droid — recommended, no Google dependencies
- Google Play Store
- GitHub APK — direct download
On GrapheneOS
Aegis works fully on GrapheneOS without Google Play Services. Install via F-Droid or direct APK from GitHub. No extra configuration needed.
Conclusion
Aegis is the best TOTP authenticator for Android. Encrypted, open-source, no cloud connection, simple backup. There is no reason to use Google Authenticator or Authy if you’re on Android.
See also:
- Two-factor authentication guide — which services should be prioritised for 2FA
- YubiKey vs Nitrokey review — hardware 2FA for higher threat profiles
- Bitwarden review — password manager used alongside Aegis