Aegis Authenticator review — open-source 2FA for Android
Who is this for? Android users who want a better 2FA app than Google Authenticator or Authy — open-source, encrypted backup, no cloud connection. See the [2FA guide](/en/guides/two-factor-authentication-guide/) for context on which method fits your situation.
Aegis is an open-source authenticator app for Android supporting TOTP and HOTP. Encrypted local storage, biometric unlock, no account required, no cloud connection. The default choice for anyone wanting to replace the 2FA codes of Google Authenticator or Authy.
Why 2FA at all?
Two-factor authentication adds a second security layer alongside your password. Even if an attacker knows your password, they also need access to your second factor. TOTP (Time-based One-Time Password) generates a new six-digit code on your device every 30 seconds — without an internet connection.
What Aegis does better than alternatives
Encrypted backup: Aegis can export your vault encrypted and also supports automatic backups to a location you choose. You pick the vault password yourself. If your phone breaks, import the backup on a new device and immediately regain access to your codes. Google Authenticator has improved, but remains much more tied to a Google account.
No cloud connection: Aegis synchronises nothing automatically to a cloud. You manage the backup. Advantage: no risk of account lockout at a third party. Disadvantage: you are responsible for keeping the backup.
Biometric unlock: Open Aegis with your fingerprint or face recognition. The tokens are encrypted until you unlock — even if someone has physical access to your phone.
Import from other authenticators: Aegis supports imports from Google Authenticator, Authy, Microsoft Authenticator, FreeOTP and other apps. Migration usually only takes a few minutes.
Open-source: Full source code available on GitHub. Independently auditable.
Specifications
| Property | Value |
|---|---|
| Platform | Android (also on GrapheneOS) |
| Protocols | TOTP, HOTP |
| Backup | Encrypted or plaintext export, plus automatic backups |
| Biometric | Fingerprint, face recognition |
| Open-source | Yes (GPLv3) |
| Cloud sync | No |
| Price | Free |
| Availability | Play Store, F-Droid, GitHub APK |
Comparison with alternatives
| | Aegis | Google Authenticator | Authy | Bitwarden (TOTP) |
|---|---|---|---|---|
| Open-source | Yes | No | No | Yes |
| Encrypted backup | Yes | Limited | Yes (cloud) | Yes |
| Cloud-independent | Yes | No | No | Depends |
| Biometric | Yes | Yes | Yes | Yes |
| Platform | Android | Android, iOS | Android, iOS | All |
| Free | Yes | Yes | Yes | Premium |
Authy syncs codes to the cloud. That is convenient as a fallback, but less attractive for higher-risk profiles that want no cloud link. The more relevant current trust issue, though, is the 2024 exposure of phone-number data tied to Authy accounts.
Bitwarden TOTP (premium) is convenient if you want everything in one app, but combines password and 2FA in the same vault. If that vault is compromised, you no longer have a real second factor.
Backup strategy
Aegis exports an encrypted JSON file. Recommended approach:
- Export regularly (after every new 2FA addition)
- Store the backup on an encrypted USB drive or in your iStorage drive
- Note the backup password separately from the backup itself
If you lose your phone without a backup, you need access via recovery codes — make sure you keep those too for every service where you enable 2FA.
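Because Aegis offers both encrypted and plaintext export, it is worth confirming which one you produced before copying the file to a drive. The check below is an added example, not part of Aegis or the original page; it assumes the vault layout as I understand it from Aegis's vault documentation (top-level `header` and `db`, with `db` a base64 string when encrypted and a JSON object when plaintext), and `classify_export` and both samples are constructed for illustration.

```python
import base64
import binascii
import json


def classify_export(text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'invalid' for an exported vault."""
    try:
        vault = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(vault, dict) or not isinstance(vault.get("header"), dict):
        return "invalid"
    header, db = vault["header"], vault.get("db")
    if isinstance(db, dict):
        # Entries are stored as readable JSON: anyone holding the file
        # can read every TOTP secret in it.
        return "plaintext"
    if isinstance(db, str) and db and header.get("slots") and header.get("params"):
        try:
            base64.b64decode(db, validate=True)
        except binascii.Error:
            return "invalid"
        return "encrypted"
    return "invalid"


# Constructed samples (assumed field layout, no real vault data).
ENCRYPTED_SAMPLE = json.dumps({
    "version": 1,
    "header": {"slots": [{"type": 1, "uuid": "constructed"}],
               "params": {"nonce": "00" * 12, "tag": "00" * 16}},
    "db": base64.b64encode(b"constructed ciphertext").decode(),
})
PLAINTEXT_SAMPLE = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {"entries": []},
})

if __name__ == "__main__":
    for name, sample in [("encrypted", ENCRYPTED_SAMPLE),
                         ("plaintext", PLAINTEXT_SAMPLE)]:
        print(name, "->", classify_export(sample))
```

This only distinguishes the two export shapes; it does not prove the password is strong or that the file decrypts, so a test import on a spare device remains the real restore check.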
Caveats
Android only: Aegis is the best TOTP app in this lane, but only if you are already on Android. If you need the same setup across Android and iPhone, this is not that product.
Backup discipline is non-optional: The whole privacy advantage of no cloud dependency also means there is no safety net. If you do not export and protect backups consistently, you are trading convenience away without actually reducing your risk.
TOTP is not the top tier for every account: Aegis is excellent for TOTP, but high-value accounts should still move to hardware keys where supported. This is the best software authenticator in its category, not the end of the 2FA story.
Download
- F-Droid — recommended, no Google dependencies
- Google Play Store
- GitHub APK — direct download
On GrapheneOS
Aegis works fully on GrapheneOS without Google Play Services. Install via F-Droid or direct APK from GitHub. No extra configuration needed.
Pros and cons
Pros
- Encrypted local backup with a password you choose — no cloud connection required
- No cloud connection or account required — no risk of third-party lockout
- Biometric unlock (fingerprint or face recognition) with tokens encrypted until unlock
- Imports from multiple authenticator apps in minutes
- Available on F-Droid — no Google dependencies, works fully on GrapheneOS
Cons
- Android only — no iOS version
- You are responsible for keeping the backup safe; losing both phone and backup means losing 2FA access
- No automatic sync — manual export required after every new 2FA addition
Conclusion
Aegis is the best TOTP authenticator for Android. Encrypted, open-source, no cloud connection, simple backup. There is no reason to use Google Authenticator or Authy if you’re on Android.
Next step
Choose this if…
Choose Aegis if you are on Android and want an encrypted, offline 2FA app with no cloud connection.
- Two-factor authentication guide — which services to prioritise for 2FA and how to set them up
Already have this?
Export your vault after every new 2FA addition and store the backup separately from your phone. Keep your backup password in a different place from the backup itself.
- Bitwarden review — password manager used alongside Aegis
Want to go further?
- YubiKey vs Nitrokey review — hardware 2FA for higher profiles