The Hard Truth About 2FA Apps
Most authenticator apps are unnecessary privacy risks. Google Authenticator's cloud sync stores your TOTP secrets in your Google account without end-to-end encryption. Microsoft Authenticator collects telemetry. Twilio, Authy's owner, confirmed in 2024 that attackers pulled 33 million Authy phone numbers through an unauthenticated API endpoint. You're adding security while subtracting privacy.
Use open-source alternatives. Your second factor shouldn't be a surveillance tool.
Quick Comparison Table
| App | Open Source | Platforms | Cloud Backup | Best For |
|---|---|---|---|---|
| Aegis | Yes | Android only | Local only | Privacy-focused Android users |
| Ente Auth | Yes | All platforms | E2E encrypted | Cross-platform with privacy |
| 2FAS | Yes | iOS, Android | iCloud/Google Drive (not E2E) | Simple, clean interface |
| Authy | No | All platforms | Twilio cloud | Multi-device convenience |
| YubiKey | Partial (app open, firmware closed) | Hardware key + desktop/mobile app | None (secrets stay on the key) | Highest-value accounts |
Our Recommendations
For Android Users
Aegis Authenticator: Best-in-class privacy. Open-source, encrypted vault, no cloud, no account required. Export backups yourself.
For Cross-Platform
Ente Auth: Open-source with E2E encrypted cloud sync. Works on Android, iOS, Windows, Mac, Linux, and web.
For High-Security Accounts
YubiKey + Yubico Authenticator: TOTP secrets stored on the hardware key, so malware on your phone or PC can't copy them. The codes themselves are still phishable; phishing resistance comes from the key's FIDO2/WebAuthn mode, so use that wherever a service offers it. Use for crypto exchanges, primary email, banking.
For iOS Simplicity
2FAS: Clean interface, open-source, browser extensions. iCloud backup (not end-to-end encrypted, so Apple holds the keys).
Aegis Authenticator: The Gold Standard
Best for: Android users who want maximum privacy and control.
Aegis is what every authenticator should be. Open-source. No cloud. No account. No telemetry. Your TOTP secrets stay on your device in a vault encrypted with AES-256-GCM under a key derived (with scrypt) from a password you choose.
Why Aegis Wins
- True local storage: Secrets never leave your device unless you export them
- Encrypted vault: Password or biometric lock with strong encryption
- Fully open-source: Auditable code, no hidden data collection
- No account required: Install and use immediately
- Import/export: Migrate from Google Authenticator, Authy, and others
- Automatic backups: Encrypted exports to storage you control
The Limitations
- Android only: No iOS, no desktop
- Manual backup management: You're responsible for storing your encrypted exports
- No sync: A second device needs its own copy of the vault, imported from one of your exports
Who Should Use Aegis
Android users who don't need cross-device sync and want their TOTP secrets stored locally. If you're comfortable managing your own backups, this is the most private option.
Download Aegis (free on F-Droid and Google Play)
Ente Auth: Open-Source Cloud Sync Done Right
Best for: Users who need cross-platform access with end-to-end encrypted backup.
Ente Auth solves the backup problem without sacrificing privacy. It's from the same team behind Ente Photos, an encrypted Google Photos alternative. Your TOTP secrets sync to their cloud, but they're end-to-end encrypted. Ente can't read them.
Why Ente Auth Works
- End-to-end encrypted: Secrets encrypted before upload; Ente can't access them
- Cross-platform: Android, iOS, Windows, Mac, Linux, web
- Fully open-source: Code audited by Cure53, Symbolic Software, and Fallible
- Free forever: No paid tier required for authenticator
- Offline generation: Works without internet after initial sync
- Multi-device sync: Add a code on your phone, see it on your laptop
The Trade-offs
- Requires account: Need to create an Ente account for sync
- Trust the encryption: You're trusting their E2E implementation (audited, but still trust)
- Newer app: Less track record than Authy or Aegis
Who Should Use Ente Auth
Anyone who needs TOTP codes on multiple devices and wants privacy. If you lose your phone and your only Aegis backup was on it, recovery means re-enrolling every account. With Ente Auth, log in on a new device and your codes are there, still encrypted.
Download Ente Auth (free)
2FAS: Simple and Open-Source
Best for: iOS users wanting an open-source option with a clean interface.
2FAS is straightforward. No account required. Open-source. Clean design. Browser extensions for one-tap authentication. It backs up to iCloud (iOS) or Google Drive (Android); those backups are not end-to-end encrypted, so Apple or Google holds the keys.
Strengths
- Open-source: Community-driven development
- No account needed: Use immediately without sign-up
- Browser extensions: One-tap autofill for codes
- Clean interface: Easy to navigate, well-designed
- Free: No paid features
Weaknesses
- No desktop app: Mobile only (browser extensions help)
- Cloud backup not E2E: Apple or Google can technically read your secrets
- Limited features: Basic TOTP only
Who Should Use 2FAS
iOS users who want open-source simplicity. It's more trustworthy than Google Authenticator, easier than Ente Auth setup, and has a better interface than most alternatives.
Download 2FAS (free)
Authy: The Convenient Compromise
Best for: Users who prioritize convenience over privacy.
Authy was the gold standard for multi-device sync before better options existed. It's owned by Twilio, closed-source, and had a data breach in 2024 that exposed 33 million phone numbers. It works well, but you're trusting a company with your 2FA secrets.
The Good
- Multi-device sync: Works on phone, tablet, desktop
- Encrypted backups: Protected with a password you set
- Recovery possible: Lost your phone? Restore on a new device
- Established: Years of operation, widely supported
The Problems
- Closed-source: Can't verify what the app actually does
- Twilio breach (July 2024): attackers enumerated 33 million Authy phone numbers through an unauthenticated Authy API endpoint, a ready-made target list for phishing and SIM-swap attempts
- Phone number required: Must link to your number for recovery
- Corporate ownership: Twilio's incentives may not align with yours
Who Should Use Authy
If you're already using Authy and it works, you don't need to panic. But if you're choosing a new authenticator, Ente Auth offers the same convenience with better privacy. Consider migrating.
YubiKey: Hardware Security
Best for: High-security accounts where phishing resistance matters.
YubiKeys are physical security keys. For TOTP, use Yubico Authenticator: the secrets live on the key itself, not on your phone or computer, and the app only asks the key to compute the current code. Without the key plugged in or tapped over NFC, there are no codes.
Why Hardware Keys Are Different
- Phishing-resistant: For FIDO2/WebAuthn, the key verifies you're on the real site
- TOTP on hardware: Secrets stored on key, not phone (using Yubico Authenticator)
- Physical requirement: Must have the key to authenticate
- No remote extraction: Malware can't read the secret off a separate device (it can still ask the key for a code while the key is connected, so the key doesn't replace a clean machine)
The Downsides
- Cost: $50+ per key, and you need a backup
- Must carry it: Forget your key, can't log in
- Closed firmware: YubiKey firmware isn't open-source, and it can't be updated either (a firmware bug means replacing the key)
- Loss = lockout: Without backup key or codes, you're stuck
Our Recommendation
Use YubiKey for your highest-value accounts: cryptocurrency exchanges, primary email, banking. Pair with a TOTP app for everything else. Always have two keys, one as backup stored securely.
YubiKey website ($50+)
Apps to Avoid
Google Authenticator
Google Authenticator added cloud sync in 2023. It's optional, but once enabled your TOTP secrets are stored in your Google account without end-to-end encryption, so Google can read them, including which services you have enrolled. For a company whose business model is surveillance, don't give them your security data.
Microsoft Authenticator
Collects telemetry. Closed-source. Designed to push you toward Microsoft accounts. The "enterprise features" mean IT departments can manage your authenticator remotely. Fine for corporate use; bad for personal privacy.
LastPass Authenticator
LastPass had multiple security breaches, including one in 2022 that exposed encrypted password vaults. Their authenticator shares infrastructure with their compromised password manager. Don't.
How TOTP Actually Works
Understanding the mechanism helps you make better decisions:
- Setup: Service generates a secret key, shares it with your app via QR code
- Storage: Your app stores the secret key locally (or in cloud, depending on app)
- Generation: Every 30 seconds, the app computes HMAC-SHA1(secret, floor(unix_time / 30)) and truncates the result to a 6-digit code
- Verification: Service does the same calculation (usually also accepting the previous and next 30-second step, to tolerate clock drift) and checks if the codes match
The secret key is the sensitive part. Whoever has it can generate valid codes. This is why local storage (Aegis) or end-to-end encryption (Ente Auth) matters, you're protecting that secret.
TOTP vs. Passkeys/FIDO2
TOTP has a weakness: you can be phished. A fake login page can capture your password AND your TOTP code, then use them before they expire.
Passkeys and FIDO2 fix this. The browser writes the site's real origin into the signed data and the authenticator only answers for the domain a credential was registered under, so a fake site can't obtain a signature the real site will accept.
| Feature | TOTP Apps | Passkeys/FIDO2 |
|---|---|---|
| Phishing-resistant | No | Yes |
| Wide support | Excellent | Growing |
| Hardware required | No | Sometimes |
| Recovery options | Backup codes, re-enroll | Register a backup key, or rely on platform sync |
| Best for | Most accounts | High-value accounts |
Use passkeys/FIDO2 where available (Google, Apple, Microsoft, GitHub). Use TOTP for everything else.
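The origin binding that makes FIDO2 phishing-resistant, as an added example that is not part of the original article: a relying party's checks on a WebAuthn assertion, run against constructed messages. `RP_ID`, the allowed origins and `simulate_browser_assertion` (a stand-in for the browser and authenticator) are assumptions made for the demo. The check on the signature over `authenticatorData || SHA-256(clientDataJSON)`, which needs the credential's public key and an ECDSA/EdDSA library, is the step that stops an attacker from simply editing the origin field; it is named in a comment but not implemented here.

```python
"""Relying-party checks that bind a FIDO2/WebAuthn login to the real site.
Added example on constructed messages; RP_ID, the origins and the simulated
browser are assumptions. Signature verification is not implemented here."""
import base64
import hashlib
import json
import secrets
from typing import Tuple

RP_ID = "example.com"                                           # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def simulate_browser_assertion(origin: str, rp_id: str, challenge: bytes,
                               user_present: bool = True) -> Tuple[bytes, bytes]:
    """Stand-in for browser + authenticator (assumption for this demo).
    The browser itself writes the page's real origin into clientDataJSON; page
    JavaScript cannot change it. The authenticator puts SHA-256(rpId) into the first
    32 bytes of authenticatorData, then a flags byte and a 4-byte signature counter,
    and only uses a credential for the rpId it was registered under."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    flags = 0x01 if user_present else 0x00                      # bit 0 = user presence (UP)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (0).to_bytes(4, "big"))
    return client_data, auth_data


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> Tuple[bool, str]:
    """The parts of WebAuthn assertion verification that tie the login to this site.
    After these pass, the signature over authenticatorData || SHA-256(clientDataJSON)
    must be verified with the stored credential public key (not shown); that signature
    is what prevents an attacker from rewriting the origin or rpIdHash fields."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this site"   # the phishing case
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential belongs to another site"
    if not flags & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)             # one fresh challenge per login attempt
    print(check_assertion(*simulate_browser_assertion("https://example.com", RP_ID, challenge), challenge))
    # A phishing page on a look-alike domain relaying what its victim's browser produced:
    print(check_assertion(*simulate_browser_assertion("https://examp1e.com", "examp1e.com", challenge), challenge))
```

Compare this with `verify_totp()` in the earlier example: a TOTP check has no field that says where the user typed the code, so a relayed code verifies fine. Here the origin arrives inside the signed data, and a look-alike domain is rejected before the signature is even examined.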
Best Practices
Always Save Backup Codes
When setting up 2FA, save the backup/recovery codes. Store them securely (in your password manager, an encrypted file, or printed and kept in a safe). These are your lifeline if you lose access.
Use Two YubiKeys
If using hardware keys, always have a backup key enrolled. Store the backup separately. One key lost shouldn't mean account lockout.
Export Aegis Regularly
If using Aegis, turn on automatic encrypted backups and copy the export files somewhere that survives the loss of your phone: encrypted cloud storage, an external drive, wherever you'll still have them. Do a test restore once so you know the password and the file actually work.
Don't Use SMS 2FA
SMS is vulnerable to SIM swapping, SS7 attacks, and carrier breaches. Use app-based or hardware 2FA. SMS is better than nothing, but barely.
Migration Guide
From Google Authenticator to Aegis/Ente Auth
- In Google Authenticator, tap menu → Transfer accounts → Export accounts
- Screenshot or save the QR code (securely; it encodes every exported secret in the clear, so treat the image like a password and delete it afterwards)
- In Aegis (Import → Google Authenticator) or Ente Auth, scan or import that QR code
- Verify the codes work before removing the accounts from Google Authenticator
- Delete the export QR screenshot
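What that export QR code actually contains, as an added example (not Google's or Aegis's code): it is an `otpauth-migration://offline?data=...` URI whose `data` is a base64-encoded protobuf message listing every account with its raw secret. The decoder below walks that message with a minimal protobuf reader and turns each entry back into a standard `otpauth://` URI; the field numbers and enum values are the widely documented layout of Google's payload and are assumed here. `build_migration_uri` is included only to construct a sample payload offline, and the accounts in it are made up.

```python
"""Decode the otpauth-migration:// URI behind Google Authenticator's export QR code.
Added example; field layout assumed from the widely documented payload format, and
build_migration_uri exists only to construct sample input for the demo."""
import base64
from urllib.parse import parse_qs, quote, urlencode, urlparse

ALGORITHMS = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}   # OtpParameters.algorithm
DIGIT_COUNTS = {1: 6, 2: 8}                                      # OtpParameters.digits
OTP_TYPES = {1: "hotp", 2: "totp"}                               # OtpParameters.type


def _read_varint(buf: bytes, i: int):
    value, shift = 0, 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7


def _parse_message(buf: bytes):
    """Minimal protobuf wire-format walk: returns (field_number, value) pairs.
    Only varint (wire type 0) and length-delimited (wire type 2) fields occur here."""
    fields, i = [], 0
    while i < len(buf):
        tag, i = _read_varint(buf, i)
        field, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:
            value, i = _read_varint(buf, i)
        elif wire_type == 2:
            length, i = _read_varint(buf, i)
            value, i = buf[i:i + length], i + length
        else:
            raise ValueError(f"unexpected wire type {wire_type} for field {field}")
        fields.append((field, value))
    return fields


def decode_migration_uri(uri: str) -> list:
    """Return one otpauth:// URI per account in the migration payload."""
    u = urlparse(uri)
    if u.scheme != "otpauth-migration" or u.netloc != "offline":
        raise ValueError("not an otpauth-migration://offline URI")
    data = parse_qs(u.query)["data"][0].replace(" ", "+")   # undo '+' -> ' ' if it was not %-encoded
    payload = base64.b64decode(data + "=" * (-len(data) % 4))
    uris = []
    for field, value in _parse_message(payload):
        if field != 1:              # fields 2..5 are version / batch_size / batch_index / batch_id
            continue
        p = dict(_parse_message(value))
        otp_type = OTP_TYPES.get(p.get(6, 0), "totp")
        name = p.get(2, b"").decode()
        issuer = p.get(3, b"").decode()
        params = {"secret": base64.b32encode(p[1]).decode().rstrip("=")}   # raw secret, base32
        if issuer:
            params["issuer"] = issuer
        params["algorithm"] = ALGORITHMS.get(p.get(4, 0), "SHA1")
        params["digits"] = DIGIT_COUNTS.get(p.get(5, 0), 6)
        if otp_type == "hotp":
            params["counter"] = p.get(7, 0)
        label = f"{issuer}:{name}" if issuer and not name.startswith(issuer + ":") else name
        uris.append(f"otpauth://{otp_type}/{quote(label)}?{urlencode(params)}")
    return uris


# --- encoder, used only to build a constructed sample payload for the demo below ---
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _field(number: int, value) -> bytes:
    if isinstance(value, int):
        return _varint(number << 3) + _varint(value)
    return _varint((number << 3) | 2) + _varint(len(value)) + value


def build_migration_uri(entries: list) -> str:
    body = b""
    for e in entries:
        otp = (_field(1, e["secret"]) + _field(2, e["name"].encode()) + _field(3, e["issuer"].encode())
               + _field(4, e.get("algorithm", 1)) + _field(5, e.get("digits", 1)) + _field(6, e.get("type", 2)))
        if e.get("type", 2) == 1:
            otp += _field(7, e.get("counter", 0))
        body += _field(1, otp)
    body += _field(2, 1) + _field(3, 1) + _field(4, 0)           # version, batch_size, batch_index
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(body).decode(), safe="")


if __name__ == "__main__":
    sample = build_migration_uri([{"secret": b"12345678901234567890",    # constructed account
                                   "name": "alice@example.com", "issuer": "Example"}])
    for line in decode_migration_uri(sample):
        print(line)     # the secret comes out in the clear: treat this output like a password
```

Nothing in the payload is encrypted or signed: a screenshot of the QR code, or a photo of your screen, is a complete copy of every exported secret, which is why the steps above tell you to delete the image once the import is verified.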
From Authy
Authy provides no export (intentionally). You'll need to re-enroll each service: disable 2FA in the account's security settings, re-enable it while scanning the new QR code with your new app, and save the fresh backup codes. Annoying but necessary for privacy.
Summary
Quick Decision Guide
- Android + maximum privacy? → Aegis
- Need cross-platform sync? → Ente Auth
- iOS + simple? → 2FAS
- Highest security accounts? → YubiKey
- Already on Authy? → Consider migrating to Ente Auth
Any of the open-source options is better than Google Authenticator or no 2FA at all. Pick one, use it everywhere, and keep your backups secure.
References
- Aegis Authenticator - Official Site
- Ente Auth - Open source 2FA with E2EE backups
- 2FAS - Open source authenticator
- Privacy Guides - Multi-Factor Authentication
- Best Authenticator Apps/Keys for MFA - Avoid The Hack
- YubiKey - Hardware Security Keys
- Best 2FA Apps 2025 - Kripesh Adwani
Related Articles
- Passkeys vs FIDO2 vs Traditional 2FA. Beyond TOTP: phishing-resistant authentication
- Two-Factor Authentication Guide. Why 2FA matters and how to set it up
- Password Manager Comparison. Secure your passwords before securing your second factor
- Hardware Security Keys Comparison. YubiKey vs Nitrokey vs OnlyKey
- Browser Fingerprinting. Another way you're tracked even with good security