Alternative Apps: Aegis Authenticator

An open source Android app for 2FA that works better than its major competitors.

Mason C.B.
6 min read · Dec 8, 2022

For the next entry in my Alternative Apps series, I wanted to focus on an app everyone should have: Aegis Authenticator, a two-factor authentication (2FA) app.


First off: What is 2FA?

I won’t go into the details of why you should be using 2FA, as that has already been covered by many people. However, you really should be using it on any account that allows it. More info below:

Also, if you want to see what sites support 2FA, check out this neat community driven site: https://2fa.directory/us/

I should clarify that this article focuses on a single end user’s experience on a personal device.

Some of these options, such as Duo or the Microsoft Authenticator app, work better in enterprise environments, where managing things at scale outweighs smaller privacy and security concerns.

As always, establish your Threat Model first before making any significant changes in your security posture.

With that said, let me dive into the alternatives I considered before I decided to settle on Aegis Authenticator.

Why Not Google, Microsoft, or Other 2FA Apps?

Probably the single biggest question here is why choose Aegis over one of the major players? I’ll attempt to answer that below.

Google Authenticator

Frankly, you should try to stop using Google services wherever you can. Besides their disregard for user privacy, the app is, objectively, not very good.

It only recently gained the ability to export your keys, and by default it asks for permissions beyond what a code generator needs, such as contacts. (The camera is the one exception: it is legitimately needed to scan the QR codes that carry the secrets, though an app only needs to ask for it at that moment.) Google is also known for shutting down its products, and with the lackluster updates this one gets, it could always be next.

Don’t believe me on their deprecated product lineup? Check this out: https://killedbygoogle.com/


Microsoft Authenticator App

For similar reasons to Google, privacy is always going to be a concern with these larger companies.

However, this app is actually better as far as the UI goes. There is more customization within the app compared to Google Authenticator (detailed comparison here), but is a better UI enough to justify the privacy trade-off?

That’s actually up to you to decide, by the way. I am just here to provide info; you must decide how best to balance usability and privacy in your own life.

As a further note, backups of your 2FA logins are ONLY available via the cloud. You must have a personal Microsoft account to even back things up, which brings in a slew of new privacy concerns, and if you are on Apple, you must have an iCloud account as well.

Personally, that is too much for me to give up but again, the choice is yours.


The Other Authentication Apps

Authy, LastPass, and More

Authy and LastPass are going to be who I pick on first.

Once again, we are trusting our data to a third-party cloud in a closed source program. On top of that, Twilio, the owner of Authy, had a major breach just months ago, and LastPass has had multiple this year alone.

I want to make a quick note that both of these services encrypt your vault on the device with a key derived from a password you choose (Authy’s backups password, LastPass’s master password), so in theory credentials and keys cannot be read from a stolen copy. In practice that guarantee is only as strong as the password and the key-derivation settings behind it.

I applaud any company implementing this into their services (and moving towards a zero-knowledge design), but you do have to wonder at what point an implementation of one of these methods might fail, to the detriment of all its users.

Even with client-side encryption, you are still leaving less sensitive data (name, phone, email, financial info in some cases) exposed to breaches like this.

Even though it wasn’t widespread, 93 Authy accounts actually had devices added to them during the breach. This is a small number, and those users probably had publicly exposed credentials and weak passwords, but the fact remains that it still happened.

As a final note, you usually have to sign up with a phone number or an email address on these as well.

Perhaps not the biggest deal in the grand scheme of things but if there is an Alternative App with the same/better feature set that doesn’t need any personal info, why not give it a shot?

Aegis Authenticator

The easiest way to start is to quote the same thing they promote on their very own home page:

Aegis is an alternative to proprietary two factor authentication apps like Google Authenticator and Authy. Its most important features are security and backups.

And to see the open source nature of the application for yourself, check out their GitHub: https://github.com/beemdevelopment/Aegis

GUI

The interface feels cleaner than the others I have used.

Everything is in a nice compact list with clear timers for when codes expire/change. It has integrated dark and light modes (as every app these days should). It also supports tapping an entry to copy its code, which, combined with the minimize-on-copy feature, lets you copy and return to the previous app immediately once you have your code.

It is these small enhancements that drive home my daily use of the app. A single second gained, multiple times a day, adds up over many years.

It also supports icon packs to keep a theme going across your entire vault, which is a nice bonus feature for those of us that like continuity.

No, these aren’t my accounts or codes so don’t try to be sneaky.

Support

Most of this is covered in the GitHub, but with this being an open source project, many people are constantly updating it. It also has a dedicated FAQ, and if you so desire, you can contribute your own changes as well.

Security & Backups

Again, another reason I chose this app, but they do a much better job of explaining it than I can. In short, the vault contents are encrypted with AES-256-GCM under a random master key, and that master key is in turn stored in one or more "slots", each wrapped with a key derived from your password via scrypt or held in the Android Keystore for biometric unlock. The full design is documented here: https://github.com/beemdevelopment/Aegis/blob/master/docs/vault.md

As far as backups go, I just enjoy having the freedom to decide how, when, and where my backups go. Encrypted in a self-hosted cloud? Done. Plain text exported to my PC? Sure. Just remember that a plain text export holds every TOTP secret in the clear: anyone who can read that file can generate your codes, so treat it like a password database.
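To make the plain text export point concrete, here is an added example (my own code, not Aegis’s and not from the original post) that reads a file in the shape of an unencrypted Aegis export and generates the RFC 6238 codes from it. The JSON layout and the sample entry are assumptions constructed for this example; the secret is the RFC 6238 reference key, so the output can be checked against the RFC’s test vectors, and an encrypted vault (one with key slots in its header) is refused rather than misread.

```python
"""Read an Aegis plaintext export and generate its TOTP codes (RFC 6238)."""
import base64
import hmac
import json
import struct
import time

# Constructed sample in the shape of an Aegis "Export (plain text)" JSON
# file (assumption: this mirrors the layout of a real export; the values
# are made up). header.slots/params are null because nothing is encrypted,
# and db is a plain object instead of a base64 ciphertext. The secret is the
# RFC 6238 reference key "12345678901234567890" in base32, not a real account.
SAMPLE_EXPORT = json.dumps({
    "version": 1,
    "header": {"slots": None, "params": None},
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "00000000-0000-4000-8000-000000000001",
                "name": "alice@example.org",
                "issuer": "Example",
                "note": "",
                "icon": None,
                "info": {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                         "algo": "SHA1", "digits": 6, "period": 30},
            }
        ],
    },
})


def is_encrypted(export_json: str) -> bool:
    """An encrypted vault carries key slots in its header; a plain export has none."""
    header = json.loads(export_json).get("header", {})
    return header.get("slots") is not None


def load_entries(export_json: str) -> list:
    """Return the entry list, refusing encrypted vaults (unlock those in Aegis first)."""
    if is_encrypted(export_json):
        raise ValueError("encrypted vault: this reads plain text exports only")
    return json.loads(export_json)["db"]["entries"]


def hotp(secret_b32: str, counter: int, algo: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # exports may omit padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), algo.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(info: dict, now: int) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of elapsed periods."""
    return hotp(info["secret"], now // info["period"], info["algo"], info["digits"])


def codes_for_export(export_json: str, now: int) -> dict:
    """Map 'issuer:name' to the current code for every TOTP entry in the export."""
    return {
        f'{e["issuer"]}:{e["name"]}': totp(e["info"], now)
        for e in load_entries(export_json)
        if e["type"] == "totp"
    }


if __name__ == "__main__":
    # Run against the sample; feed it a real export and it becomes obvious why
    # that file must be protected: whoever can read it can mint every code.
    for label, code in codes_for_export(SAMPLE_EXPORT, int(time.time())).items():
        print(label, code)
```

The script only needs the Python standard library. Steam and HOTP entries are skipped deliberately, since they use a different alphabet and a counter rather than the clock; the point is that nothing beyond the exported secret, the algorithm, the digit count and the period is required to reproduce a code.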

Honorable Mentions

These are ones that I either haven’t been able to fully test yet but have heard good things about, or ones that I have a somewhat rational reason for not using.

Bitwarden

On top of being a password manager, it also manages 2FA. The only reason that I do not use it is because I did not want to manage passwords with it AND keep my 2FA codes there. I wanted them separate and in differing formats (cloud passwords + local 2FA).

Learn more about their implementation here: https://bitwarden.com/help/authenticator-keys/

Raivo for iOS

First of all, it’s open source: https://github.com/raivo-otp/ios-application

Now, it doesn’t have quite the same level of support that Aegis does, but it is still actively updated and used and has many of the same features Aegis has… but for iOS. Frankly, this is what I would probably use if I were on an Apple device.

Conclusion

Hopefully, I have swayed you to at least check out a 2FA app. Any of these apps beats not having 2FA at all, but if you are looking for something a bit more privacy focused that is just as good as the popular ones, perhaps I convinced you to join team Aegis.

Either way, I hope you enjoyed this entry into Alternative Apps. If you like this format, consider checking out my previous post in this series below.

As always, thanks for reading and see you here next week.

-Mason C.B.

Mason C.B.

DevSecOps / Creative Hobbyist. Just trying to be all that I can.