this post was submitted on 29 Aug 2023
87 points (95.8% liked)

Open Source

31404 readers
73 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Hey y'all!

I've been using Authy for some time now (switched from Google Authenticator) but an increasing amount of people is suggesting Aegis over Authy in some posts here at Lemmy and that got me curious.

Was wondering what would be the main selling points for one to use Aegis instead of Authy, can somebody help out?

Thanks in advance!

top 50 comments
sorted by: hot top controversial new old
[–] ultra@kbin.social 71 points 1 year ago* (last edited 1 year ago) (2 children)

This is an easy one.

The entire privacy policy of Aegis:

Aegis Authenticator does not collect any data from your device.

  • Camera access is only used for scanning QR codes.

If you believe this policy has been violated, please let us know.

Relevant parts of Authy's privacy policy:

We use that phone number to identify you, to provide you 2FA services, and to maintain logs for security and anti-fraud purposes.

We may also send notices about Twilio products or events to you, but you may click on the unsubscribe link that will appear at the bottom of any of our marketing emails or you can contact customer support to opt out.

Device Information. When you download and open the Authy desktop or mobile app, we automatically collect information about the type of device you have downloaded the app on and your device identifier.

Login History and Authy Account History. When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that.

Geolocation information. If you have location services turned on, we collect your location based on your IP address.

How we share personal data. In general, Authy shares personal data in the same way Twilio does (see How Twilio shares personal data for more).

From "How Twilio shares personal data": However, we do need to share it in some circumstances. These may be to provide you services (e.g., to route a call or send an email), or when necessary for our suppliers to provide services to us, or for another reason listed here, or share personal data for cross-context behavioral advertising.

However, Authy users should be aware that an application that integrates with the Authy 2-Factor API can access your phone number, email address, and user name. It will also be able to access your primary device type and information associated with your login activity to that application. It may also retain this information on its own servers. We may also share other information related to your account with that application to help them and us detect suspicious or fraudulent activity on your account.

[–] MXX53@programming.dev 12 points 1 year ago

This might be the strongest argument I have seen. Thank you!

[–] Kelho@lemmy.ml 2 points 1 year ago

Thanks, that ToS from Authy regarding personal data is scary

[–] clmbmb@lemmy.dbzer0.com 40 points 1 year ago (1 children)

The main point is that Authy is a company that hosts your data on their cloud and you can't know what they do with it. Aegis is local, but has the ability to create scheduled backups, which then you can sync to your own server or just copy it in different locations for safety.

[–] miss_brainfart@lemmy.ml 21 points 1 year ago

2FA not being 100% local and offline kinda defeats the point for me. I want potential attackers to need physical access to my device if they intend to get into my accounts.

[–] MangoPenguin@lemmy.blahaj.zone 16 points 1 year ago (1 children)

Authy locks you in and intentionally makes it very hard to export keys. I made the mistake of using it once years ago and it was annoying to get out of it.

[–] Swarfega@lemm.ee 2 points 1 year ago

If you haven't already you can delete your Authy account. You have to contact support and it takes a few days to complete but at least then you know you're not leaving anything behind.

[–] faintwhenfree@lemmus.org 14 points 1 year ago (1 children)

Aegis works the best for me, it is specifically for power users because it allows sharing of the seed phrase quite easily. So may not be for users who don't understand that part. But for me has been a godsend. I am trying to get my parents on a better 2fa standards. And it works because I scan and setup 2fa first on aegis and then share it to their authy. They find authy useful and I'm not worried about them accidently sharing seed phrase.

For backups, aegis does automatic backups to local storage and next cloud syncs it to my cloud. It is encrypted so you can use something like foldersync to sync it your gdrive or mega or something like that.

Aegis is not multi platform, but I honestly don't care, in my opinion it's better to have aegis on my phone and when I need to login from a desktop, looking up the code in phone is a separate device factor which adds on to the security. Meaning if somebody knew my passwords and stole my laptop, they'll still have to steal my phone to access 2fa. Different story if they steal my phone though.

[–] AAR@rdr.lol 8 points 1 year ago

There are desktop apps that can import the Aegis backup file to display the 2FA codes on Debian I'm using Authenticator

[–] cybertario@lemmy.ml 12 points 1 year ago* (last edited 1 year ago) (1 children)

Aegis may import and export seed with easy. I switch from Authy to Aegis just for this. It also have automatic backups. Authy only selling point was the sync function and maybe the bad desktop app. Now I had a double backup, the native function, and a synced keepassxc file with all the Aegis OTP exported for desktop use. KeepassXC support OTP export with QR so I can create there and export to Aegis if I want. Best solution ever.

[–] vomitaur@links.hackliberty.org 5 points 1 year ago (1 children)

how did you get your keys out of authy?

[–] cybertario@lemmy.ml 3 points 1 year ago

I didn't, slowly change every service from authy to aegis. 😅🤷‍♂️

[–] maniel@lemmy.ml 7 points 1 year ago* (last edited 1 year ago) (1 children)

what works for others doesn't have to work for you, they suggest aegis because its open source and authy is not, on the other hand authy is multi-platoform and has builtin synchronization between devices, so there's the thing: you can rely on third party for backup in authy or back it up manually but where? some third party again? for me personally moving to aegis just because it's open source is a bit of a PITA, and minus being open-source, aegis is inferior IMO, no multi-platform sync, you don't have to take out your distraction device to input an OTP, there's a standalone PC app or browser addons

[–] eager_eagle@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

After having issues moving away from Google Authenticator, portability became one of the requirements I was looking for in an MFA tool; that immediately discarded Authy to me.

I don't have sync using Aegis, but I know my codes are backed up to at least 3 different locations I control, and I can either set up a new device when I need, or ditch Aegis altogether if they start making stupid choices.

[–] maniel@lemmy.ml 2 points 1 year ago* (last edited 1 year ago) (3 children)

ditch Aegis altogether if they start making stupid choices.

do you mean you can migrate directly from aegis to another app? for me it's a flaw, that way your OTPs are less secure, Authy distinctly states it has no such feature because of security, many other apps don't have export feature because of that yet Aegis developers boast about it

[–] eager_eagle@lemmy.world 5 points 1 year ago* (last edited 1 year ago)

that way your OTPs are less secure

Aegis backups are encrypted. One could argue that storing OTP seeds in someone else's server is even less secure, which is what Authy does.

because of security

Yeah, I read that too when choosing OTP managers and I'm not convinced. These security reasons they give to practice vendor lock-in just sound very convenient to them. They could very well add a secure bidirectional data import/export functionality like Aegis does. If they are really concerned about account takeover, they can confirm user identity, add delays with notifications before exporting, or add any similar bureaucracy. But if password managers allow exporting entire vaults, an MFA app can allow the same for OTPs.

And I insist on this feature because manually resetting over 40+ MFA codes that I have because there is no export feature is a REAL PITA.

[–] rufus@discuss.tchncs.de 2 points 1 year ago* (last edited 1 year ago)

Aegis lets you choose if you want your keys exported/backed up/included in the android backup. You have to setup a password to encrypt the storage and it came with every backup option disabled when I installed it. So should be safe.

Authy also has the option to backup to cloud. So you probably need to use Google Authenticator if you want to be locked out of your accounts in case you lose your phone.

[–] clb92@feddit.dk 2 points 1 year ago

I'd guess that it doesn't make a huge difference in terms of security.

Surely both apps encrypt the seeds they store, and surely you can't export seeds from Aegis before decrypting them (pin, password or biometric). If someone has your credentials (or encryption keys) to both these apps, and especially if they have physical access to your phone too, there will be ways of accessing the seeds whether there's an export function in the app or not.

[–] danielquinn@lemmy.ca 7 points 1 year ago (2 children)

Can someone give me a reason why I might want to move to Aegis from andOTP?

[–] darklamer@lemmy.dbzer0.com 9 points 1 year ago (2 children)
[–] danielquinn@lemmy.ca 4 points 1 year ago (1 children)

I had no idea! It's still works, but yeah, that's a very good reason to switch!

[–] darklamer@lemmy.dbzer0.com 2 points 1 year ago

I too was still using andOTP until some days ago, unaware that it had been abandoned, until I started reading about OTP apps here and then switched to Aegis: https://lemmy.dbzer0.com/comment/2137482

[–] cheeseburger@lemmy.ca 3 points 1 year ago

FFS, thanks I had no idea.

[–] peregus@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

I moved because it seems abandoned and because the QR code it generates can't be used from an iPhone, the ones that creates Aegis works everywhere. And Aegis seems more...nice, IMHO.

[–] Krafting@lemmy.world 6 points 1 year ago (1 children)

You might want to check out FreeOTP+, open source OTP client, all stored locally so be sure to backup everything from time to time.

I was using Authy for a few years until I started caring more about my online security and privacy.

I never heard of Aegis, but it seems like a good open source OTP client with automatic backups!

[–] clmbmb@lemmy.dbzer0.com 3 points 1 year ago

There's also Authenticator Pro , which is also open source and looks better than Aegis.

[–] venusenvy47@lemdro.id 5 points 1 year ago (2 children)

I moved my TOTP's from Authy to Bitwarden, where you can have access to your seeds and export if you want. But I believe this requires paying the $10 per year for Bitwarden premium (which I already had).

[–] Voroxpete@sh.itjust.works 12 points 1 year ago (4 children)

I hope you're not also using Bitwarden as your password manager. Having your authenticator and your password manager accessible in the same place, with the same account, completely defeats the point of 2FA.

[–] venusenvy47@lemdro.id 4 points 1 year ago

I am using it as my password manager, and I understand it puts all my eggs in the Bitwarden basket. But I don't think it defeats the purpose of 2FA. For example, someone getting my Google password doesn't mean they have my TOTP needed to get into my Google account, or any other account with 2FA.

[–] amki@feddit.de 1 points 1 year ago

If you are able to open your password vault from the device you use as a second factor (which you probably do) the whole point is defeated anyways. Multiple apps on the same device won't save you.

[–] mp3@lemmy.ca 1 points 1 year ago

It's only as weak as the weakest link. If you're using a strong and unique password as well as a strong 2FA (FIDO2) to access your Bitwarden account then it's an acceptable trade-off.

[–] FlexibleToast@lemmy.world 1 points 1 year ago (1 children)

But I have Bitwarden setup to need 2fa.

[–] anzo@programming.dev 4 points 1 year ago

It's passwords all the way down!

[–] towerful@programming.dev 4 points 1 year ago (1 children)

Vaultwarden is the unofficial open source backend that's compatible with bitwarden clients.
But $10 a year is nothing, and it removes a lot of worries

[–] danielquinn@lemmy.ca 2 points 1 year ago

It also supports Bitwarden, so it's a good deal.

[–] dosse91@lemmy.trippy.pizza 4 points 1 year ago

For me the choice is really easy: Aegis works, Authy crashes when it opens the camera 😂

I've been using Aegis for a while now and it never gave me issues. I set up automatic backups to a folder which is synchronized with my home server with syncthing so there's no risk of losing access to anything.

[–] NENathaniel@lemmy.ca 4 points 1 year ago* (last edited 1 year ago) (2 children)

One more recommendation would be 2FAS, also open source

[–] ProtonBadger@kbin.social 1 points 1 year ago

Yeah, I recently moved from Authy to 2FAS, took about an hour moving everything over. It can do cloud backup and export/import files manually as well.

[–] Rescuer6394@feddit.nl 1 points 1 year ago
[–] PuppyOSAndCoffee@lemmy.ml 3 points 1 year ago (1 children)

Aegis is not multi-platform so if that matters...does anyone have FreeOTP experience?

[–] mp3@lemmy.ca 2 points 1 year ago (1 children)

There's 2FAS if you need something open-source and multi-platform.

[–] venusenvy47@lemdro.id 3 points 1 year ago (1 children)

I read the website, but I couldn't see how the account syncing occurs between the mobile apps and the browser extensions. I installed the browser extension but didn't see a way to make an account. Do I have to self-host the data for syncing?

[–] mp3@lemmy.ca 1 points 1 year ago

The addon is used to send a request to auto-type a token. You get the prompt on the phone, and when you accept the token is auto-typed and the website+token selected is saved for the next time, so on the next request you just need to approve on the phone.

[–] davad@lemmy.world 3 points 1 year ago (1 children)

A third option is KeePassXC. You can set TOTP seeds for entries there.

Aegis lets you back up your TOTP seeds.

[–] Pantherina@feddit.de 0 points 1 year ago (1 children)

Authy is not on FDroid? Its not open source so its Tracking BS 99%

[–] UnfortunateShort@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

The only permission that app requires is camera and that only while it's running in fg (any you can probably disable it if you don't care about QR codes).