obsidian says this takes 6 minutes to read.
look at the page updates here
I used to be an Authy user. I liked the app, and I was pretty happy with the service provided. They had a desktop version of the app that worked flawlessly, and was pretty fine to use. Then they killed off the desktop app. I was like, okay fine, I’m gonna keep a copy of the EXE for the Authy program, and use that from now on. The desktop version would keep working for a couple of months, until it too died because, I believe, Authy just blocked all connections to that app.
So I was like, fine, I’ll just use my phone, and this was great, up until I decided to reinstall the OS on my phone. And then I discovered that Authy implemented fucking Play Protect, which means I cannot even use it on the hardware I own because the developer was “lmao fuck you”, and I wasn’t willing to flash my phone back to stock firmware, so I was like “fuck it” and then proceeded to tear out every single TOTP login from Authy and moved these to another app. I was searching for literally any other 2FA app that was half decent, and the first app I found was Ente Auth. Ente Auth was pretty much everything I was looking for: it had exportable secrets (not like Authy, smh), it didn’t link your phone number to your account, it didn’t give a rat’s ass if your phone was modified or not, alongside being open source, it was nice.
Moving every TOTP to Ente was a big pain, and it is because Authy does not support exporting secrets, which I can only imagine is a case of “fuck you”, or just a misguided attempt to provide security or something. So my process looked like the following: I had to load up Authy on another device (in this case, it was my sister’s iPad), I logged into the account that had 2FA enabled, I then removed 2FA, then added the account’s 2FA secret on Ente, and then deleted the 2FA secret on Authy. Rinse and repeat for the next 40 logins, and this easily took me 2 or 3 hours. It fucking sucked. But at least it was a one and done thing. I never have to do that again. And if I wanted to move to something else in the future, Ente Auth allows you to export your shit to plaintext, or even to a neat HTML that has QR codes that you can scan, and it is all laid out in a very neat format that is just awesome.
But recently I’ve been working on moving everything that is password and 2FA related offline. I made the move from Bitwarden to KeePassXC a couple of years ago, and even decided to delete my Bitwarden account and to stay with KeePassXC. Meanwhile, I was fine with Ente Auth, but I really started to get tired of the app and program itself. First of all, on the app on Android, they keep promoting other services they have, specifically, Ente Photos. Look, I know that Ente is a smallish company, and that they kinda need to do this to keep themselves afloat, but it kinda put a bad taste in my mouth. Like I feel, sooner or later, that they may do something in the future to screw over their users in the name of money. Another reason is that the Android app isn’t really great, like it lags out, it feels like it is some sort of port to Android that has not been optimized well. It feels like the moment a couple years ago when Discord switched from its native version to one that used React instead. Another reason I’ve been looking to switch from Ente is that everything is stored online, and if Ente gets breached, welp, there go all your 2FA secrets. Another reason is that I’ve seen Ente do a lot of their marketing in privacy/degoogle communities, and it makes me kinda suspicious, if that makes sense. Also there have been some rumors that Ente collects more data than required to operate, however I think these are just rumors.
So I’ve been on the lookout for anything that would be as close to Ente Auth as possible, and I think I found two options, one is using KeePassXC itself for TOTP and then there’s Aegis. So Aegis is an open source TOTP app that works only on Android. It is open source, offline, and also supports code exporting. It also supports a large number of other apps, like Google Authenticator, FreeOTP, Ente Auth, alongside a large number of other TOTP apps. This is awesome, and allows you to easily switch from one device to another. Also, Aegis has support for exporting secrets pretty easily, either as a plaintext file, an encrypted JSON, or a neat HTML, same as Ente Auth. The downside is that it is only available for Android, and there really is no Windows or Linux version available[1]. I do appreciate the ability to simply open the program for 2FA on Linux or Windows, and then just copy and paste the code, all in the same machine. And sure, this defeats the purpose of like 2FA (since ideally 2FA and the device you are using should be separated) but I don’t care I think lmao.
KeePassXC also supports 2FA, but getting it set up is pretty annoying. KeePassXC doesn’t really support bulk secrets importing, so that means you now need to go, find the account you are trying to add the 2FA to, and then add the secret manually. It sucks, and it took me around an hour to get everything imported, but at least now KeePassXC shows the codes, and you can also fill 2FA codes on websites with the KeePassXC browser extension too. But like, is keeping your 2FA codes with your passwords safe? I don’t know. Like, my KeePassXC has a pretty long password on it, and it is only shared on my devices and nowhere else, and doesn’t touch internet storage with the exception of Filen (as a backup), so I guess I feel confident with it? Who knows. I think if I were to go full in using KeePassXC as the 2FA program, I would need to move my 2FA backup codes elsewhere (since I save them in KeePassXC for safekeeping), or who knows, maybe this is just fine. I guess, at the end of the day, I would probably use a system where I keep both 2FA codes on Aegis on my phone, and then KeePassXC for my PC and laptop. Maybe I could also get a security key and use that as an additional authentication factor for my KeePassXC vault, but I think that may be overkill, I think, lmao.
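An added example, not part of the original post or of any app mentioned in it: after typing secrets into a second app by hand, this script computes the RFC 6238 code each exported entry should show, so the codes can be compared without putting the secrets on screen. It assumes the plaintext export is one `otpauth://` URI per line (the post only says "plaintext"); the sample data is constructed from the public RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample export. Assumption: one otpauth:// URI per line.
# The secret is the public RFC 6238 test key, not a real account.
SAMPLE_EXPORT = """\
otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example
otpauth://totp/Other:bob?secret=gezd%20gnbv%20gy3t%20qojq%20gezd%20gnbv%20gy3t%20qojq&digits=8

not-a-uri
"""
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(line):
    """Return a dict for one TOTP URI, or None for blank/unsupported lines."""
    u = urlparse(line.strip())
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algo = HASHES.get(q.get("algorithm", "SHA1").upper())
    if u.scheme != "otpauth" or u.netloc != "totp" or "secret" not in q or not algo:
        return None
    # Apps often show secrets lowercase with spaces/dashes; base32 needs padding.
    secret = q["secret"].replace(" ", "").replace("-", "").upper()
    return {"label": unquote(u.path.lstrip("/")),
            "key": base64.b32decode(secret + "=" * (-len(secret) % 8)),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),
            "hash": algo}

def totp(entry, at):
    """RFC 6238 code for the entry at Unix time `at`."""
    counter = struct.pack(">Q", int(at) // entry["period"])
    digest = hmac.new(entry["key"], counter, entry["hash"]).digest()
    off = digest[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    num = struct.unpack(">I", digest[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** entry["digits"]).zfill(entry["digits"])

def expected_codes(export_text, at=None):
    """Map label -> code at time `at`; secrets themselves are never returned."""
    at = time.time() if at is None else at
    entries = filter(None, map(parse_otpauth, export_text.splitlines()))
    return {e["label"]: totp(e, at) for e in entries}

if __name__ == "__main__":
    for label, code in expected_codes(SAMPLE_EXPORT).items():
        print(f"{label}: {code}")
```

If a code shown by the new app differs from the one printed here for the same 30-second window, the secret was mistyped (or the clock is off) and the old entry should not be deleted yet.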
updates:
- 2026-03-04: page was created
[1] I guess using Windows Subsystem for Android or Waydroid may work? Who knows.