(no title)

For Android I'd recommend Aegis

https://f-droid.org/packages/com.beemdevelopment.aegis/

Or if you have a YubiKey you could also use it for TOTPs

Windows, Linux, Android: https://github.com/Yubico/yubioath-flutter

iOs: https://github.com/Yubico/yubioath-ios

I personally use Bitwarden for TOTPs (with a self hosted vaultwarden instance), it's by far not the most secure way to store your passwords and TOTPs next to each other, but it saves so much time.

Ente Auth or bitwarden builtin one or keepassXC builtin one.

Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!

Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.

(1) https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...

I'm of the opinion that it's basically fine yo store them in your password manager. Yes if your password manager is broken into you lose everything (same as having no 2fa in that case), but you still prevent people from guessing your password and often avoid having to deal with email- or text-based 2fa. And if your password manager is broken into, there's a good chance your device has been broken into, in which case it doesn't matter where you store your 2fa.

I use andOTP https://github.com/andOTP/andOTP and my favorite feature is the database of 2FA can be backed up PGP-encrypted and reimported on another device. But sadly it is no longer maintained. The latest version on Google Play Store is from 2021 and can still be installed and works fine on Android 14.

For Android, if you happen to use Keepass as your password manager, I really like KeePassDX[0]. If the camera app you use doesn't support QR scanning, though, you'd need an app for that (and I don't think any FOSS camera apps implement this, as for as I can tell).

This one[1] seems the most up-to-date, by a German research group. You'd share the link as text to the KeePassDX app, search for the entry it's for, and it populates it with the HTOP/TOTP secret.

There are iOS Keepass clients that support this as well, though from what I can tell there's some drama with source code[2][3] in the landscape.

[0] https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/

[1] https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...

[2] https://github.com/MiniKeePass/MiniKeePass/issues/606

[3] https://keepassium.com/articles/keepass-apps-for-ios/welcome...

And other allegations under the ethics & transparency sections of KeePassium's list of iOS alternatives https://keepassium.com/articles/keepass-apps-for-ios/

I used Aegis for a while and really liked it, switched to Bitwarden now but the UX was better

I've implanted my 2FA token in my arm and just hope it never breaks :D

If you do not need QR codes, oathtool is great. You can protect your tokens, recovery codes etc. with gpg -c or similar, so the encryption is entirely separate from the authentication mechanism.

And you actually know what is going on. Works for GitHub.

https://www.nongnu.org/oath-toolkit/

As mentioned elsewhere, Aegis and Authenticator Pro are both good on Android. Both are available on Play Store and on F-Droid.

I use a YubiKey with their Authenticator app.

I‘m using Raivo. It hasn’t let me down, yet