Hey y’all!

I’ve been using Authy for some time now (switched from Google Authenticator), but an increasing number of people are suggesting Aegis over Authy in some posts here at Lemmy, and that got me curious.

Was wondering what the main selling points would be for one to use Aegis instead of Authy; can somebody help out?

Thanks in advance!

  • maniel · 8 up, 1 down · edited · 1 year ago

    what works for others doesn’t have to work for you. they suggest aegis because it’s open source and authy is not; on the other hand authy is multi-platform and has built-in synchronization between devices, so there’s the thing: you can rely on a third party for backup in authy or back it up manually, but where? some third party again? for me personally moving to aegis just because it’s open source is a bit of a PITA, and minus being open-source, aegis is inferior IMO: no multi-platform sync. with authy you don’t have to take out your distraction device to input an OTP, there’s a standalone PC app or browser addons

    • Eager Eagle@lemmy.world · 1 up · edited · 1 year ago

      After having issues moving away from Google Authenticator, portability became one of the requirements I was looking for in an MFA tool; that immediately discarded Authy to me.

      I don’t have sync using Aegis, but I know my codes are backed up to at least 3 different locations I control, and I can either set up a new device when I need, or ditch Aegis altogether if they start making stupid choices.

      • maniel · 2 up · edited · 1 year ago

        ditch Aegis altogether if they start making stupid choices.

        do you mean you can migrate directly from aegis to another app? for me it’s a flaw; that way your OTPs are less secure. Authy distinctly states it has no such feature because of security, and many other apps don’t have an export feature because of that, yet Aegis developers boast about it

        • Eager Eagle@lemmy.world · 5 up · edited · 1 year ago

          that way your OTPs are less secure

          Aegis backups are encrypted. One could argue that storing OTP seeds in someone else’s server is even less secure, which is what Authy does.

          because of security

          Yeah, I read that too when choosing OTP managers and I’m not convinced. These security reasons they give to practice vendor lock-in just sound very convenient to them. They could very well add a secure bidirectional data import/export functionality like Aegis does. If they are really concerned about account takeover, they can confirm user identity, add delays with notifications before exporting, or add any similar bureaucracy. But if password managers allow exporting entire vaults, an MFA app can allow the same for OTPs.

          And I insist on this feature because manually resetting over 40+ MFA codes that I have because there is no export feature is a REAL PITA.

        • rufus@discuss.tchncs.de · 2 up · edited · 1 year ago

          Aegis lets you choose if you want your keys exported/backed up/included in the Android backup. You have to set up a password to encrypt the storage, and it came with every backup option disabled when I installed it. So it should be safe.

          Authy also has the option to backup to cloud. So you probably need to use Google Authenticator if you want to be locked out of your accounts in case you lose your phone.

        • clb92@feddit.dk · 2 up · 1 year ago

          I’d guess that it doesn’t make a huge difference in terms of security.

          Surely both apps encrypt the seeds they store, and surely you can’t export seeds from Aegis before decrypting them (pin, password or biometric). If someone has your credentials (or encryption keys) to both these apps, and especially if they have physical access to your phone too, there will be ways of accessing the seeds whether there’s an export function in the app or not.
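The exchange between Eager Eagle, rufus and clb92 above turns on one question: does an encrypted export put the seeds at more risk than keeping them locked inside a single app? The following is an added example, not code from the thread, from Aegis or from Authy. It builds a password-protected backup of TOTP seeds the way an authenticator could (scrypt-derived key, encrypt-then-MAC, tag checked before anything is decrypted) and regenerates a code from the restored seed with RFC 6238 TOTP. It is stdlib-only, so it uses an HMAC-SHA256 counter-mode keystream in place of the AES-GCM a real app would use; the vault entry, the password and the scrypt parameters are constructed sample values, and the seed is the RFC 6238 reference secret.

```python
import base64
import hashlib
import hmac
import json
import os
import struct


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the user's password into a 32-byte key with scrypt.

    Parameters are constructed example values; a real app would tune them
    to the device and store them next to the salt."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream.

    Stands in for AES-GCM only because the standard library has no AES."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(password: str, salt: bytes):
    """Derive separate encryption and MAC keys from the master key."""
    master = derive_key(password.encode("utf-8"), salt)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def export_vault(entries: list, password: str) -> dict:
    """Produce an encrypt-then-MAC backup blob; seeds never leave in the clear."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The tag covers salt and nonce too, so none of the header can be swapped.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()

    def b64(b: bytes) -> str:
        return base64.b64encode(b).decode("ascii")

    return {"salt": b64(salt), "nonce": b64(nonce), "ct": b64(ciphertext), "tag": b64(tag)}


def import_vault(blob: dict, password: str) -> list:
    """Verify the tag in constant time first, then decrypt.

    Raises ValueError on a wrong password or a tampered/corrupted backup."""
    salt, nonce = base64.b64decode(blob["salt"]), base64.b64decode(blob["nonce"])
    ciphertext, tag = base64.b64decode(blob["ct"]), base64.b64decode(blob["tag"])
    enc_key, mac_key = _subkeys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad password or corrupted backup")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)).decode("utf-8"))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 seed at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    msg = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


# Constructed sample vault; the seed is the RFC 6238 test secret "12345678901234567890".
SAMPLE_ENTRIES = [
    {"issuer": "example.com", "account": "alice", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
]

if __name__ == "__main__":
    blob = export_vault(SAMPLE_ENTRIES, "correct horse battery staple")
    print("export blob:", blob)
    restored = import_vault(blob, "correct horse battery staple")
    print("TOTP at T=59:", totp(restored[0]["secret"], 59))
    try:
        import_vault(blob, "wrong password")
    except ValueError as err:
        print("wrong password:", err)
```

With the wrong password the blob yields nothing but a tag failure, and flipping any byte of the ciphertext or header is rejected before decryption runs. What an encrypted export actually exposes is therefore the password's strength and the KDF cost, which is the thing to evaluate when comparing backup schemes, rather than the mere existence of an export button.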