Aegis Authenticator is the best two-factor authentication app for Android. It’s free, open source, stores everything in an encrypted local vault, and gives you full control over your backups — no cloud account required, no proprietary sync service, no vendor lock-in. This guide covers installation, initial setup, importing from Google Authenticator, creating encrypted backups, and understanding the difference between TOTP and HOTP.
Why Aegis Over Google Authenticator or Authy
Google Authenticator is the default recommendation for 2FA, but it has real weaknesses: no backup encryption, no export functionality for most of its history, and tight coupling to your Google account. Lose your phone without a backup, and you lose all your codes.
Authy adds cloud backup and multi-device sync, but your TOTP seeds are stored on Authy’s servers. If Authy is compromised or shuts down, you have a problem. Authy also requires a phone number to register.
Aegis stores all secrets in an AES-256-GCM encrypted vault on your device. The only way to decrypt it is with your chosen unlock method (password, PIN, or biometrics). Backups are encrypted files you control completely — export to your phone, copy to a USB drive, store in a Cryptomator vault on Google Drive. Aegis is transparent about its encryption scheme, and the code is auditable on GitHub.
Installing Aegis
F-Droid (recommended): Install F-Droid (f-droid.org) and search for “Aegis Authenticator” — you’ll find it at com.beemdevelopment.aegis. Installing from F-Droid avoids Google Play entirely and gives you updates via the F-Droid app.
Google Play: Aegis is also available on the Play Store if that’s your preferred distribution method. The app is identical.
After installation, open Aegis. You’ll be prompted to set up vault security.
Setting Up the Vault
On first launch, Aegis asks you to choose an unlock method:
Password is the most secure option. Your vault encryption key is derived from this password using scrypt, making brute-force attacks computationally expensive. Choose a strong passphrase — this protects all your TOTP secrets if someone gets hold of your phone.
PIN is a numeric code. Faster to enter but weaker than a full passphrase. Use at least 8 digits.
Biometrics (fingerprint or face) — Aegis can unlock via biometrics as a convenience layer. Critically, this does not change the underlying encryption: the vault key is still protected by your password/PIN. Enabling biometrics adds a second key, held in Android’s hardware-backed Keystore, that can also unwrap the vault key; your fingerprint releases that Keystore slot, not the vault directly. This is a sensible security model.
Recommended setup: Set a strong password as the primary unlock method, then enable biometrics as a secondary convenience method. You’ll use your fingerprint 99% of the time but can fall back to the password if needed.
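To make the "computationally expensive" part concrete, here is an added example (not Aegis's own code) that derives a slot key from a password the way the vault section above describes and measures how much slower each guess is than a plain hash. The scrypt parameters (N=2^15, r=8, p=1, 32-byte salt, 32-byte key) are assumptions taken from what the Aegis vault documentation lists; check the project's docs before relying on them. Python's standard library `hashlib.scrypt` is used so it runs offline.

```python
import hashlib
import os
import time

# Parameters assumed here from the Aegis vault format documentation (verify against the
# project docs): scrypt with N=2^15, r=8, p=1, a random 32-byte salt, and a 32-byte key,
# which is the key size AES-256-GCM needs.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 15, 8, 1
SALT_LEN = 32
KEY_LEN = 32


def derive_slot_key(password, salt):
    """Turn the unlock password into the 256-bit key for the vault's password slot."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
        # scrypt needs about 128*N*r bytes of working memory; OpenSSL's default 32 MiB cap
        # is just below what N=2^15 needs, so raise it explicitly.
        maxmem=2 * 128 * SCRYPT_N * SCRYPT_R,
    )


def guesses_per_second(password="constructed-sample-passphrase", rounds=3):
    """Estimate how many password guesses per second one core could test against this slot,
    compared with plain SHA-256 of the same password. The ratio is the point of the KDF."""
    salt = os.urandom(SALT_LEN)
    t0 = time.perf_counter()
    for _ in range(rounds):
        derive_slot_key(password, salt)
    scrypt_rate = rounds / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for _ in range(rounds * 1000):
        hashlib.sha256(password.encode("utf-8")).digest()
    sha_rate = rounds * 1000 / (time.perf_counter() - t0)
    return scrypt_rate, sha_rate


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    k1 = derive_slot_key("correct passphrase", salt)
    k2 = derive_slot_key("correct passphrasf", salt)
    print("keys differ on a one-character change:", k1 != k2)
    scrypt_rate, sha_rate = guesses_per_second()
    print(f"scrypt: {scrypt_rate:,.1f} guesses/s   sha256: {sha_rate:,.0f} guesses/s")
```

The salt means two vaults with the same password still get different keys, and the memory-hard work factor is what turns a weak PIN into a slow-but-feasible target and a long passphrase into an infeasible one; the printed ratio on your own hardware shows the gap.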
Adding Your First Account
Tap the + button in the bottom-right corner. Aegis offers three methods to add an account:
Scan QR code — the standard method. When a website shows you a QR code during 2FA setup, tap this option and point your camera at the code. Aegis reads the otpauth:// URI embedded in the QR code, which contains the secret key, account name, issuer, and parameters. This is the fastest and most reliable method.
Enter manually — if you can’t scan a QR code (e.g., you’re on mobile and the QR code is on the same device), most services also display the secret as a base32 text string. Tap “Enter manually” and type or paste the secret.
Import — import an entire collection from a file (covered in the migration section below).
After adding an account, you’ll see it in your vault list with a 6-digit TOTP code that refreshes every 30 seconds, plus a countdown arc showing how many seconds remain.
Understanding TOTP vs HOTP
TOTP (Time-based One-Time Password) — the standard. Codes are generated based on the current time and your secret key. Both you and the server independently compute the same 6-digit code because you share the secret and agree on the current time. Codes expire after 30 seconds (or 60 on some services). TOTP is what almost every major service uses.
HOTP (HMAC-based One-Time Password) — counter-based rather than time-based. Each code is generated from the secret and an incrementing counter. Codes don’t expire — they’re valid until used, and both sides increment the counter after each use. HOTP is less common today but used by some hardware tokens and older services. Aegis supports both.
When adding an account manually, Aegis lets you choose TOTP or HOTP, set the period (default 30 seconds), and set digit count (6 or 8). Leave these at defaults unless a service explicitly specifies otherwise.
Importing from Google Authenticator
Google Authenticator added export functionality — it creates a QR code (or series of QR codes) containing your account data. To migrate to Aegis:
- Open Google Authenticator on your Android device.
- Tap the three-dot menu → Transfer accounts → Export accounts.
- Select all accounts and tap Next. Google Auth displays one or more QR codes.
- Open Aegis, tap + → Scan QR code.
- Scan each QR code. Aegis recognizes the special otpauth-migration:// format and imports all accounts in batch.
After confirming all codes are working in Aegis, you can delete the accounts from Google Authenticator or remove the app entirely. Verify each imported account actually generates working codes on the corresponding service before removing anything.
Creating and Managing Encrypted Backups
This is where Aegis shines. Go to Settings → Backups.
Manual backup: Tap Export vault to create an encrypted .aegis_backup file. You’ll be prompted for a backup password (can be the same as your vault password or different). Save this file somewhere safe — a USB drive, your Nextcloud instance, a Cryptomator vault in cloud storage.
Automatic backups: Enable Automatic backups and set a backup location. Aegis will write an updated encrypted backup to that folder whenever your vault changes. The backup folder can be on internal storage, an SD card, or any location accessible via Android’s Storage Access Framework (including Syncthing-synced folders).
What the backup contains: The .aegis_backup file is a JSON file encrypted with AES-256-GCM. Without the password, it is completely unreadable. The structure is documented publicly if you want to verify.
Recovery from backup: On a new device, install Aegis, tap Import → Aegis backup during setup (or from Settings → Import & Export), select your backup file, enter the password, and all your accounts are restored instantly.
Keep at least two copies of your backup in different physical locations. Treat the backup file and its password as highly sensitive — anyone with both can access all your TOTP codes.
Organizing Your Vault
As your collection of 2FA accounts grows, organization helps. Aegis supports:
Icons: Long-press an entry → Edit → tap the icon to assign a logo. Aegis has a built-in icon pack and you can import custom icons.
Groups: Create groups (e.g., “Email”, “Finance”, “Work”) and assign entries to them. Access groups from the sidebar.
Search: Tap the search icon to filter by name instantly.
Sorting: Sort by name, account type, or last-used time.
Security Best Practices
- Set screen timeout on your Android device to 30 seconds or less. Aegis locks when the screen locks.
- Enable panic button in Aegis Settings — this lets you quickly lock and optionally wipe the vault with a special gesture.
- Do not screenshot TOTP codes. Screenshots are often backed up to cloud services automatically.
- Do not share your vault password with anyone. It grants access to every account protected by 2FA.
- Store at least one backup copy offline — on a USB drive in a physically secure location. This protects against a scenario where your phone is lost and your cloud backup is inaccessible.
Aegis turns your Android device into a robust, self-contained 2FA vault. Combined with a password manager and strong unique passwords, it forms the core of a practical, privacy-respecting account security setup.