Aegis Authenticator is an open-source TOTP authenticator for Android, developed by beemdevelopment since 2017. Encrypted vault, offline-first, no cloud sync, exportable. Predaxia’s default recommendation for journalists and operators who do not want their TOTP codes living in Authy or Google Authenticator. Available on F-Droid (preferred for the GrapheneOS ecosystem) and Google Play.
What it means in practice
The differentiator is what Aegis does not do. No cloud sync (the codes live on your device, period), no phone-number requirement (Authy requires one, which is the SIM-swap weakness Authy was supposed to defend against), no Google account dependency (Google Authenticator added cloud sync to a Google account in 2023, eroding the offline guarantee), no proprietary backup format (Aegis exports a JSON-encrypted file you control). The vault encrypts at rest with a passphrase or biometric. Migration from Authy or Google Authenticator works via QR-code re-enrollment (per-account, time-consuming on the first pass; permanent afterward). For iOS users, the equivalent recommendation is Raivo (open-source, no cloud) or Tofu (Apple-only, simple).
Where it shows up
Used by: GrapheneOS users (default TOTP recommendation in the GrapheneOS user community), security professionals who want the seeds offline, journalists protecting source-contact accounts, and the broader F-Droid privacy ecosystem. Not used by: most consumers, who default to whatever the service recommends at 2FA setup (Authy, Google Authenticator). The trade-off Aegis makes explicit: backup is your responsibility (you must export the encrypted vault to safe storage; if your phone dies and you have no backup, the seeds are gone). The alternative trade-off (cloud sync) makes the seeds reachable to a compromise of the cloud account. The right choice depends on which threat is higher in your model.
What you can change today
Install Aegis from F-Droid or Google Play. On first launch, set a passphrase for the vault (a Diceware-style 5-word passphrase distinct from any other you use). Migrate TOTP codes from your current authenticator one account at a time: open the existing app, view the QR code, scan it into Aegis, verify the code matches the existing app for one rotation, delete from the old app. After migration, export the Aegis vault to encrypted file storage (Proton Drive, your password manager attachments, or an encrypted USB stick stored offline). Test the restore process on a different device or fresh install before deleting the original; the worst time to discover a backup is corrupt is after the original is gone.
