Authenticator apps are mobile applications that generate Time-based One-Time Passwords (TOTP) for two-factor authentication. Major options: Aegis (Android, open-source, Predaxia default), Raivo (iOS, open-source), Tofu (iOS, simple), Authy (cross-platform with cloud sync, owned by Twilio, deprecating standalone use in 2025), Google Authenticator (cross-platform with optional Google sync), Microsoft Authenticator (cross-platform with Microsoft sync). The middle tier of 2FA: stronger than SMS, weaker than hardware keys.
What it means in practice
The structural choice is between offline-first and cloud-synced. Offline-first (Aegis, Raivo, Tofu): the TOTP seeds live only on the device, encrypted with a passphrase or biometric, with backup the user’s responsibility. Cloud-synced (Authy, Google Authenticator with sync, Microsoft Authenticator): the seeds live in the vendor’s cloud tied to the user’s account, with backup automatic but the cloud account becoming the new master key. The 2022 Authy breach (Twilio’s parent infrastructure compromise) illustrated the cloud-sync risk: thousands of users had their TOTP seeds exposed because the centralized backup was the central target. The Predaxia recommendation: offline-first apps with the user-managed encrypted backup, accepting the slight inconvenience of explicit backup discipline in exchange for the elimination of the cloud-account attack surface.
Where it shows up
Required by: most modern services as the recommended 2FA option (Google, Microsoft, Apple, GitHub, Facebook, the entire SaaS ecosystem), banks and brokerages where SMS 2FA is being deprecated under regulatory pressure (SEC and FFIEC guidance increasingly favor non-SMS 2FA), and high-value accounts where users have decided to stop using SMS as the second factor. The phishing resistance of TOTP is partial: real-time phishing kits (Evilginx2, EvilProxy) can intercept TOTP codes within the 30-second validity window, defeating TOTP against sophisticated phishing campaigns. Hardware keys remain the structural answer for phishing-resistant authentication; TOTP is the right answer for accounts where hardware keys are not yet supported.
What you can change today
Three actions. First, install Aegis (Android) or Raivo (iOS) and migrate TOTP codes from your current authenticator one account at a time: open the existing app, view the QR code, scan into Aegis, verify the new code matches the existing for one rotation, delete from the old app. Second, set a passphrase for the Aegis vault distinct from any other you use, and back up the encrypted vault to Proton Drive or your password-manager attachments storage; test restore on a different device before relying on the backup. Third, where the service supports hardware keys, prefer hardware keys over TOTP; reserve TOTP for the accounts where hardware keys are not yet an option.
