The New Oil

What is 2FA and Why Do You Need It?

2FA is an abbreviation for “two-factor authentication,” which is basically what it sounds like. Usernames and passwords are a form of authentication; if you don’t know the username and/or password, you cannot be authenticated, or prove that you are authorized to access whatever it is you’re attempting to access. Of course, that’s not totally true. Data breaches expose usernames and passwords all the time. Hence the need for more than one method of authentication at the same time. When you combine more than one form of authentication, you get “multifactor authentication,” or MFA. All 2FA is MFA, but not all MFA is 2FA.

2FA is one of the most powerful steps you can take to protect your account from unauthorized access. Microsoft claims that it stops 99.9% of unauthorized account access, and in a world where data breaches are beyond common, it’s important to have every advantage you can to protect your accounts. Even if your password gets exposed, your account is still safe.

While there are many forms of 2FA out there, I tend to focus on TOTP for most readers. These days, there are currently only two 2FA apps I recommend: Aegis for Android and Raivo for iOS. These apps are only available on their respective devices, so you can’t use Aegis for iOS or Raivo for Android. As such, this review should not be considered a “versus” but rather simply a review of the recommended 2FA apps, but combined for simplicity. For more information on why I recommend TOTP over other forms of 2FA (sort of) or what criteria we use to select our apps, please visit the website.

The Good

Courtesy of Aegis’ official website

Both of these apps have a plethora of positive features, though personally I think Aegis offers way more. Aegis starts off strong by asking you to encrypt your database from the get-go, either with a password or biometrics. Of course, you can select not to encrypt with no password, but this isn’t wise and you can always change your decision later if you want. Perusing the settings, I also saw some neat features such as a “panic trigger” to erase your vault under duress and the ability to pick a separate password for your exported vault that differs from you on-device unlock password. Aegis’ backup feature is particularly impressive. Backups can be set to automatic, and will update any time you make a change to your vault such as adding or deleting an entry. Additionally, you can allow for cloud-based backups for additional resilience, but only for encrypted vaults – which is probably a smart move anyways. Additionally, import and export were both smooth, intuitive experiences that were very self-explanatory (compared to Raivo, which I will discuss later).

Raivo offers a similar, but much more limited set of features for the iPhone. For starters, Raivo is also available on Mac, which means you can sync your codes securely between mobile and desktop. If you’re like me and strive to use your phone as little as possible at all times, this is great news. It means you can still enjoy the benefits of TOTP 2FA without having to pick up your phone when you’re at your computer (assuming you use a Mac and iPhone and not Windows and iPhone). When you sign up for Raivo, you will be prompted to pick a lock PIN or biometric lock, but unlike Aegis this is not optional. Raivo also offers cloud-based backups, but only over iCloud from what I could tell. In the past this was a huge dealbreaker for me as I strongly advised against using iCloud. Now, though, Apple has introduced end-to-end encryption for most of iCloud’s data, so while I’m still generally opposed to iCloud from a moral perspective, for most people the risks and concerns have been largely mitigated. Finally, Raivo allows you to pick whatever icon you wish to use for your codes, and they usually have multiple icons for each service. This is great. Using myself as an example, I have several Proton accounts – personal, The New Oil, and Surveillance Report (each one totally unique for maximum compartmentalization and scalability). The fact that there are multiple Proton icons (including the legacy ones) allows me to assign a new icon to each code so I can quickly and easily tell them apart.

The Bad

Courtesy of Raivo’s official website

Of course, as I always say, no service is perfect. While I do have some issues with both Aegis and Raivo, they are very, very minor issues that shouldn’t have any significant impact on usability or security. My main issue with Aegis is that there are no icons at all. All icons must be imported from file. While it’s great for privacy that the app doesn’t auto-pull favicons and equally great for customization that you can import icons, it’s a bit disappointing that there are none provided by default for popular services like Google, Apple, Proton, Tutanota, Bitwarden, etc or even the ability to pull them from the service if you choose to.

Raivo does offer a pretty decent number of icons in their repository – also not pulled online for privacy reasons – but fails to offer the ability to import custom ones like Aegis does. I’ve had services in the past that have no icon for this reason. A bigger flaw with Raivo is the lack of an import feature. While you can safely export your codes to keep good backups, re-importing them means you have to manually scan each and every QR code (or enter the seed manually) for every single account from your backup file. This is easy enough, but with a large number of accounts it becomes extremely tedious and time consuming. The only plus side there is that usually when you do this, the icon gets pulled in with the scan so you won’t waste as much time getting your vault set back up exactly how you wanted. I’m also still personally very disappointed by Raivo forcing me to use a lock on the app (if you have my unlocked iPhone, another lock on a specific app really won’t do much for me and my threat model, personally), and compared to Aegis’ auto-update feature it’s a bit disappointing that Raivo requires manual backups.

Conclusion

Aegis and Raivo are far from the only open source authenticators for either platform, but they are by far the most feature-rich and well-supported ones. If you’re not using TOTP 2FA yet, be sure to go download one of these two apps and get started immediately. It’s one of the best ways to secure your accounts and the convenience tradeoff is minimal.

You can download Aegis for free in the Play store here (or F-Droid here), and you can download Raivo for free in the Apple App Store here.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.