Open Source Alternatives for Two Factor Authentication (2FA) Across Multiple Devices

Update 14 Feb 2024: Twilio Authy no longer supports desktop devices. Even more reason to switch to open source.

Two Factor Authentication (2FA) is a security paradigm whereby two pieces of evidence are required for authentication. For online accounts these are typically a password (something the user knows) and a code demonstrating possession of a known device (something the user has). As an emergency backup for the loss of the device, recovery codes are provided, or perhaps a manual process of identity verification.

Google and Apple have proprietary 2FA solutions for Android and iPhone devices, but these create a dependency on a single device: lose it or break it, and you’ll be jumping through identification hoops with Google or Apple to access your accounts again. Twilio Authy is a popular alternative that supports multiple devices and can synchronize between them, but the desktop version reaches end of life on 19 March 2024—too bad if you don’t have multiple phones.

Open source is the answer. By supporting standard file formats for import and export, accounts can be copied between different 2FA apps on multiple devices. As long as at least one of those devices is available, authentication is possible. Now you need to lose or break all of your devices to be locked out—but you should still have your recovery codes stored safely somewhere!

Some options include:

1. Gnome Authenticator on a Gnome-based Linux desktop.
2. Keysmith on a KDE-based Linux desktop.
3. Aegis Authenticator on an Android phone (available from both F-Droid, a catalog of free and open source software for Android phones, and Google Play Store).
4. 2FAS for either Android or iOS.

All of these apps can import and export some common file formats, allowing accounts to be copied between them. Here is a suggested approach using Gnome Authenticator and Aegis Authenticator:

1. Set up Gnome Authenticator on the desktop first. Visit each online account and (re-)enable 2FA. Typically a QR code is displayed for quick setup. With Gnome Authenticator, click the add button in the top left, then in the dialog that appears, the Scan QR Code icon in the top right. Select Screenshot and take a snapshot of the QR code. It will then import. After setting up all accounts, go to the Pictures folder in your home directory and delete the screenshots. Also save the recovery keys for each account as you go.

2. Once all accounts are set up in Gnome Authenticator, export the keys to a file. Click the menu item in the top right and select Preferences > Backup/Restore. Under Backup select Authenticator to export to a plain text file. Keep the file somewhere accessible from all devices, e.g. cloud storage.

3. On each other device, import the file. For an Android device, install Aegis Authenticator, then click the menu icon in the top right, Settings > Import & Export > Import from file, choose Plain text as the file type and select the file. For another desktop use Gnome Authenticator again: Preferences > Backup/Restore, then under Restore select Authenticator and choose the file.

You now have multiple devices configured for 2FA. As long as you have at least one of those devices available you will be able to authenticate. Keep a printout of recovery codes; you will need them to restore access if all devices are lost.