Use Aegis Authenticator if you want maximum privacy (open-source, zero cloud, local backups only) and don’t mind manual backups to a vault or desktop drive. Use 2FAS if you want privacy-first with optional encrypted cloud backup ($0-8/year) and offline-first operation. Use Raivo if you’re on iOS and need a smooth interface with encrypted cloud backup. Use Authy only if your workplace requires it or you need desktop app sync; Authy is less private (Twilio collects device metadata). This guide compares these four apps across privacy, backup recovery options, open-source transparency, and ease of use.
Why 2FA App Privacy Matters
Your 2FA authenticator stores the master secrets that unlock your email, bank account, and crypto wallets. If your authenticator’s backup is compromised, attackers gain 2FA bypass access to every account. The difference between apps is stark:
- Cloud-backed (Authy): Secrets synced to company servers; company collects device metadata
- Encrypted cloud (2FAS, Raivo): Secrets encrypted before leaving your device; company cannot read them
- Local only (Aegis): Secrets never leave your device; you manage all backups
Most people wrongly assume all authenticator apps offer equal privacy. They don’t. Authy, despite Twilio’s assurances, is fundamentally less private than Aegis or 2FAS.
Aegis Authenticator: Maximum Privacy, Manual Backups
Aegis is open-source, requires zero internet, and stores all secrets locally. Backups are encrypted and saved locally (your device, computer, or USB drive). You control everything.
Installation:
Android: Google Play Store or F-Droid (free)
iOS: No official Aegis app (Apple restrictions limit local-only apps)
Desktop: Windows, macOS, Linux (Aegis Desktop via GitHub releases)
Setup:
- Download Aegis
- Create master password (20+ characters recommended)
- Scan QR code or enter manual seed from your account (e.g., GitHub, Google)
- Secret is encrypted and stored locally
Example setup flow (GitHub 2FA):
GitHub Settings → Security → Two-Factor Authentication
Click "Setup authenticator app"
GitHub displays QR code
In Aegis:
+ button → Scan QR code
GitHub 2FA code now shown in Aegis
(secret stored locally, encrypted on disk)
Save backup immediately:
Menu → More → Export vault
Save encrypted backup file to external drive or cloud (but separately from Aegis)
Backup and Recovery:
Aegis offers several backup options:
- Encrypted vault backup (strongly recommended):
Menu → More → Export vault as encrypted archive Password-protect the vault file (separate password from Aegis master password) Save to: external drive, USB stick, or separate cloud account Recovery: Menu → Import vault → Select backup file - Plaintext export (not recommended):
Menu → More → Export vault (plaintext JSON) Contains all secrets in readable format; extremely sensitive Only export for transition to another device - Biometric recovery codes: Some services (GitHub, Google, 1Password) give recovery codes when enabling 2FA. Store these separately from Aegis (printed, in password manager). These bypass 2FA entirely if you lose your authenticator.
Strengths:
- Open-source: anyone can audit the code (github.com/beemdevelopment/Aegis)
- Zero cloud dependency
- Fully encrypted; even your device cannot access secrets without master password
- Supports 40+ account types (TOTP, HOTP, Steam, Twitch)
- Perfect sync between devices: export from one, import to another
Limitations:
- Manual backup process; forgetting backups means account lockout risk
- No iOS app (Apple doesn’t allow offline-only authenticators easily)
- Requires discipline: master password must be memorable and strong
Cost: Free (open-source)
Best for: Security-conscious users, developers, anyone who values open-source code review
2FAS: Privacy with Optional Cloud Backup
2FAS is open-source and privacy-first, with optional encrypted cloud backup. Secrets are encrypted client-side; 2FAS servers cannot read them. You can also use it completely offline (no cloud at all).
Installation:
Android: Google Play Store (free, open-source)
iOS: App Store (free, open-source)
Web: https://web.2fas.com (browser-based)
Desktop: Windows, macOS, Linux
Setup:
- Download 2FAS
- Optionally create account (for cloud backup; backup is encrypted)
- Scan QR code or enter seed
- Secret encrypted and stored locally
Cloud Backup (Optional):
Settings → Backup
- Enable Cloud Backup (optional; off by default)
- Secrets encrypted with your password before leaving device
- 2FAS cannot read your secrets (they're encrypted)
- Free tier: 3 encrypted backups per month
- Premium: Unlimited backups ($8/year)
Offline-First Workflow:
Most users never enable cloud backup. Instead:
Settings → Export Backup
(downloads encrypted backup file to your device)
Manually save to: external drive, separate cloud account, or email to yourself
This is simpler than Aegis because the app generates backup files automatically.
Recovery:
If you lose your phone:
Install 2FAS on new phone
Settings → Restore from Backup
Select encrypted backup file
Enter backup password
All secrets restored
Strengths:
- Open-source (auditable; github.com/twofas/2fas-server)
- Works offline completely; cloud is optional
- Cloud backups are encrypted (2FAS cannot read them)
- Automatic backup file generation (easier than Aegis)
- Same app on iOS and Android (consistent experience)
- Free with generous premium ($8/year)
Limitations:
- Cloud backup still means secrets leave your device (encrypted, but still)
- Web client is browser-based (less secure than native app)
- Premium features are limited ($8/year is cheap, but some want fully free)
Cost: Free (cloud backup $8/year optional)
Best for: Privacy-conscious users who want optional backup convenience without sacrificing security
Raivo: Privacy on iOS, Encrypted Cloud Backup
Raivo is iOS-native, beautifully designed, and offers encrypted cloud backup. Secrets are encrypted before leaving your device.
Installation:
iOS: App Store ($1.99 one-time)
Android: No official app (third-party Raivo ports exist but not recommended)
Desktop: No desktop app
Setup:
- Download Raivo ($1.99)
- Create master password (biometric unlock available)
- Scan QR code
- Secret stored locally, encrypted on device
Cloud Backup (encrypted):
Settings → Backup & Restore
- Enable iCloud Sync (optional; enabled by default)
- Secrets encrypted with your iCloud key
- Raivo cannot decrypt backups (encrypted client-side)
- No subscription: backups free on iCloud
Recovery:
If you upgrade to a new iPhone:
Install Raivo on new iPhone
Raivo automatically restores from iCloud
All secrets present with one tap
No manual intervention needed
Strengths:
- iOS optimized: smooth interface, biometric unlock
- Encrypted cloud backup to iCloud (free)
- One-time purchase ($1.99; no subscription)
- Supports 30+ account types
- Auto-fill integration with Safari
Limitations:
- iOS only (no Android)
- Not open-source (proprietary code)
- Relies on iCloud (if Apple’s security fails, backups compromised)
- No desktop app (must use phone to retrieve codes)
Cost: $1.99 one-time
Best for: iOS users who want encrypted backup without ongoing subscription
Authy: Least Private, Avoid If Possible
Authy is maintained by Twilio and backs up secrets to their servers with device metadata collection. While Authy doesn’t read your secrets (they’re encrypted), Twilio collects extensive metadata about your devices and backup patterns.
Installation:
iOS: App Store (free)
Android: Google Play Store (free)
Desktop: Windows, macOS (free)
Web: https://web.authy.com (browser)
Backup and Sync:
Secrets automatically backed up to Authy servers (encrypted)
Secrets synced across all your devices (phone, tablet, desktop)
Twilio receives:
- Device identifiers (IMEI, Android ID, etc.)
- Installation timestamps
- Uninstall events
- Backup frequency and size
- Geographic location (inferred from IP)
What Twilio Collects:
From Authy’s privacy policy:
“We collect device identifiers, device manufacturer, IP address, device operating system, and application version”
This metadata reveals patterns:
- If your backup frequency changes → you’re likely traveling
- If you install Authy on a new device → you bought a new phone
- If you uninstall → you’re abandoning Authy for another app
Metadata is less sensitive than secrets, but still invasive.
Strengths:
- Desktop and mobile sync (convenient)
- Backup is automatic (no manual intervention)
- Works across platforms (iOS, Android, Windows, macOS)
Weaknesses:
- Metadata collection by Twilio
- Cloud-dependent; offline use requires setup
- Secrets stored on Twilio servers (encrypted, but centralized)
- Encourages device sync (more devices = more metadata points)
Cost: Free (Twilio subsidizes it)
When to use Authy:
- Your employer mandates Authy for corporate accounts (no choice)
- You need seamless desktop/mobile sync and don’t care about metadata
- Otherwise: avoid in favor of Aegis, 2FAS, or Raivo
Comparison Table: Privacy and Features
| Feature | Aegis | 2FAS | Raivo | Authy |
|---|---|---|---|---|
| Open-source | Yes | Yes | No | No |
| No cloud (default) | Yes | Yes | No (uses iCloud) | No |
| Encrypted backup | Yes | Yes | Yes (iCloud) | Yes (encrypted) |
| Metadata collection | None | None | Minimal (Apple) | Extensive (Twilio) |
| iOS support | No | Yes | Yes | Yes |
| Android support | Yes | Yes | No | Yes |
| Desktop app | Yes | Yes | No | Yes |
| Auto-fill (Safari/Chrome) | No | Limited | Yes | Yes |
| Cost | Free | Free ($8/yr backup) | $1.99 | Free |
| Master password required | Yes | Yes | Yes | Optional |
| Offline operation | Yes | Yes | Limited | No |
Setup Guide: Privacy-First 2FA
Step 1: Choose your authenticator:
iOS user: Choose Raivo ($1.99) or 2FAS (free)
Android user: Choose Aegis (free, open-source) or 2FAS (free)
Both: 2FAS (works on both, encrypted cloud backup optional)
Step 2: Create strong master password:
20+ characters
Mix: uppercase, lowercase, numbers, symbols
Example: "Tr0p1c@lSunset!2026Apr"
Don't use personal information or dictionary words
Save in password manager, not in notes
Step 3: Add your first account (GitHub example):
GitHub.com → Settings → Security → Two-Factor Authentication
Click "Setup authenticator app"
Scan QR code with your 2FA app
Store first backup (external drive or USB stick)
Test: GitHub asks for 6-digit code from 2FA app
Enter code; GitHub confirms "2FA enabled"
Save recovery codes in separate password manager
Step 4: Backup strategy:
Aegis/2FAS: Export encrypted backup monthly
Save to: external hard drive + separate cloud account
Raivo: iCloud backups automatic; also export backup monthly to external drive
Authy: Cloud backup automatic (but prefer Aegis/2FAS/Raivo)
Step 5: Test recovery (once per year):
Simulate: I lost my phone. Can I recover my accounts?
- Retrieve backup from external drive
- Install authenticator on new device
- Restore backup
- Confirm all 2FA codes appear
Do this annually to ensure backups are recoverable
Migration Between Authenticators
From Authy to Aegis:
Authy → Export (plaintext)
Aegis → Import from file
Advantages: Open-source, no metadata collection
Disadvantages: Manual process, requires careful handling of plaintext export
From Google Authenticator to 2FAS:
Google Authenticator has no built-in export.
Instead: Re-add codes manually (scan QR codes again) or
Export as plaintext JSON from Google (requires Google Takeout)
2FAS → Import from JSON file
From any app to Raivo:
Most apps lack direct export; re-add accounts manually
Raivo has built-in importer for Authy backups
Best practice: Set up new device alongside old, gradually migrate accounts