Aegis is a solid choice for local 2FA, especially if you're looking for something actively maintained that doesn't rely on cloud sync. Several comments like uyzstvqs and gethly point this out, and I've seen it perform well in practice. For the absolute highest security tiers, though, consider moving towards hardware keys. While it adds a bit more friction than an app, the security posture is far superior for critical accounts.

Aegis (local) https://github.com/beemdevelopment/aegis

Bitwarden Authenticator (local) https://bitwarden.com/products/authenticator/

Ente (encrypted cloud backup) https://ente.com/auth/

Google auth, first and the only 2FA authenticator I ever used.

Because some auth provider recommended it as the only app to use. While it is a good app, it does backup into Drive.

While it’s not a perfect solution, you can export and backup your data with QR codes, so you can back it up without cloud.

That's been pending for a while, I'll just stop contributing code.

You don't need an app if you don't want one.

In a CLI, oath lets you calculate a TOTP.

But it's maybe a bit more insecure if you use the same machine.

Why? You’re against 2FA? You couldn’t contribute without an account before, could you?

I'd had a GH account for ages under my own name, I closed that as soon as Microsoft took it over, moved all my repos to GitLab, good move. I opened a new GH account under a silly name [1] so I could collaborate with people still on it. Now I'm not really against 2FA, but don't use it myself, it adds friction, adds risk (what if you lose it), it seems too "theatrical" for my liking. You want to use 2FA? be my guest, live and let live etc. What I don't like is being told what to do with my account, particularly by someone like MicroSlop. I won't add 2FA to my GH account, so I'll not contribute any code to GH based projects, ho hum. As I understand it, I'll still be able to raise issues without 2FA, fine, and when 2FA becomes mandatory for that, I'll stop doing that too.

[1] https://github.com/noproblemwiththat

> adds risk (what if you lose it)

Lose what exactly? Decent 2FA setups make you confirm you've recorded a set of backup codes somewhere (they often recommend print and store in a safe, I find a secure note in a password manager works well) before activating it.

Furthermore plenty of TOTP applications offer secure backup and syncing features.

So again, what specifically do you think you're going to "lose"?

> What I don't like is being told what to do with my account

All of the arguments against 2FA here could be made against requiring passwords longer than 8 characters.

It’s not secure. The fix is easy, effective, and has almost no downsides.

Google Authenticator. Surely I can look for something better but why to complicate things and spend time searching for better alternatives.

Microsoft showing 2FA down everyone's throat is quite painful. I don't for a second believe they are only using my phone number for authentication. They are storing the data and they are correlating it with other apps they force 2FA on.

So don't give them your phone number.

Arguing against 2FA is like arguing that they shouldn't bash your password because it means you can't see your password to help remember it.

Um, no? Arguing against 2fa is I don't want to cede even more PII with the American tech oligopoly which, no doubt, will share said PII with the American regime.

What PII?

You store a TOTP secret on your <device>....

It's less PII than an ssh public key because it's literally just a random string, that *they* generated, and you only need it for the web UI.

So please tell me how the Americans are going to track and identify you through a fucking TOTP secret.

My phone number dumbo.

Why would you use a phone number for 2FA. It's like saying you only use md5 hashing for passwords.

s/bash/hash/

Authy but I’m considering moving to Apple Passwords so it’s all together.

Same. To add some details, I used Authy because at the time it was the only app that would just work after upgrading my iphone. I never enabled their cloud mode, so only local 2FA codes.

Yubikeys with fallback to Google authenticator.

I only use google and Microsoft, it might be a good idea for me to look into this deeper for the future.

I use a passkey that is in iCloud Keychain.

Using GitHub MFA via the app on my iPhone.

yea. I'm pretty sure they want separate authenticator app or browser extension

So now I need my damn phone to push something. Great. What's next, my national ID?

If by need you mean, can choose to use, and if by push you mean, login to the GitHub web ui, then sure.

lmao welp. that is the path other apps are going so i wouldnt be surprised

Checkout Ente Auth

KeepassXC

iCloud Keychain

Honestly, the safest for me has always been the boring one: Microsoft authenticator

There has been a review of these apps some time ago. I know google/ms were worst and Aegis was on the top of the list(among few others whom i do not remember). I have been using Aegis for aeges :D

on phone: 2FA Manager from OpenStore on UBports phone

on work laptop: 1PW

I still use Authy tbh

Totp.app