
Two-Factor Authentication (2FA) – Sovereign & Backup-Friendly Options

This guide covers how to handle authenticator apps securely in a minimalist sovereign setup, with focus on backup strategies and Linux-friendly alternatives to Google Authenticator.

Google Authenticator – The Common Default

Google Authenticator is simple and widely supported, but it has serious limitations for anyone who values device independence and backup.

Main Problems

  • No built-in cloud sync on Android/iOS (unless you enable Google account sync – which defeats privacy goals)
  • No easy export in the classic version
  • If you lose your phone or factory reset → all 2FA codes are gone unless you saved recovery codes or set up transfer beforehand
  • Very hard to migrate to a new device without per-service re-setup

How to Back Up Google Authenticator (to Avoid Disaster)

  1. During initial setup of each service

Always save the backup / recovery codes (usually 8–10 single-use codes) in your password manager or encrypted offline storage.

  2. Export option (Android only – since ~2023/2024 update)
    • Open Google Authenticator → tap menu (⋮) → Transfer accounts → Export accounts
    • Scan the generated QR code with your new phone or take a secure screenshot/photo of it
    • Store this QR code/photo encrypted (e.g. in your password manager’s secure note or encrypted drive)
  3. Manual method (works everywhere)

When adding a new account:

  • Take a screenshot of the QR code before scanning it
  • Immediately move the screenshot to encrypted storage (VeraCrypt, Cryptomator, Bitwarden secure note, etc.)
  • Or write down the secret key (the long Base32 string) if shown

Bottom line: Google Authenticator is only safe if you religiously save either recovery codes or the QR code/secret at setup time.

Aegis Authenticator – Best Open-Source Android Alternative

Aegis is the most recommended open-source 2FA app for Android users who want control and proper backups.

Key Advantages

  • Fully open source (GPLv3) – audited, no telemetry
  • Encrypted vault (AES-256) protected by password and/or biometric
  • Built-in encrypted export (.aes file) – easy & secure backup
  • Supports automatic backups to any folder (e.g. your self-hosted Nextcloud, Syncthing, local SD card)
  • Import/export from/to most other apps (including Google Authenticator)
  • Very active development (2026)

How to Back Up Aegis (Recommended Workflow)

  1. Set a strong password for the vault (or use biometrics + password)
  2. Go to Settings → Export → Encrypt the vault

→ Choose a strong export password (can be different from vault password)

  3. Save the .aes file to your sovereign storage:
    • Self-hosted Nextcloud / ownCloud
    • Syncthing folder (syncs to multiple devices)
    • Encrypted USB drive or external SSD
    • Bitwarden / KeePassXC secure attachment
  4. Automate backups (optional but recommended):
    • Settings → Import & export → Auto-export → set interval & location
    • Point it to a synced folder (e.g. Nextcloud)

Restore: Just import the .aes file on a new device and enter the export password.

Result: Losing your phone is no longer catastrophic — you recover everything in ~2 minutes.

Gnome Authenticator – Good Linux Desktop Option

Gnome Authenticator (or Authenticator by the same team) is a clean, native GTK app for GNOME desktops (also works on many other Linux environments).

Main Features

  • Open source (GPLv3)
  • Supports importing from Google Authenticator QR codes / screenshots
  • Stores tokens locally (no cloud)
  • Simple encrypted backup via flatpak export or manual copy of ~/.local/share/com.belmoussaoui.Authenticator

Backup Method (Simple)

  1. Install via Flatpak:

```bash
flatpak install flathub com.belmoussaoui.Authenticator
```

  2. Add your tokens (scan QR or import an otpauth:// URI)
  3. Backup:
    • Copy ~/.var/app/com.belmoussaoui.Authenticator/data/authenticator (Flatpak path)
    • Or export each token individually (Settings → Export)
    • Store in your encrypted password manager or sovereign cloud folder
  4. Restore: Copy the folder back or re-import tokens

Tip: Many people use Aegis on phone + Gnome Authenticator on Linux and keep both in sync via encrypted export files stored in Nextcloud/Syncthing.

Quick Recommendation Table (2026)

| Goal | Best Choice | Backup Effort | Privacy / Control |
|---|---|---|---|
| Zero hassle, already using Google | Google Authenticator + manual QR save | Medium–High | Low |
| Best Android sovereignty | Aegis | Very Low | Excellent |
| Linux desktop / GNOME | Gnome Authenticator | Low | Excellent |
| Cross-platform minimalist | Aegis (phone) + Gnome Authenticator (desktop) | Low | Very High |

Bottom line for sovereign setup: Switch to Aegis on Android and use Gnome Authenticator on Linux. Back up encrypted vault exports regularly to your self-hosted storage. You’ll never fear losing a device again.

Happy authenticating!