Why I switched from Google Authenticator to Aegis
For a long time, I used Google Authenticator for 2FA codes. It worked, so I did not think much about it. The code appeared, login worked, and that was it.
Until my phone died!
Fortunately, I managed to bring it back to life, but for a moment things became unpleasant. Suddenly, I realized that access to many accounts depended on one device and one application. As long as the phone works, everything feels convenient. When it stops working, you quickly start thinking about what you can still access, where your backup codes are, and what will happen if the device cannot be restored.
That was the moment when I decided it was time to move away from Google Authenticator.
The problem is not 2FA itself. Quite the opposite — two-factor authentication is very important. The problem starts when the second factor has no reasonable recovery plan. If your authentication app lives only on one phone, a broken phone can quickly become a problem with account access.
That is why I switched to Aegis.
Aegis stores TOTP codes in an encrypted vault. For me, the most important thing is that this vault can be exported and backed up. Thanks to that, 2FA is no longer tied only to a single phone. I still need to protect the vault and its password, but at least I have control over the backup.
In my case, I keep a copy of the Aegis vault in my local Nextcloud. It is not a complicated setup, but it gives me much more peace of mind. If my phone dies, gets lost, or needs to be replaced, I do not have to start from zero. I have a backup that I can restore on a new device.
Of course, such a backup must be treated seriously. This is not a file that should be stored carelessly anywhere. The Aegis vault should be encrypted, the password should be strong, and access to the backup location should also be properly protected. A 2FA backup is useful, but if it is stored carelessly, it can create a new risk.
The most important lesson from this situation is simple: it is worth testing your recovery plan before you actually need it.
Today, my setup looks like this:
- Aegis for 2FA codes,
- an encrypted application vault,
- a copy of the vault stored in my local Nextcloud,
- the awareness that a broken phone will not cut me off from everything.
It was a small change, but a very practical one. As long as the phone works, this kind of preparation may seem unnecessary. When the phone suddenly stops working, you quickly realize that backing up 2FA codes is not paranoia. It is just a normal part of keeping access to your accounts under control.
