Security Guide
Stop Juggling Authenticator Apps
One app. One backup. Zero anxiety.
If you're like most developers, your two-factor authentication situation is a mess. You've got codes scattered across Google Authenticator on your old phone, Microsoft Authenticator for work, and maybe even a third app someone told you was "better." You live in quiet fear of losing your phone because you know — you just know — you'd lose access to half your accounts.
It doesn't have to be this way. In this guide, I'll show you how to consolidate every 2FA code into one open-source app, create a proper paper backup, and never worry about losing access again.
Why Your Current Setup is a Ticking Time Bomb
Here's what typically goes wrong:
- Phone dies or gets stolen — and Google Authenticator has no cloud backup (or you never enabled it). All codes gone.
- Switching phones — transferring codes between authenticator apps is painful. Google Authenticator's transfer feature is buggy and incomplete.
- Microsoft Authenticator lock-in — Microsoft's backup only restores to Microsoft Authenticator. The codes are encrypted and cannot be extracted. If you want to switch apps, you have to re-enroll every account from scratch.
- No backup strategy — most people never write down their TOTP secrets. When the phone is gone, so are the codes.
Enter Aegis Authenticator
Aegis Authenticator is a free, open-source 2FA app for Android that solves all of these problems. Here's why it's better than the alternatives:
| Feature | Aegis | Google Auth | MS Auth |
|---|---|---|---|
| Open source | ✓ | ✗ | ✗ |
| Encrypted exports | ✓ | ✗ | ✗ |
| Extract/export secrets | ✓ | Limited | ✗ |
| Biometric lock | ✓ | ✗ | ✓ |
| Password-protected vault | ✓ | ✗ | ✗ |
| Cross-device sync | Via file sync | Google account | MS account only |
| Custom icons | ✓ | ✗ | ✗ |
| Search & organize | ✓ Groups | Basic | Basic |
Step 1: Export Codes from Google Authenticator
Google Authenticator lets you export your codes as QR codes. Here's how:
- Open Google Authenticator on your phone
- Tap the three dots menu (⋮) → Transfer accounts → Export accounts
- Select all accounts (or the ones you want to transfer)
- The app will show one or more QR codes — screenshot each one
⚠️ Security Warning
These export QR codes contain ALL your TOTP secrets in plain text. Handle them with extreme care. Delete the screenshots from your photo library after you're done. Never share them, email them, or upload them to cloud storage.
Step 2: Extract the Secrets Using Our OTP QR Decoder
Now comes the key step. Those Google Authenticator export QR codes contain multiple accounts bundled in a proprietary protobuf format. To extract individual secrets, use our OTP QR Code Decoder tool.
- Open the OTP QR Code Decoder on your computer
- Upload or drag the screenshot of the Google Authenticator export QR code
- The tool will decode the QR code and display each account's details: issuer, account name, and most importantly, the secret key
- Write down each secret key (more on this in the next step)
Everything runs in your browser — no data is sent to any server. You can verify this by checking the network tab in your browser's dev tools.
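To make the decoding step concrete, here is a minimal Python decoder for the `otpauth-migration://offline?data=...` URI that Google Authenticator's export QR codes carry. This is an added example written for this guide, not the source of the OTP QR Code Decoder tool: the field numbers follow Google's MigrationPayload protobuf schema (secret, name, issuer, algorithm, digits, type, counter), the function names are my own, and the sample URI is constructed in the code from the two example secrets used in the paper-backup section below rather than taken from a real export.

```python
import base64
from urllib.parse import parse_qs, quote, urlparse

# Enum values from Google Authenticator's MigrationPayload schema;
# 0 (UNSPECIFIED) falls through to the usual TOTP defaults.
ALGORITHMS = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {1: 6, 2: 8}
OTP_TYPES = {1: "HOTP", 2: "TOTP"}


def _read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _read_fields(buf):
    """Yield (field_number, wire_type, value) for every field of a protobuf message."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x07
        if wire == 0:                      # varint: enums, counter
            value, pos = _read_varint(buf, pos)
        elif wire == 2:                    # length-delimited: bytes, strings, nested messages
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unexpected wire type {wire} in migration payload")
        yield field, wire, value


def _decode_otp_parameters(buf):
    """Decode one OtpParameters message into the fields you would write on paper."""
    acct = {"secret": "", "name": "", "issuer": "", "algorithm": "SHA1",
            "digits": 6, "type": "TOTP", "counter": 0}
    for field, _wire, value in _read_fields(buf):
        if field == 1:    # raw secret bytes -> base32, the form authenticator apps accept
            acct["secret"] = base64.b32encode(value).decode().rstrip("=")
        elif field == 2:
            acct["name"] = value.decode("utf-8")
        elif field == 3:
            acct["issuer"] = value.decode("utf-8")
        elif field == 4:
            acct["algorithm"] = ALGORITHMS.get(value, "SHA1")
        elif field == 5:
            acct["digits"] = DIGITS.get(value, 6)
        elif field == 6:
            acct["type"] = OTP_TYPES.get(value, "TOTP")
        elif field == 7:
            acct["counter"] = value
    return acct


def decode_migration_uri(uri):
    """Return the accounts bundled in one otpauth-migration://offline?data=... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    data = parse_qs(parsed.query).get("data")
    if not data:
        raise ValueError("missing data parameter")
    # A '+' that was not percent-encoded arrives as a space after query parsing.
    payload = base64.b64decode(data[0].replace(" ", "+"))
    return [_decode_otp_parameters(value)
            for field, wire, value in _read_fields(payload)
            if field == 1 and wire == 2]   # field 1 = repeated OtpParameters


def to_otpauth_uri(acct):
    """Rebuild the per-account otpauth:// URI that any authenticator app can import."""
    label = quote(f"{acct['issuer']}:{acct['name']}", safe="")
    uri = (f"otpauth://{acct['type'].lower()}/{label}?secret={acct['secret']}"
           f"&issuer={quote(acct['issuer'], safe='')}&algorithm={acct['algorithm']}"
           f"&digits={acct['digits']}")
    return uri + (f"&counter={acct['counter']}" if acct["type"] == "HOTP" else "&period=30")


# --- constructed sample input (not a real export; example secrets only) ---
def _uvarint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def _enc_varint(num, value):
    return bytes([num << 3]) + _uvarint(value)


def _enc_bytes(num, payload):
    return bytes([(num << 3) | 2]) + _uvarint(len(payload)) + payload


def build_sample_migration_uri():
    """One export batch holding the two TOTP accounts from the paper-backup example."""
    def otp_parameters(secret_b32, name, issuer):
        msg = (_enc_bytes(1, base64.b32decode(secret_b32))
               + _enc_bytes(2, name.encode()) + _enc_bytes(3, issuer.encode())
               + _enc_varint(4, 1) + _enc_varint(5, 1) + _enc_varint(6, 2))  # SHA1, 6 digits, TOTP
        return _enc_bytes(1, msg)
    payload = (otp_parameters("JBSWY3DPEHPK3PXP", "you@example.com", "GitHub")
               + otp_parameters("NBSWY3DPEHPK3PXQ", "your-iam-user", "Amazon Web Services")
               + _enc_varint(2, 1) + _enc_varint(3, 1) + _enc_varint(4, 0))  # version, batch_size, batch_index
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(payload).decode(), safe="")


if __name__ == "__main__":
    for acct in decode_migration_uri(build_sample_migration_uri()):
        print(f"{acct['issuer']:<22} {acct['name']:<18} Secret: {acct['secret']}  "
              f"Algorithm: {acct['algorithm']} | Digits: {acct['digits']} | Period: 30")
        print("    ", to_otpauth_uri(acct))
```

The input to `decode_migration_uri` is the text a QR reader gives you for the export code; the output rows are exactly what goes into the notebook in Step 3, and `to_otpauth_uri` gives the per-account URI an authenticator app can import directly. Note the defensive checks on truncated varints and length fields: a mis-read or cropped screenshot yields a partial payload, and you want a clear error rather than a silently wrong secret.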
Step 3: Create Your Paper Backup
This is the most important step, and the one most people skip: write down every TOTP secret on paper.
Get a dedicated notebook or sheet of paper and, for each account, write:
--- GitHub ---
Issuer: GitHub
Account: [email protected]
Secret: JBSWY3DPEHPK3PXP
Algorithm: SHA1 | Digits: 6 | Period: 30
--- AWS ---
Issuer: Amazon Web Services
Account: your-iam-user
Secret: NBSWY3DPEHPK3PXQ
Algorithm: SHA1 | Digits: 6 | Period: 30
Store this paper in a safe, secure location — a home safe, a safety deposit box, or at minimum a locked drawer. This paper is your ultimate disaster recovery plan. If every device fails, you can re-enter these secrets into any authenticator app and regain access to your accounts.
💡 Pro Tip
Consider using a small exercise book instead of loose paper. Number the pages, use one entry per page, and keep a table of contents on the first page. This scales much better as you add more accounts over time.
Step 4: Import Everything into Aegis
Now set up Aegis as your single authenticator:
- Install Aegis from Google Play or F-Droid
- Set a strong master password during first launch — this encrypts your entire vault. Use a password that you can remember but that is at least 16 characters long.
- Enable biometric unlock for convenience (Settings → Security → Biometrics)
- Add each account manually: Tap + → Enter manually → Input the issuer, account name, and secret key from your paper backup
- Alternatively, scan QR codes: If you still have the individual QR codes from when you originally enrolled (check your email/screenshots), scan those directly
Step 5: Create Encrypted Aegis Backups
Aegis stores its database in an encrypted file. Make multiple copies:
- Go to Settings → Backups in Aegis
- Enable automatic backups to a folder on your device
- Export a backup manually: Settings → Export → choose Encrypted → save the .json file
- Copy this encrypted backup file to multiple locations:
  - A USB drive in your safe (alongside the paper backup)
  - A second phone or tablet
  - An encrypted cloud folder (the file is already encrypted by Aegis)
The Aegis backup file is protected by your master password. Without it, the file is useless to anyone who finds it. This gives you defense in depth: encrypted file + strong password + physical security.
The Microsoft Authenticator Problem
Here's the bad news: Microsoft Authenticator does not allow you to export your TOTP secrets.
Microsoft's cloud backup feature only works within Microsoft Authenticator itself — you cannot extract the underlying secrets to move them to another app. The backup is tied to your Microsoft account and encrypted in a way that only their app can restore.
This means that for any accounts currently only in Microsoft Authenticator, you'll need to:
- Log into each account's security settings
- Disable 2FA
- Re-enable 2FA, this time scanning the QR code with Aegis and writing down the secret
This is tedious, but it's a one-time migration.
This is exactly why proprietary authenticators are problematic — they create vendor lock-in with your security credentials.
Going Forward: The Right Way to Add New 2FA
From now on, whenever you enable 2FA on a new account:
- Don't scan the QR code yet! First, look for the "Can't scan?" or "Enter manually" option to reveal the text secret
- Write the secret in your notebook along with the issuer and account name
- Then add it to Aegis — either by scanning the QR code or entering the secret manually
- Verify the code works by entering the current TOTP code shown in Aegis
- You can also use our TOTP Code Generator to verify — paste the secret and confirm the codes match
This "write first, then scan" habit takes 30 seconds extra but saves you from disaster.
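Here is what "confirm the codes match" actually computes, as an added example written for this guide rather than the TOTP Code Generator's own code: an RFC 6238 TOTP implementation in plain Python that reads an entry in the notebook format from Step 3, produces the current code from the secret you wrote down, and checks a code shown by Aegis against it with a one-step tolerance for clock drift. The `PAPER_ENTRY` text is constructed from the example values above, and the function names are my own; the standard RFC 6238 test vectors are used to check the arithmetic.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP for a base32 secret, i.e. the value written in the notebook."""
    if for_time is None:
        for_time = time.time()
    # Accept what people actually write on paper: spaces, lowercase, no '=' padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(secret_b32, candidate, for_time=None, window=1,
                digits=6, period=30, algorithm="SHA1"):
    """True if candidate matches the code for the current step or one within
    +/-window steps (a phone and a server are rarely perfectly synchronised)."""
    if for_time is None:
        for_time = time.time()
    for step in range(-window, window + 1):
        expected = totp(secret_b32, for_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample in the notebook format used above (example values, not real credentials).
PAPER_ENTRY = """--- GitHub ---
Issuer: GitHub
Account: you@example.com
Secret: JBSWY3DPEHPK3PXP
Algorithm: SHA1 | Digits: 6 | Period: 30
"""


def parse_paper_entry(text):
    """Turn one notebook entry into the parameters totp() needs."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("---") or not line.strip():
            continue
        for part in line.split("|"):          # "Algorithm: SHA1 | Digits: 6 | Period: 30"
            key, _, value = part.partition(":")
            fields[key.strip().lower()] = value.strip()
    return {
        "issuer": fields["issuer"],
        "account": fields["account"],
        "secret": fields["secret"],
        "algorithm": fields.get("algorithm", "SHA1"),
        "digits": int(fields.get("digits", 6)),
        "period": int(fields.get("period", 30)),
    }


if __name__ == "__main__":
    entry = parse_paper_entry(PAPER_ENTRY)
    now = time.time()
    code = totp(entry["secret"], now, entry["digits"], entry["period"], entry["algorithm"])
    print(f"{entry['issuer']} ({entry['account']}): current code {code}, "
          f"valid for another {entry['period'] - int(now) % entry['period']}s")
    # Compare the code Aegis shows against what the paper secret produces.
    print("matches paper secret:", verify_code(entry["secret"], code, now,
                                                digits=entry["digits"], period=entry["period"],
                                                algorithm=entry["algorithm"]))
```

If the code from the paper secret and the code in Aegis disagree, one of them has the wrong secret, and because the paper copy is the disaster-recovery path, that is exactly the moment to fix it, before the original QR code is gone. `window=1` is the common server-side tolerance; a mismatch that only resolves with a larger window points at a clock problem on the phone, not at the secret.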
Syncing Aegis Across Devices
One of Aegis's strengths is that its database is a regular encrypted file. This means you can sync it across phones, tablets, and even desktops using file synchronization tools like Syncthing — a free, open-source, peer-to-peer file sync that doesn't use cloud servers.
Setting up Syncthing with Aegis deserves its own guide (with folder configuration, conflict resolution, and desktop TOTP readers), so I'll cover that in a dedicated follow-up blog post. Stay tuned.
Summary: Your New 2FA Workflow
- Single app: Aegis Authenticator (open-source, encrypted, exportable)
- Paper backup: Every secret written in a notebook, stored securely
- Digital backup: Encrypted Aegis vault copies on USB + cloud
- New accounts: Always write the secret first, then add to Aegis
- Regular exports: Update your backup files monthly or after adding new accounts
This setup gives you three layers of protection: the app on your phone, the encrypted backup file, and the paper backup. Even if you lose everything electronic, the paper backup lets you rebuild in minutes.
Stop living in fear of losing your phone. Consolidate your 2FA today.