by styanax 294 days ago
I would recommend Aegis Authenticator [1] - available in the Play store or F-Droid. It's been featured on HN now and again. One thing it can do is import the data of all the other OTP apps, and create backup files (the seeds) which you can do whatever you want with.

[1] https://github.com/beemdevelopment/Aegis

2 comments

I use this, but recently ran into an issue: I only have one Android device. It's great to be able to back up my secrets, but frustrating to need to spin up an emulator on my computer to run an Android app just to use the backups, if my primary device is offline for whatever reason. Is there a way to use the vault directly?

Very interesting question, I have no experience here. What I do instead is scan my QR codes into two apps on different devices when I make them (I do not make them very frequently so it's not a chore). Because I'm sort of pessimistic after a lifetime working in tech - everything that uses electricity breaks and fails. I build redundancy into all my (things) and just expect one of them to fail. Goes for email providers, hard drives and OTP codes - if I could have a backup washing machine, I would. :)
> What I do instead is scan my QR codes into two apps on different devices when I make them

Amazingly, I'd never even considered this as a possibility. Thank you for the paradigm shift.

I do that too, but you don't really need to with Aegis as it has import/export.

Aegis also works very well on Android Go dumb-ish phones.

Aegis Authenticator backups can be imported into GNOME Authenticator. I'm using it, I know it works, but I don't recall the format GA requires.

I just copy the OTP URL from Aegis and place it into pass (passwordstore.org, with the pass-otp extension) on my desktop computer. That pass instance is backed up along with everything else which matters.

If you move the secret tokens onto the same device (like in that emulator that presumably runs where your password manager also runs), we're again back to the oathtool solution that is described in the OP, that doesn't have the same security benefits as the original intent of supplying you with a 2FA token. Not saying you shouldn't do this, just something to be aware of when you use the export mechanism in this way.
1. Aegis has a setting for creating a secure backup on every change.
2. Autosync that backup directory via Syncthing to your PC.
3. Run compatible desktop software (e.g. Linux has Authenticator) to import Aegis backup files manually.

Since TOTP addition is not a frequent activity, the last manual import step was not a hassle to do whenever needed.

KeePass now supports 2FA tokens, just use that. Plenty of open source clients on different platforms and you can sync the encrypted database file using whatever mechanism you like, Dropbox, OneDrive, etc.

KeePassXC (Linux) can import Bitwarden files directly as well, as both programs support H/TOTP there's a solution here. Not what I do, but I can see the use case aligning to the GP's comment - using Bitwarden (e.g.) as the TOTP app could allow importing its backups to KeePassXC if your main/only mobile device fails and you only have a laptop etc.