The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,915 other followers

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+.It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, eg. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

•  Free and Open-Source
•  Requires minimal permissions:
•  Camera access for QR code scanning
•  Storage access for import and export of the database
•  Encrypted storage with two backends:
•  Android KeyStore (can cause problems, please only use if you absolutely have to)
•  Password / PIN
•  Multiple backup options:
•  Plain-text
•  Password-protected
•  OpenPGP-encrypted
•  Sleek minimalistic Material Design with three different themes:
•  Light
•  Dark
•  Black (for OLED screens)
•  Great Usability
•  Compatible with Google Authenticator

Via: [WayBack] ‘Aanvallen via ss7-protocol om 2fa-sms’jes te onderscheppen nemen toe’ – Computer – Nieuws – Tweakers

Check out @Jaykul’s Tweet:

Instead of Google authenticator and Authy


Related :

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code:

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: