Which 2FA application for Qubes?

I have long preached non-SMS 2FA in general and Authy in particular. A couple of days ago I got a notice that sunset for the Authy desktop will be March 19th. I’ve been looking around, trying to decide what’s next, and I thought it would be better to ask all of you.

The specifications are pretty simple - the 2FA can start with a phone, but it has to run on a desktop w/o the phone being online at the time.

The three that seemed possible are:

  • 2FAS
  • FreeOTP
  • Google Authenticator

Zooming out just a bit, I’m on the lookout for a $550 gig that will fund the acquisition of a Google Pixel 8 for the purpose of migrating to GrapheneOS. So any phone involvement must be an Android app that will behave with Graphene.

One thing I’ve noticed is that doing this will probably mean a manual sync procedure; it’s not like Authy, where the phone and desktop are automatically kept updated.

These things being said, which app works best for Qubes?

KeePassXC has TOTP.

2 Likes

Yeah, either set up KeePass with the database hosted on a cloud instance somewhere (many free hosting options available for, say, a Nextcloud install) or install https://www.passbolt.com/ or vaultwarden (GitHub: dani-garcia/vaultwarden, an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs) on a web hoster (both of which have apps and both of which also do TOTP).

1 Like

I was under the impression that KeePassXC is just a password keeper. I think I really need 2FA on a per site basis, as I do have a little shadow that periodically tries to reset passwords on various services I use.

As stated above, KeePassXC can generate TOTP passwords.

Ideally, you should have your KeePassXC with TOTP in a different qube than the KeePassXC used for password manager (otherwise, it’s not really a 2FA).

I recommend always enabling 2FA on services that offer it; it’s way more secure than just login + password, and better for privacy than 2FA through SMS or email.

1 Like

I am wired such that passwords are kept in my head :)

OK, so KeePassXC is the thing to start with, see how that’s going to work across the board.

Because ideally I’ll get to something like Authy - works on Android/iOS, Linux/Mac/Windows, and then I have just one answer for everybody and one thing to support.

Aegis is arguably the best TOTP app for GrapheneOS. I also agree with using KeePassXC in a Qubes vault. Both can be configured to have no internet access. For redundancy, I enter the TOTP key into each of these apps whenever I create a new 2FA.

2 Likes

I will show my n00b skills in this area.

Is it possible to export from Aegis and use the same config in KeePassXC?

I focus on continuity for all the things I do.

Losing a phone and losing access would be disaster. Losing a phone and needing to get another to install Aegis would be a nuisance, but not intolerable.

And I hate that the end of Authy is the end of a one size fits all solution. Roughly half of the security conscious folk in my world have purchased Apple products and they will not budge from that position. The other half are not likely to shift from Android OS, even if they can get a Pixel 8 from their carrier.

Anyway, thanks for the advice, I’m going to give KeePassXC a try before I call it a night.

TOTP uses the secret key to generate the codes, so you’ll use the same keys in Aegis and KeePassXC.
You’ll need to manually set up the same TOTP key for each service in both Aegis and KeePassXC. I don’t think there is a way to export/import all the keys at once between these apps.

There are also KeePass apps with TOTP for Android and iOS if you want to easily export/import configs between devices.

Agreed, I usually scan the QR code into Aegis and manually type the key into KeePassXC (to avoid copying into my vault). Then I verify that each of these apps is showing the same TOTP code.

1 Like
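To make the two points above concrete (the same secret gives the same codes in any app, and comparing the codes is how you catch a key typed wrong), here is a small RFC 6238 TOTP implementation. This is an added example, not code from any poster, Aegis or KeePassXC; the key is the RFC 6238 reference secret in base32 (a constructed value, not a real enrolment), and the function and parameter names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_key(key: str) -> bytes:
    """Turn the key as an authenticator app displays it (base32, often grouped
    with spaces, sometimes lowercase, usually without '=' padding) into the raw
    HMAC secret. Aegis and KeePassXC both end up storing these same bytes."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 requires
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (30 s steps,
    6 digits, SHA-1 are the defaults nearly every site enrols you with)."""
    return hotp(secret, at_time // period, digits, algorithm)


def codes_agree(key_as_scanned_into_aegis: str, key_as_typed_into_keepassxc: str,
                at_time: int) -> bool:
    """The verification step from the thread: after entering the key in both
    apps, the codes for the same time step must match. A key typed with a typo
    decodes to different secret bytes and (with overwhelming probability) a
    different code, which is exactly what the side-by-side comparison catches."""
    a = totp(decode_base32_key(key_as_scanned_into_aegis), at_time)
    b = totp(decode_base32_key(key_as_typed_into_keepassxc), at_time)
    return a == b


if __name__ == "__main__":
    # Constructed example: the RFC 6238 reference secret "12345678901234567890"
    # in base32, the form an enrolment QR code / "manual entry" key uses.
    KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("code right now:", totp(decode_base32_key(KEY), now))
    # Same key typed into the second app in grouped lowercase form -> same code.
    print("both apps agree:", codes_agree(KEY, "gezd gnbv gy3t qojq gezd gnbv gy3t qojq", now))
    # Two adjacent characters transposed while typing -> mismatch you would notice.
    print("typo caught:", not codes_agree(KEY, "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOQJ", now))
```

Because the code depends only on the secret bytes, the time step and the algorithm, an app that has no network access at all (a vault qube, a phone in airplane mode) produces exactly the same code as any other copy of the key, provided its clock is right. The offline check is therefore just: enter the key in both places, confirm both show the same six digits for the same 30-second window, and then confirm the site accepts one of them.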

That is precisely the sort of hands on advice I need.

KeePassXC has WAY too many visible controls. Forget about giving this to muggles, I’m not even sure I should be operating it …