Authman - An Authy Alternative for TOTP 2FA

Cross-Platform Security TOTP 2FA Made Easy


In the modern internet environment, a simple username and password are no longer sufficient to protect people's accounts. Major websites have started to enforce two-step verification to prevent account theft.

In recent years, people have used two-step verification apps like Google Authenticator, OneAuth, and Aegis to pass TOTP authentication. People who need cross-platform synchronization tend to choose Twilio Authy, which can sync accounts across iOS, Android, Mac, and Windows devices, eliminating concerns about restoring accounts after losing a phone.

However, some users consider Authy’s lack of export functionality a major concern for data autonomy. With Authy announcing the end of support for its desktop applications (Mac, Windows) in March 2024, people started looking for alternatives. Currently, few 2FA apps support both mobile and desktop platforms together with synchronization well. This brings us to the features of the Authman app we are introducing today, which our team released.

Security is the Top Priority

During Authman's development, we decided to implement the strongest security mechanisms. We referenced the security mechanisms of password managers like 1Password and Bitwarden to design Authman’s encryption chain process.

First, all 2FA tokens are encrypted with a key derived from your password (the encryption chain), and your password is authenticated to the server using the Secure Remote Password (SRP) protocol, which means the password itself is never transmitted to the server, in plain text or otherwise. This ensures that no Authman staff can see your account data. Even in the worst case where the contents of Authman’s database are leaked, attackers would be unable to decrypt your data. For this purpose, we even created and released our own modern SRP library and ES2020 bigint toolkit.

Next, we chose the most advanced encryption mechanisms available today, using Argon2 for key derivation and XSalsa20 for token encryption, reducing the chances of the encryption algorithm being cracked in the near future.

Additionally, Authman currently does not provide device detection and management, to avoid leaking personal device information. However, it offers a global session expiration option, allowing you to log out of all devices with one click to limit further damage from a lost device. (We do plan to implement device management via the encryption mechanisms in the future, but only once we can ensure that device information is fully de-identified.)

Finally, we painfully decided to give up the password reset function (at least for now) to avoid social engineering attacks that exploit the password reset process.

Most importantly, Authman is open source, allowing anyone to review the code and encryption mechanisms to ensure no backdoors exist.

These mechanisms may not be as comprehensive as those of established password management companies, but as a newly launched small personal tool app, we believe it is capable of securing your accounts. For detailed encryption principles, please refer to the Authman FAQ.

Cross-Device Synchronization

Authman currently uses a simple REST API for communication between the app and server. Although it cannot be used offline effectively, all devices can synchronize the current account content from the server. You only need to download and install the mobile app and desktop software to enjoy the convenient account synchronization feature.

To further maintain account security, both the mobile and desktop versions have a screen timeout lock feature, requiring a password to unlock. To reduce the annoyance of the unlocking process, devices supporting biometric recognition (such as mobile phones or Mac Touch ID) can enable quick unlock via biometric recognition.

Currently, Authman supports Windows, macOS, iOS, and Android, with Linux support in our future plans.

Customization

Authman focuses not only on security but also aims to provide a pleasant user experience. All 2FA accounts can be customized.

After scanning the 2FA token, you can search for a FontAwesome icon or upload a picture to use as the account’s identification icon and change the icon color to quickly find the needed items among numerous tokens.

An interesting feature is that Authman supports pasting images from the clipboard. You can open a browser, search for the website’s logo, copy the image, and paste it into Authman, allowing users to create a beautifully organized account list.

Data Autonomy

Authman provides a complete account export and import functionality (though it does not yet support scheduled automatic backups). This means you don't have to worry about vendor lock-in; you can export all your 2FA tokens at any time and easily transfer them to other applications, or use them as a manual backup mechanism.

Another thoughtful feature: we know some users register each 2FA token on a secondary phone as a manual backup, so Authman lets you display the QR code for any 2FA token again, letting you immediately scan and back up each token with another phone.

Open Source and Self-Hosting

Authman is newly launched, and we have many tasks and to-do lists yet to be completed. Therefore, although we are open source, the installation documentation is not yet complete. Additionally, our team is still discussing and experimenting with how to replace necessary assets and variables like logos, titles, and API endpoints for self-hosting. Once these mechanisms are perfected, we will release detailed self-hosting documentation.

Of course, you can always clone the project and build it yourself if you can replace the necessary variables in the source code. If you find any vulnerabilities or algorithmic deficiencies, or want to suggest improvements, we welcome your reports.

For bug reports or feature requests, please go to GitHub Discussions or Issues.

Conclusion: Make Authman Your Account Security Tool

Although Authman is a newly launched 2FA app, it is fully capable of daily use with its core TOTP authentication code feature. More importantly, it is one of the few 2FA apps on the market that supports cross-device synchronization including desktop software and has comprehensive encryption security mechanisms, making it a trustworthy choice. So don’t wait; try Authman now.

See also:

  • "Authman is a very convenient and useful solution that should be more than enough for most users." - Softpedia

  • "Authman, your companion for flawless 2FA" - Justgeek