Ente Auth

Ente Auth is an open-source two-factor authenticator that does the one thing Authy and Google Authenticator get wrong: it gives you end-to-end-encrypted, cross-device backups of your TOTP secrets without locking you into a closed ecosystem or handing the codes to a provider.

Background Built by the team behind Ente Photos, Ente Auth is a fully open-source TOTP/HOTP app available on Android, iOS, desktop, and web. It can be used entirely offline, or with optional E2E-encrypted cloud sync so your 2FA seeds survive a lost phone. It is free, with no ads and no account required for local-only use.

What you trust You trust open-source clients you can read and a zero-knowledge sync model: when backups are enabled, secrets are encrypted on-device before upload, so Ente's servers store only ciphertext. This is the key distinction from Authy, where the provider holds the trust. The crypto and apps are open to audit.

Operational specs Standard TOTP/HOTP, so it works with any service that issues a QR/secret. Imports from Google Authenticator, Aegis, 2FAS, and others — no lock-in. Offline-first; cloud sync is opt-in and E2E-encrypted. Tags, search, and a clean cross-platform UI. Self-hostable server stack for the truly independent.

Philosophy Ente Auth treats 2FA seeds as exactly what they are — long-lived secrets that should never leave your control in plaintext. It rejects the false choice between convenient backups and provider trust by making the backups encrypted and the code open, so you get resilience without surveillance.

Grade rationale Grade A. Open-source, E2E-encrypted backups, import/export freedom, and offline capability — it closes the gaps that make mainstream authenticators a privacy compromise. Graded as a best-in-class authenticator; the only reason to look elsewhere is if you want a hardware key (YubiKey) for phishing resistance TOTP can't provide.

Useful when You want 2FA with encrypted backups you actually control; you're escaping Authy/Google Authenticator lock-in; you want one authenticator across phone + desktop; you value open-source and optional self-hosting.

Caveats TOTP is not phishing-proof — a convincing fake site can still relay a live code; a hardware key is stronger for the highest-value accounts. Cloud sync, while E2E-encrypted, still means your (encrypted) seeds touch a server — local-only is the maximalist choice. Guard your Ente recovery key; lose it and encrypted backups are unrecoverable by design.