I'd been a happy user of andOTP for many years, unaware until now that it had been abandoned and that I therefore needed ro replace it. I looked through the recommendations posted here and came to the conclusion that Aegis indeed was the best recommendation.
Migrating from andOTP to Aegis by exporting an encrypted backup file from andOTP to the local filesystem and importing it in Aegis worked flawlessly.
One thing that I really liked in andOTP that Aegis doesn't have was the PGP export, it was just very nice to get encrypted backup files that I could decrypt directly using standard software that I already have and know how to use, entirely independent from any particular app. Aegis instead provides the decrypt.py script to decode and decrypt its own encrypted backup file format and while I've tested and verified that this works fine, simply using standard PGP was nicer.
But that's a minor detail. All in all, Aegis seems to do everything I need, and does it well.
It depends on your risk profile, but yes, it's less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.
I see how 2FAS cross-device sync works, but there is no mention for Aegis on their site how they do it? For me, not having good sync across my Android devices and Linux desktop is a showstopper.
Bitwarden and it's fully cross-platform. I like that it auto copies the 2FA pin to clipboard after filling in login - cuts out extra clicks and copy movements.
I think it is more about passwords being accessible after hacks etc. What you are referring to, is if Bitwarden were to be hacked, both are accessible. Online Bitwarden has securely hashed all the data, so that is pretty useless if anyone gets it. On my devices I use biometric login, and on desktop a Yubiky as 2FA into Bitwarden. I also have it set to request login every time the browser is restarted, just in case someone were to steal the session data from the browser.
But your point is very valid if a user were to have a weak password for their Bitwarden, or not to have a good 2FA for their Bitwarden login. You want to keep that basket of eggs as safe as you can.
"Authenticator key (TOTP) storage is available to all accounts. TOTP code generation requires premium or membership to a paid organization (families, teams, or enterprise)."
I personally use KeePassXC (KeePassDX on android), it can have TOTP code generation for 2FA for any service. And since it's a password manager, it's secured by a master password.
I actually try to use authenticator apps as little as possible. Having to unlock your phone and open the app each time is too much hassle.
Instead I have four Yubikeys, not security keys, that I store my OTP 2FA codes on. One for personal codes, one for work codes, and the other two as backups for the first two. The backups protect me from hardware failure, the keys being stolen, or lost. One downside of the backup plan is having to scan the QR code twice, once per Yubikey.
Each Yubikey can store 32 OTP codes on the smart card part of the Yubikey. The 32 code limitation is why I have personal and work codes on separate keys. I did run into this limit.
This isn't the cheapest solution. In addition you could argue it also isn't the most secure, but that depends on the attack vector and circumstance.
With this setup I can use the Yubico Authenticator desktop to copy and paste the codes into the browser. While mobile I can use the mobile form of the same app. Also all my Yubikeys have NFC, so I can use that method if I want instead of just USB.
As mentioned in a different comment I highly recommend not storing 2FA codes in password managers like Bitwarden. It creates an all eggs one basket problem, which is exactly what 2FA codes are trying to avoid.
When it comes to proprietary apps Authy is nice, it offers synchronisation between devices, but yeah, it involves cloud (someone's computer) and you need to give them your phone number, so that's for privacy, in the end you might as well use Google authenticator, it syncs between devices to, it's about who you trust more
I know it is an unpopular opinion, but it is a huge headache in general. I don't think the theoretical benefits (which make total sense) actually pay off in reality and are worth the extra headache. I'm not saying they should not have it at all, but it should be at least opt-out instead of forced.
In the case of github, I think it is part of their long drawn out plan of data collection and proprietary lock down. Next they are going to require your house address and government ID. I feel better using an free and open source platform anyway.
I see aegis supports automatic backups. I don't see it explicitly saying 'encrypted' backups though
I too use andOTP but didn't realize it's not regularly maintained. I may check out aegis as it does support import from andOTP
I am not a big fan of storing the passwords and 2fa together since if it is compromised, you lose both layers at the same time. But the alternative is not so convenient. But then in security, it is always a balance between the two.