[Unmaintained][App][4.4+][Open source] andOTP - Open source two-factor authentication for Android

Search This thread

flocke000

Senior Member
Apr 26, 2014
339
325
Oberhausen
That is really strange, I will have to look into that. The problem is that I don't build the F-Droid release myself, that is done by F-Droid. So I will have to contact them to figure this out.
 

yourrealking

Senior Member
Jun 28, 2014
124
28
Is there any technical reason why the minimum Android version is 5.1, not 5.0? I am trying to use an old phone as a dedicated, offline OTP device, and its Android version is unfortunately 5.0.1. I looked up the API changes, and there did not seem to be much of a difference between 5.0 and 5.1.
 

yourrealking

Senior Member
Jun 28, 2014
124
28
I discovered that the Google Authenticator app now has "Transfer accounts" menu. It seems to be transferring existing entries to GA on another phone. I am not sure how exactly that works, but if GA is generating OTP using the same standards, can't your app use that information to import entries from GA? I have tried scan the "Export" QR code of GA with your app's QR scan feature, but it said "Invalid QR code".
 

CodeScrubber

New member
Feb 10, 2022
2
0
I forgot or misplaced my password. I am not sure I backed up the password, I cannot imagini would not.

If I did, where would I find the plaintext backup on my phone? Would it be on google drive,if so where?

How do I completely remove andOTP and any data it creates from my phone?
I tried uninstalling, rebooting and re-installing andOTP. It still asks for a password
I tried deleting all of the application's data, uninstalling, rebooting and re-installing andOTP. It still asks for a password
I do not have my phone rooted and have no interest in doing so.

Please help.
 

flocke000

Senior Member
Apr 26, 2014
339
325
Oberhausen
I forgot or misplaced my password. I am not sure I backed up the password, I cannot imagini would not.

If I did, where would I find the plaintext backup on my phone? Would it be on google drive,if so where?

How do I completely remove andOTP and any data it creates from my phone?
I tried uninstalling, rebooting and re-installing andOTP. It still asks for a password
I tried deleting all of the application's data, uninstalling, rebooting and re-installing andOTP. It still asks for a password
I do not have my phone rooted and have no interest in doing so.

Please help.

The backup file can be anywhere, you can choose the location when creating a backup.

If you want to delete all data from andOTP the easiest way would be to go to your phones settings: Apps -> andOTP -> Storage and cache -> Clear storage (this can be called slightly different depending on your phone). This needs to be done while andOTP is still installed.
After that you can set it up again with a new password.
 

CodeScrubber

New member
Feb 10, 2022
2
0
The backup file can be anywhere, you can choose the location when creating a backup.

If you want to delete all data from andOTP the easiest way would be to go to your phones settings: Apps -> andOTP -> Storage and cache -> Clear storage (this can be called slightly different depending on your phone). This needs to be done while andOTP is still installed.
After that you can set it up again with a new password.
Thanks, flocke000.

I tried deleting the data and cache, that did not work initially. I was also uninstalling and reinstalling the app as well as rebooting the phone.

Eventually, I just deleted the data and cache and nothing else, that worked.

One thing that would have helped me was a mention or link to the wiki near the top of the GitHub Home page. If one is not familiar with Github, the wiki tab is not obvious.

Sorry I didn't get around to deleting this post before you answered. Thanks for a nice app
 

IT-Mechanic

New member
Mar 12, 2022
2
0
Hi flocke000,

first thanks for your effort by developing with this app. I'm a little bit worried because I can't find the andOTP-App in the Play Store anymore. Did you replaced it with another app or has it been discontinued?

Would be glad to hear from you.

IT-Mechanic
 

flocke000

Senior Member
Apr 26, 2014
339
325
Oberhausen
It's not on the PlayStore anymore because Google made a mistake during the review. I submitted an appeal, but have not heard back from them yet. See this issue on Github: https://github.com/andOTP/andOTP/issues/954

But the development of andOTP has been stopped as well because of a lack of time on my side. I am currently working on a complete rewrite during the small amount of time I have.
 

flocke000

Senior Member
Apr 26, 2014
339
325
Oberhausen
Hello everyone,

I have a difficult announcement to make: I am going to stop maintaining andOTP and working on the rewrite for the time being.

As you probably have noticed, andOTP hasn't been updated for about a year now.
I started andOTP when I was still in university and had a lot of time on my hand.
For the last 2.5 years I have been working full-time as software developer and found it increasingly hard to motivate myself to still do some coding in my free time after spending 8h/day coding at work.

The app will stay available on Google Play and F-Droid for the time being, but it won't be updated anymore.
The Github repository will always stay available, but the issues/pull requests will be locked and the repo will be archived.
Feel free to fork andOTP and develop your own app if you want, I just request that you use a different name and give the appropriate credit if you do so.

I might change my mind sometime in the future and resume development (at least of the rewrite), but I currently don't see that happen any time soon.

Thank you guys for all the support over the years and an especially big thanks to all contributors.

Jakob
 

pholklore

Member
Oct 25, 2011
6
1
Thanks for all the work!

But seriously, why lock/archive the repo instead of calling for help from others to carry the torch, keeping the project alive (without forcing a rename/fork)? A project should be able to outlive its founder.
 
  • Like
Reactions: trevtdogg

GalaxyA325G

Senior Member
May 11, 2021
333
51
Samsung Galaxy A32 5G
I am a noob. Please be gentle with me.
  1. My Android 12 is not rooted, and it has no Google Account
  2. For privacy reasons that everyone understands
  3. I used to get my email for years using the K9 MUA
  4. Using login/password authentication
  5. On May 30th, 2022 Google deprecated username/passwd
  6. Hence Android K-9 stopped working
  7. But Windows Thunderbird (with OAuth2 via the web) worked fine
  8. So I "thought (wrongly!) that OAuth2 would work on Android
  9. So I switched to FairMail because it supports OAuth2
  10. However, it CREATED a Google Account on the phone
  11. Which is no fault of the wonderful developer!
  12. The problem is it costs HIM money to support OAuth2 via web
  13. The FairMail developer suggested I use an "otp" program
  14. Because of 2FA/2SV/MSA/MSV privacy implications
  15. Because I do NOT want my phone number associated with email
  16. Which is what brought me to this thread. :)
    • andOTP - Android OTP Authenticator by Jakob Nixdorf
    • free, no ads, no gsf, rated 4.3, 100K+ installs
    • Google Play, F-Droid, GitHub, XDA
The problem is that I'm a noob, and that I was forced into use of 2FA/2SV/MFA/MSV which means I'm just trying to recover from Google's May 30th elimination of login/password authentication for 3rd-party MUAs on Android.
  • I was using login/password on Android until May 30th
  • Now I have to use "something else"
  • Almost every "something else" requires 2FA/2SV/MFA/MSV
  • Even "app passwords" do
  • And I don't have any hardware or USB token equipment
  • As I'm just a noob user who wants to read my email
  • Using a 3rd-party MUA (becuase GMail also CREATES an account)
So I'm resigned to have to use 2FA/2SV/MFA/MSV.
Hence I'm just trying to follow the FairMail developer's suggestion.
Of using an OTP app.

The issue with being a noob is I don't know how to USE an OTP app!
I haven't (yet) found a step-by-step tutorial for a user like me.
  • I don't have a Google Account on my phone
  • And I don't want one (so OAuth2 isn't available to me)
  • I just want to log into my Google email account
  • It seems that my only logical choice is 2FA/2SV/MFA/MSV
But I don't know what to put into the form when andOTP comes up.
And reading this thread didn't tell me what to put into the forms.

I guess I'm just supposed to know.
But I don't.

Flocke's nicely written andOTP asks for one of three things:
  1. Scan QR code
  2. QR code from image
  3. Enter details
Being a noob, but knowing "what" a QR code is, I first state that I have no idea whatsoever WHERE I'm supposed to GET that QR code; but luckily, there's that third option of manually entering the details.

The details Flocke's nicely written andOTP asks for are:
  1. Type = TOTP (available are TOTP, HOTP, MOTP & STEAM)
  2. Issuer = <blank> (editable)
  3. Label = <blank> (editable)
  4. Secret = <blank> (editable)
  5. Tags = <blank> (editable)
  6. Period 30 (editable)
  7. Digits = 6 (editable)
My question...

Q: What is the typical set of details above for a typical 3rd-party MUA to access a Google Email Account [for a user who has no accounts on his phone (not Google, not Samsung, not to any mothership)]?
 

Attachments

  • otp01.jpg
    otp01.jpg
    115.3 KB · Views: 42
  • otp02.jpg
    otp02.jpg
    146.9 KB · Views: 50
  • aurora10.jpg
    aurora10.jpg
    128.1 KB · Views: 42
  • galaxy01.jpg
    galaxy01.jpg
    94.3 KB · Views: 45
Last edited:

scientia_2

New member
Jul 4, 2022
1
0
Three days ago my entire list of accounts disappeared from the application. Using restore did nothing. I am sorry to hear that no further development is being made - I am a supporter of open-source technology and development for many, many years.
 

e5e197740b

Member
Apr 28, 2019
13
2
OTP standard have been finalized and static for years.
Saving files in a save and encrypted manor ond a smartphone is fairly worked out and unlikely to change anytime soon.

Therefore my question:

Can I still recommend AndOTP to friends who are not that tech savy?

I'd hate for them to use the Google, Microsoft variants or Authy. And the only other things seems to be FreeOTP and I never tried that and it has RedHat as a publisher.

I hope somebody carries the torch and makes a fork the community can come together on.
 
  • Like
Reactions: trevtdogg

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    So I'm resigned to have to use 2FA/2SV/MFA/MSV.
    Hence I'm just trying to follow the FairMail developer's suggestion.
    Of using an OTP app.

    Good news for those of us who do NOT want to lose your privacy with 2FA/2SV/MFA/MSV which is that the K-9 Mail and Thunderbird Mail teams worked together to release version 6.201 of K-9 Mail which is the first Android third-part MUA (that I know of) which will perform the OAUth2 authentication to Google email servers over the web WITHOUT resorting to the creation of a Google Mothership Tracking Account on the phone!
  • 25
    [Unmaintained] andOTP is currently unmaintained. See this post for more details.

    andOTP is a two-factor authentication App for Android 4.4+.

    It currently implements Time-based One-time Passwords (TOTP) like specified in RFC 6238.
    Simply scan the QR code and login with the generated 6-digit code.

    Features
    • Free and Open-Source
    • Requires minimal permissions:
      • Camera access for QR code scanning
      • Storage access for import and export of the database
    • Encrypted storage with two backends:
      • Android KeyStore
      • Password / PIN
    • Multiple backup options:
      • Plain-text
      • Password-protected
      • OpenPGP-encrypted
    • Sleek minimalistic Material Design with three different themes:
      • Light
      • Dark
      • Black (for OLED screens)
    • Great Usability
    • Compatible with Google Authenticator

    Download

    Original app

    This app is a fork of the great OTP Authenticator app written by Bruno Bierbaumer, which has sadly been inactive since 2015. All credit for the original version goes to Bruno.

    This is my first Android app and my first larger programming project in a while so the code might be a little bad right now. I appreciate every tip/fix I can get, so any developer with more experience can feel free to look at the code and criticize me ;)

    Contribute

    • Translation: If you want to help translate andOTP into your language head over to the Crowdin project
    • Bug reports and feature requests: You can report bugs and request features in the Issue tracker on GitHub
    • Discussion and support:
      • This XDA thread (please keep the off-topic to a minimum)
      • Telegram channel @andOTP


    XDA:DevDB Information
    andOTP, App for all devices (see above for details)

    Contributors
    flocke000, Bruno Bierbaumer
    Source Code: https://github.com/andOTP/andOTP


    Version Information
    Status:
    Stable
    Current Stable Version: 0.6.3
    Stable Release Date: 2019-10-06

    Created 2017-07-15
    Last Updated 2019-10-06
    7
    Release v0.5.0

    I just pushed a new release to Google Play and uploaded the APKs to Github. As always, the F-Droid release will most likely take a couple of days.

    Changelog
    • New feature: Intro screen when staring the app for the first time to setup encryption and authentication
    • New feature: Broadcast receivers to trigger backups from Tasker (PR #115)
    • New feature: Add support for using Android Backup (Issue #109, PR #111)
    • New feature: Optionally append date to backups (PR #124)
    • New feature: Check if entries are valid when entering manually (Issue #135, PR #136 by Björn Richter)
    • New feature: Offer different options when using the tag selection (Issue #133, PR #134)
    • New feature: Show a warning before changing the encryption
    • Bug fix: Fix crash when saving an empty label (Issue #138, PR #139 by Björn Richter)
    • Bug fix: Fix visibility of thumbnails in dark themes (Issue #88, PR #90)
    • Bug fix: Don't require credentials again after screen rotation (Issue #152)
    • Thumbnails: new thumbnails (see the wiki)
    5
    Changelog

    v0.6.3
    • Security: Improved password derivation for the password protected backups
    • New feature: Prevent screencapture in the Authentication and QR scanner screen (Issue #378, PR #386 by @Schwedenmut)
    • New feature: Color navbar according to the theme (Issue #284, PR #371 by @HarryJohnso)
    • Bug fix: Fix "all tags" only selecting visible tags (Issue #333, PR #350 by @RichyHBM)
    • Bug fix: Focus the password/PIN input field on start (Issue #356, PR #357 by @Schwedenmut)
    • Bug fix: Fix spelling of "QR code" (PR #368 by @Yegortimoshenko)
    • Bug fix: Always use arabic numerals for the tokens (Issue #359)
    • Bug fix: Refactor storage access code to allow importing and exporting from cloud storage directly
    • Bug fix: Hardcode the black background color to avoid strange behaviour on some custom ROMs
    • Bug fix: Force English locales for saving AuthMethod
    • Misc: Update donation links (PR #351)
    • Thumbnails: Lots of new thumbnails
    • Translations: Hungarian


    v0.6.2
    • Bug fix: Proper handling of RTL layouts by forcing LTR for the tokens (PR #280 by @ahangarha)
    • Internal: Image compression (thanks to @Peppernrino)
    • Thumbnail: Add a LOT of new thumbnails (thanks to everybody that contributed)
    • Translation: New Arabic, Traditional Chinese, Japanese, Persian and Swedish translations (thanks to all contributors on Crowdin)

    v0.6.1
    • New feature: Enable Android Backup by default if available and using the password encryption
    • Bug fix: Fix crash in the manual entry dialog on KitKat
    • Bug fix: Fix thumbnail generation on KitKat
    • Thumbnail: Add MediaWiki

    v0.6.0
    • New feature: HOTP support
    • New feature: Settings item to activate Broadcast backups
    • New feature: Re-locking of the app on screen off is now optional (Issue #28)
    • New feature: Allow PGP backups with only a public key (Issue #31)
    • New feature: Show individual timeout bars on the cards for non-default periods
    • New feature: App shortcuts to add new entries (Issue #185)
    • New feature: Ask for the backup password if it's not available (Issue #182)
    • New feature: Allow installation on external storage (PR #206 by @leggewie)
    • Bug fix: Avoid crash on empty PIN/Password an API 23 (Issue #159, PR #160 by magnus anderssen)
    • Bug fix: Honor the system accessibility settings for the font size (Issue #71, PR #192 by @mbertram)
    • Bug fix: Make the new entry dialog scrollable (Issue #196)
    • Bug fix: Fix autofill of the password fields (Issue #215, PR #218 by @z3ntu)
    • Bug fix: Extend thumbnail generation to non-latin letters and digits (PR #234 by @JeanDeaual)
    • Bug fix: Show new entries at the top of the list when using last used sorting (Issue #211)
    • Bug fix: Fix a crash on the settings page (Issue #197)
    • Internal: Replace custon FAB menu with Floating Action Button Speed Dial library (Issue #155 and #186)
    • Style/UI: Use AboutLibraries instead of LicenseDialog and rework the About section (Issue #155)
    • Style/UI: Show a disclaimer about the included thumbnails in the About screen
    • Update: ZXing Android Embedded (3.6.0), Constraint Layout (1.1.2) and all support libraries (27.1.1)
    • F-Droid: Add the feature graphic and some screenshots (PR #117 by @jaller94)
    • Thumbnails: lots of new thumbnails (see the wiki)

    v0.5.0
    • New feature: Intro screen when staring the app for the first time to setup encryption and authentication
    • New feature: Broadcast receivers to trigger backups from Tasker (PR #115)
    • New feature: Add support for using Android Backup (Issue #109, PR #111)
    • New feature: Optionally append date to backups (PR #124)
    • New feature: Check if entries are valid when entering manually (Issue #135, PR #136 by Björn Richter)
    • New feature: Offer different options when using the tag selection (Issue #133, PR #134)
    • New feature: Show a warning before changing the encryption
    • Bug fix: Fix crash when saving an empty label (Issue #138, PR #139 by Björn Richter)
    • Bug fix: Fix visibility of thumbnails in dark themes (Issue #88, PR #90)
    • Bug fix: Don't require credentials again after screen rotation (Issue #152)
    • Thumbnails: new thumbnails (see the wiki)

    v0.4.0
    • New feature: Password-based encryption (a big thanks to all the testers)
    • New feature: Enforce a minimum password / PIN length (Issue #107)
    • New feature: Add an additional unlock button to the authentication (Issue #87)
    • New feature: The thumbnail toggle is now in the size selector (Issue #98, PR #102)
    • New feature: Split the tokens into blocks (Issue #83, PR #83 by DanielWeigl)
    • New feature: Account name is now shown in the removal confirmation (Issue #84)
    • New feature: Advanced options are now hidden in the manual entry dialog (Issue #85)
    • New special feature: Clear the KeyStore (use with caution)
    • Bug fix: Change the format used to store and set the language (Issue #112)
    • Bug fix: Add some extra padding the the RecyclerView (Issue #95)
    • Bug fix: Remove gradients from vector thumbnails (Issue #103, PR #97)
    • Thumbnails: a lot of new thumbnails (check the wiki for details)
    • Translation: Catalan (ca-rES) thanks to isard

    v0.3.1
    • Move: the Github repository was moved from flocke/andOTP to andOTP/andOTP for better organization of collaborators
    • New feature: assign (predefined) images to entries (Issue #14, PR #75, again thanks to [URL="https://github.com/richyhbm" @RichyHBM[/URL] for the implementation)
    • New feature: sort labels locale-sensitive (PR #74 by carmebar)
    • New feature: re-hide the revealed entries after a configurable timeout (Issue #77)
    • New feature: add sorting by last usage (Issue #67)
    • New feature: improved error messages during the import of backups
    • New feature: make the replace switch default to false (Issue #80)
    • New special feature: disable Special features again
    • New special feature: enable screenshots in the main Activity
    • Bug fix: use sp for font sizes (to make them scalable)
    • Bug fix: disable the save button in a manual entry until label and secret are not empty (Issue #82)
    • Style/UI: better description of the replace switch
    • Update: Android SDK 27 (Issue #76)
    • Update: Android Gradle plugin 3.0.1
    • Translation: Chinese Simplified (zh-rCN) thanks to Cp0204

    v0.3.0
    • New feature: tagging support (Issue #37, PR #64, big thanks to [URL="https://github.com/richyhbm" @RichyHBM[/URL] for actually implementing this)
    • New feature: settings option to scroll overlong labels instead of just truncating them
    • New feature: option to append entries during import instead of just replacing everything
    • New feature: in-app language switcher (Issue #53)
    • Bug fix: convert secrets to upper case when importing from JSON (Issue #55)
    • Bug fix: some layout fixes for certain translations (Issue #58)
    • Style/UI: new adaptive icon for Android 8+ (Issue #65)
    • Style/UI: remove card elevation
    • Update: Android Studio 3
    • Update: Gradle 4.1 / Android Gradle Plugin 3.0

    v0.2.8
    • New feature: store authentication credentials hashed (Issue #49)
    • New feature: store backup password encrypted (Issue #49)
    • New feature: set a static backup dir to disable the file selector (Issue #52)
    • New feature: special features (see wiki)
    • New special feature: SteamGuard tokens (Issue #38)
    • Style/UI: black theme (Issue #47)
    • Bug fix: keep authentication settings when receiving a Panic Trigger (Issue #50)
    • Bug fix: progress bar animation with default duration scale
    • Translation: Czech (cs-rCZ) thanks to Picard0147

    v0.2.7
    • New feature: require authentication again after screen lock (Issue #28)
    • New feature: make response to Panic Trigger configurable (Issue #35)
    • Bug fix: prevent adding duplicate entries (Issue #41)
    • Update: Android SDK 26 (Oreo)
    • Update: Apache Commons Codec 1.10
    • Code: lot of internal changes (mostly due to the Android 26 update)
    • Translation: French (fr-rFR) thanks to Johan Fleury
    • Translation: Durch (nl-rNL) thanks to T-v-Gerwen and rain2reign
    • Translation: Galician (gl-rES) thanks to Triskel
    • Translation: Russian (ru-rRU) thanks to Victor Nidens, Ilia Drogaitsev and Dmitry

    v0.2.6
    • New feature: custom password preference with confirmation (Issue #26)
    • New feature: use an individual password or PIN to lock the app (Issue #23)
    • New feature: support for Panic Trigger (PR #27 by carmebar)
    • New feature: support for variable digits lenths (PR #30 by SuperVirus)
    • Bug fix: OpenPGP with security token (Issue #20, PR #25 by carmebar)
    • Style/UI: add Contributors, Translators and Translate to About
    • Code: internal refactoring
    • Translation: German (de-rDE) thanks to SuperVirus

    v0.2.5
    • New feature: sort the entries by label (Issue #12)
    • New feature: add support for SHA256 and SHA512 (Issue #24)
    • Bug fix: show current theme in the settings
    • Bug fix: don't show FloatingActionMenu when scrolling while searching
    • Code: lots of internal refactoring
    • Translation: Polish (pl-rPL) thanks to Daniel Pustuła
    • Translation: Spanish (es-rES) thanks to Carlos Melero

    v0.2.4
    • New feature: make the font size of the labels configurable (Issue #18)
    • Style/UI: Dark theme (Issue #3)
    • Bug fix: make the backup activity scrollable (Issue #15)
    • Bug fix: remove swipe-to-dismiss to avoide accidental deletions (Issue #13)
    • Bug fix: use the whole card for tap-to-reveal, not just the token (Issue #10)
    • Code: internal changes (as always)

    v0.2.3
    • New feature: encrypted backups with password
    • New feature: show a warning about backups on the first launch
    • Style/UI: rename Export and Import to Backup and Restore
    • Bug fix: don't require device authentication again after screen rotation (Issue #7)
    • Bug fix: hide the FloatingActionMenu on scroll (Issue #8)
    • Bug fix: rename the apps launcher icon to "andOTP" (Issue #6)
    • Bug fix: restrict the label size so they don't overlap with the buttons (Issue #9)
    • Code: lots of internal refactoring

    v0.2.2
    • Bug fix: resume import and export after permission request
    • Bug fix: implement a working hashCode function for the Entry class
    • Code: add missing copyright headers
    • Code: fix some tests
    • Code: remove outdated tests

    v0.2.1
    • New feature: encrypted backups using OpenPGP
    • Style: new about screen
    • Style: new backup screen
    • Code: a lot of refactoring

    v0.2.0
    • New feature: copy token to clipboard
    • New feature: device credentials to unlock app
    • New feature: manually enter account details
    • New feature: search
    • New feature: settings activity
    • New feature: tap to reveal
    • Style: replace FAB with a custom FloatingActionMenu
    • Style: replace all Snackbars with Toasts
    • Update: ZXing Android Embedded v3.5.0
    • Code: a lot of internal fixes and refactoring
    • Code: initial groundwork to support different types of OTP tokens (e.g. HOTP)

    v0.1.0
    • Initial release (beta) of the fork
    4
    I see andOTP is not updated since 2018, it's still developed?

    Not really at the moment. I just don't have a lot of free time to spend on it.
    But I am planing on publishing a new release with some minor fixes and a lot of new icons later this week.

    There won't be any more major update to andOTP though, as I am spending most of my time writing a new 2FA app entirely from scratch.
    I wrote a little bit more on the reasons behind that on the Github wiki: https://github.com/andOTP/andOTP/wiki/The-Rewrite
    3
    @flocke000 can i request a thumbnail icon for Reddit please? Reddit just released 2FA. Source.

    We just released a new version which includes an icon for Reddit ;)
    It is already on Google Play and should hit F-Droid in a few days.