Your 2FA codes.
Offline.
Tokn is a free, open-source authenticator for Android. Your one-time codes stay on your device, encrypted. No account, no cloud, no analytics.
TOTP and HOTP codes, generated offline on Android. No account stands between you and your 2FA.
Private by design
No sign-up, zero telemetry, and no Google Play Services on your device.
Encrypted vault
Stored in an SQLCipher database, unlocked with biometrics or a password.
Fully offline
Codes are generated locally on your phone. Nothing is sent anywhere.
Open source
GPL-3.0, source on GitHub, and published on F-Droid.
Features
Everything you need, nothing that phones home
A polished Material 3 vault with the controls you would expect, and a few that other authenticators leave out.
- Encrypted vault
- Your tokens live in an SQLCipher database. Unlock with a fingerprint, your face, or a password.
- Device-to-device sync
- Move accounts to a new phone over local Wi-Fi, Wi-Fi Direct, or an animated QR code. The handshake is end-to-end encrypted and never leaves your network.
- Backup and restore
- Encrypted backups for migrating phones or just keeping a copy you control.
- Import from anywhere
- Bring accounts over from Aegis, 2FAS, Stratum, Google Authenticator, or any otpauth URI.
- Organize with groups
- Sort accounts into custom groups, more than one per account, and order the list your way.
- Material You
- Material 3 design with light, dark, or system themes and optional dynamic color.
Security
Locked down by default
Most authenticators hand over your tokens the moment you open them. Tokn keeps them sealed until you prove it is you.
- Encrypted at rest
- Tokens live in an SQLCipher database. Without your key, the vault is just noise.
- Biometric or password unlock
- Open the vault with a fingerprint or your face, with a password as the fallback.
- Screenshot protection
- Optionally keep codes out of the recents preview and block screen capture.
- Standards based
- TOTP and HOTP per RFC 6238 and RFC 4226, with SHA-1, SHA-256 and SHA-512.
Sync
Move to a new phone without a server
No cloud account is involved. Pick how the two devices talk, scan to pair, and your accounts come across. The handshake is end-to-end encrypted and nothing leaves the local network.
Local Wi-Fi
Both phones on the same network pair and transfer directly.
Wi-Fi Direct
No shared network needed. The devices connect to each other.
Animated QR
Fully offline. An animated QR carries the encrypted payload across.
Switching over
Coming from Aegis, Stratum, Authy, or Ente Auth?
Tokn is a free, open-source authenticator in the same spirit as Aegis and Ente Auth, and a fully offline alternative to cloud apps like Authy and Google Authenticator. Wherever your old app lets you export, Tokn reads the format directly, so you are not re-adding every account by hand. Keep an encrypted backup while you are at it.
Works with any service that supports standard TOTP or HOTP two-factor authentication
How it compares
Tokn next to the apps people switch from
The honest version. Aegis is a close cousin and 2FAS is solid too. Where Tokn pulls ahead is moving accounts to a new phone with no server in the middle.
| ToknTokn | AegisAegis | GAuthGoogle Auth | 2FAS2FAS | StratumStratum | AuthyAuthy | |
|---|---|---|---|---|---|---|
Open source | Yes | Yes | No | Yes | Yes | No |
No secrets in the cloud No account sync of your tokens | Yes | Yes | Partial | Partial | Yes | No |
Encrypted vault at rest Encrypted on disk with a key only you can unlock | Yes | Yes | Partial | Yes | Yes | Partial |
Biometric / app lock Gate access with a fingerprint or PIN | Yes | Yes | Yes | Yes | Yes | Yes |
No Google Play Services Runs on de-Googled phones, on F-Droid | Yes | Yes | No | Partial | Yes | No |
Local network sync Move accounts over Wi-Fi, Wi-Fi Direct or an animated QR code | Yes | No | No | No | No | No |
Self-controlled backups Export an encrypted copy you own | Yes | Yes | No | Yes | Yes | No |
Import from other apps Bring tokens over from other authenticators | Yes | Yes | No | Yes | Yes | No |
Custom icons & icon packs Pick your own images, or import Aegis-style packs | Yes | Yes | No | Yes | Yes | Partial |
Organize with groups Sort into custom groups, more than one per account | Yes | Yes | No | Yes | Yes | No |
Material You theming Dynamic color, light / dark / system | Yes | Yes | Yes | Partial | Partial | No |
Compared with Google Authenticator and Authy, Tokn is open source, keeps your tokens off the cloud, and lets you export an encrypted backup you control instead of locking you into an account. Aegis, Stratum and 2FAS share most of that privacy-first foundation. What sets Tokn apart is moving your accounts to a new phone with no server in the middle, over the local Wi-Fi network, Wi-Fi Direct, or an animated QR code.
FAQ
Questions, answered
How is Tokn different from Google Authenticator or Aegis?
Against Google Authenticator the gap is wide: your codes sit in an encrypted vault behind biometrics or a password instead of being on screen the second you open the app, it is open source, runs without Google Play Services, and you can export, back up, and move your accounts yourself. Aegis is a close cousin, also open source, encrypted, and offline. What Tokn adds is moving accounts to a new phone without a server, over local Wi-Fi, Wi-Fi Direct, or an animated QR code.
Where are my codes stored?
Only on your device, inside an SQLCipher-encrypted database. There is no account and no server. Codes are generated locally per RFC 6238 (TOTP) and RFC 4226 (HOTP), with SHA-1, SHA-256, and SHA-512 support.
I am switching from another app. Will my accounts come over?
Yes. Tokn imports from Aegis, 2FAS, Stratum, Google Authenticator, and standard otpauth:// URIs. Load an encrypted backup or export from one of those apps, scan a QR code with the camera, pick a QR image from your gallery, or type a secret in by hand.
How do I move to a new phone?
Two ways. Use an encrypted backup file, or sync device to device over local Wi-Fi, Wi-Fi Direct, or an animated QR code. The sync handshake is end-to-end encrypted and nothing leaves the local network.
Does Tokn need an account or internet access?
Neither. Tokn works fully offline. The optional internet permission is only used if you opt in to fetching service icons, and it is disabled by default.
Is it really free, and can I help?
Tokn is free software under the GPL-3.0. The code, releases, and issue tracker are on GitHub. Feature ideas, bug reports, and pull requests are all welcome.
Where can I report a bug?
Open an issue on the GitHub issue tracker at github.com/fthomys/tokn/issues. Include your Android version, how to reproduce it, and what you expected to happen. If you would rather not use GitHub, email us instead:
Get Tokn
Install the app, add your first account in a few seconds, and keep your second factor where it belongs: with you.