FreeOTP+ Review: The Privacy-First 2FA App for Offline Security

Read our FreeOTP+ review. A strictly local, open-source 2FA app with no cloud sync. See features, backup tips, and how it compares to Aegis and Authy.

What is FreeOTP+?

FreeOTP+ is a free, open-source two-factor authentication app for Android and iOS. It’s a community-driven fork of Red Hat’s original FreeOTP, created by developers who wanted more control over features and updates. The core philosophy: no accounts, no cloud sync, no telemetry. Every secret stays on your device, encrypted at rest. This FreeOTP+ review will show you exactly what sets it apart.

Why Fork FreeOTP?

The original FreeOTP by Red Hat was fine for basic 2FA, but it stagnated. No dark mode, limited export options, no unlock timeout. The FreeOTP+ fork fixed those gaps. The developers added:

  - A native dark theme (finally).
  - Image-based QR code export for safer backups.
  - A configurable unlock timeout (lock after 30 seconds or never).
  - Encrypted backup files (AES-256-GCM) you control.

All code is on GitHub, and commits are regular. As of January 2025, the latest release is v2.4.1, with active issue tracking and community contributions.

The Trade-Off You Must Accept

No cloud sync means no recovery if you lose your phone unless you manually export your secrets. That’s the deal. You trade convenience for total privacy. If you want automatic backups, look at Authy or Google Authenticator. But if you distrust cloud services and prefer a local-first approach, FreeOTP+ is a strong pick.

Who Should Use It?

Privacy purists, FOSS enthusiasts, and anyone who already manages their own backups. If you’re comfortable exporting encrypted QR codes to a USB drive or offline password manager, FreeOTP+ gives you complete ownership. If you want “set and forget,” this isn’t for you.

Standout features

FreeOTP+ keeps its feature list deliberately short, and that’s exactly what makes it work. But to understand why you’d choose it over the competition, you need to see how it stacks up against the other local-first heavyweights: Aegis (version 3.4, free) and andOTP (version 0.8.6, free). Both offer more features, but FreeOTP+ wins on simplicity and a smaller attack surface.

Core token support: TOTP and HOTP

All three apps handle TOTP and HOTP. Aegis adds Steam Guard tokens and even supports importing from Google Authenticator’s QR codes. andOTP includes a token grouping feature for organizing accounts by category. FreeOTP+ gives you neither – just flat lists of tokens sorted by name. If you have 50+ accounts, you’ll feel the lack of folders. But for the 10-15 tokens most people actually use, the flat list is fine.

Encrypted exports: the killer feature, with a catch

This is where FreeOTP+ separates itself from the pack. The export workflow is dead simple, but you need to do it right. Here’s the step-by-step backup process:

  1. Open FreeOTP+ and tap the three-dot menu in the top right.
  2. Select “Export tokens” and choose “Encrypted export.”
  3. Enter a strong password – at least 12 characters, mix of letters, numbers, and symbols. This password encrypts your entire token file using AES-256.
  4. The app generates a .json file. Save it to your phone’s storage.
  5. Immediately transfer that file to at least two locations: an encrypted USB drive and a cloud storage service you trust (like Cryptomator or Tresorit).
  6. Delete the file from your phone’s local storage – leaving it there defeats the purpose of encryption.

The recovery pitfalls are real. If you forget that export password, your tokens are gone forever – no recovery email, no password reset. If you lose the file, same result. Aegis offers a similar encrypted export, but adds a “plaintext backup” option that’s easier to lose control of. andOTP requires you to manually enable encrypted backups in settings – it’s not on by default, which catches new users off guard.
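As an added example (not part of FreeOTP+ or of the original review), the shell functions below carry out steps 5 and 6 on a computer: copy the exported file to two destinations, verify each copy by SHA-256, and delete the original only when both copies match. The function names and all paths are assumptions, and the export is treated as opaque bytes.

```shell
#!/bin/sh
# Added example: back up a FreeOTP+ export to two places and verify it.
# Hypothetical usage: sh backup_export.sh export.json /media/usb /mnt/vault
# The export's internal format is not assumed; only its bytes are hashed.

sha256_of() {
    # Print the hex SHA-256 of a file (GNU sha256sum, else BSD/macOS shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

backup_export() {
    # usage: backup_export EXPORT_FILE DEST_DIR_1 DEST_DIR_2
    src=$1; d1=$2; d2=$3
    [ -f "$src" ] || { echo "no such export: $src" >&2; return 2; }
    [ -s "$src" ] || { echo "export is empty: $src" >&2; return 2; }
    # Two copies in one directory are a single backup, not two.
    [ "$d1" != "$d2" ] || { echo "destinations must differ" >&2; return 2; }
    want=$(sha256_of "$src") || return 2
    name=$(basename "$src")
    for dest in "$d1" "$d2"; do
        [ -d "$dest" ] || { echo "destination missing: $dest" >&2; return 3; }
        cp -- "$src" "$dest/$name" || return 3
        sync    # flush to the device before trusting the read-back hash
        got=$(sha256_of "$dest/$name")
        if [ "$got" != "$want" ]; then
            echo "hash mismatch in $dest, keeping original" >&2
            return 4
        fi
    done
    # Both copies verified: only now remove the original (step 6).
    rm -f -- "$src"
    echo "$want"    # record this hash to re-check the copies later
}

# Run only when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then
    backup_export "$@"
fi
```

Re-running `sha256_of` on each copy from time to time and comparing against the recorded hash catches silent corruption before you need the backup.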

Biometric lock and auto-lock timer

FreeOTP+ lets you lock the app with your phone’s fingerprint or face unlock, then auto-lock after 15 seconds, 1 minute, or 5 minutes. Aegis offers the same, but adds an option to lock immediately when the app goes to the background – a nice touch for paranoia. andOTP also has biometric lock, but its auto-lock timer maxes out at 10 minutes, which is too generous for a security app. FreeOTP+ hits the sweet spot with its 15-second minimum.

Dark and light themes

FreeOTP+ finally added a dark theme in version 1.2.0 – something the original FreeOTP never bothered with. Aegis has been doing dark mode since day one, with five different color accents to boot. andOTP offers both themes plus an “amoled black” option that saves battery on OLED screens. FreeOTP+ is catching up, but it’s still behind on customization.

Manual token entry and import

The original FreeOTP only scanned QR codes – a frustrating limitation. FreeOTP+ fixes this with manual key entry, which is essential for services that display setup keys as text (looking at you, some enterprise VPNs). Aegis goes further: it can scan QR codes from screenshots on your phone, which is a lifesaver when you’re migrating from another app. andOTP lets you import from Google Authenticator, Authy, and even plaintext files. FreeOTP+ only imports from its own encrypted exports – that’s the trade-off for simplicity.

The feature set is lean by design. You get no cloud sync, no multi-device management, no browser extension. Aegis offers a “sync via file” feature that lets you share your backup file between devices manually. andOTP has a similar setup. FreeOTP+ gives you nothing – you own the file, you manage the transfer. That’s the point. For the user who wants absolute local control and doesn’t trust any third-party sync mechanism, FreeOTP+ delivers exactly that – no more, no less.

Pricing

FreeOTP+ costs exactly $0.00 — no in-app purchases, no ads, no premium tier. It’s fully open source under Apache 2.0. The developers accept donations via GitHub Sponsors, but everything is included in the single free download. This is the simplest pricing model in any FreeOTP+ review, and it’s a direct reflection of the tool’s philosophy: no data collection, no monetization of your security.

| Feature | FreeOTP+ | Google Authenticator | Authy |
|---|---|---|---|
| Price | Free | Free | Free |
| In-app purchases | None | None | None |
| Ads | None | None | None |
| Open source | Yes (Apache 2.0) | Partial (core only, not all components) | No |
| Donation model | GitHub Sponsors | N/A | N/A |

That zero price tag isn’t a gimmick — it’s a promise. FreeOTP+ has no incentive to track you, sell your data, or lock you into a proprietary sync service. The real cost is the responsibility it places on you. Because there’s no cloud backup, no account recovery, and no device migration wizard, you are the sole guardian of your 2FA secrets. Lose your phone without a backup? You lose access to every account protected by those codes.

This trade-off is the core value proposition: you trade convenience for control. You pay with your time — setting up encrypted exports, storing offline QR codes, and testing your recovery workflow — not with your privacy. For anyone who distrusts cloud-synced authenticators or wants to audit every line of code that handles their secrets, that’s a bargain.

Who should use FreeOTP+?

FreeOTP+ is not for everyone – and that’s fine. This app is built for a specific user: the privacy absolutist who trusts no one with their 2FA secrets, not even a cloud provider. If you lose sleep over Authy’s proprietary sync or Google Authenticator’s account linkage, FreeOTP+ is your escape hatch.

The ideal user profile: You’re technically comfortable. You understand that “no cloud sync” means you are the backup system. You’re willing to manually export encrypted token files, store them offline (USB drive, encrypted note), and test your recovery process. You value auditability – FreeOTP+ is fully open source on GitHub, unlike Authy’s closed code.

The wrong user: Anyone who wants multi-device sync, automatic cloud backups, or a polished onboarding experience. FreeOTP+ has a barebones UI. No account recovery. No password manager integration. If you lose your phone without a backup, those 30 tokens are gone forever. Casual users should stick with Authy or Google Authenticator.

This FreeOTP+ review confirms its niche: a privacy-first tool for FOSS enthusiasts who accept the DIY burden. For that crowd, it’s peerless. For everyone else, it’s a risk.

Bottom line

This FreeOTP+ review confirms it’s the privacy purist’s choice: a strictly local, open-source 2FA app that rejects cloud sync entirely. You get zero accounts, zero telemetry, and a clean interface. The trade-off is brutal but honest: lose your phone without an encrypted backup, and you lose every token.

For users willing to manage manual exports, FreeOTP+ delivers unmatched control. But if you want one-click recovery or multi-device convenience, look at Aegis (more features) or Authy (cloud sync). FreeOTP+ isn’t for everyone – it’s for those who prioritize sovereignty over simplicity.
