Who makes this? How do I know it is trustworthy? I know it's supposed to be open source, but when you install from the app store you don't really know what you are installing. I trust Twilio's Authy a tad more than a random app with a nice home page.
> When you use our app we collect: Your phone number, device information, and email address.
> When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if your account is compromised or may be compromised.
> We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
> Your information will be transferred to the U.S.
> Your personal information may be transferred to the United States, and possibly other countries where we or our service providers operate.
> In addition, we may share your information with third parties as follows: Compliance with Laws. We may disclose your personal information to a third party if (i) we reasonably believe that disclosure is compelled by applicable law, regulation, legal process or a government request (including to meet national security or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose personal information to assist in preventing a death or serious bodily injury.
> Business transfers. If we go through a corporate sale, merger, reorganization, dissolution or similar event, personal information we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. Any acquirer or successor may continue to use the personal information as described in this notice.
I would trust Aegis over Authy any day. As you can see from the source code, Aegis does not expose users to these privacy risks. Even though Aegis has automatic encrypted backup features, Aegis itself does not request the internet access permission.
SendGrid does not support the TOTP standard (or any authenticator apps other than Authy), because as you mention, SendGrid and Authy are both owned by Twilio:
It is also available on f-droid, and they compile the apps themselves instead of distributing compiled apps. So if you trust f-droid, you know it is the same as the open source code.
F-Droid does check code for privacy violations before accepting it. Any potential privacy violations are labeled as "anti-features" and apps that don't meet F-Droid's inclusion criteria are rejected:
Aegis doesn't even request the internet permission. Compare that with Authy, which logs users' IP addresses, login activity, phone numbers, and email addresses, and states that users' data and personal information will be shared with third parties for any reason Authy wants to:
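The claim in the two posts above (that the app never requests the internet permission) is something you can check yourself from the manifest in the app's source tree. The following is an added example of that check, not code from Aegis, Authy, or F-Droid; the two manifests in it are constructed samples, not the real apps' manifests.

```python
"""List the permissions an Android app requests in its AndroidManifest.xml
and report whether it can reach the network at all.

Added illustration of the verification step the thread relies on; it is not
code from Aegis, Authy, or F-Droid. Both manifests below are constructed
samples (hypothetical package names), not the real apps' manifests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INTERNET = "android.permission.INTERNET"

# Constructed sample: an offline authenticator that wants the camera (to scan
# QR codes) and storage (to write its backup file), but no network access.
OFFLINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.offline.authenticator">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:label="Offline Authenticator" />
</manifest>
"""

# Constructed sample: a cloud-backed authenticator that needs the network and
# the device's phone state (the kind of access a phone-number-based service uses).
ONLINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.cloud.authenticator">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
    <application android:label="Cloud Authenticator" />
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission name declared with <uses-permission> or
    <uses-permission-sdk-23> in the manifest (the android: namespace is
    resolved so the attribute lookup matches regardless of prefix)."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def can_reach_network(manifest_xml: str) -> bool:
    """True if the app declares android.permission.INTERNET. Without it the
    system denies the app any socket access, so this is the decisive check
    for "does this app ever talk to a server"."""
    return INTERNET in requested_permissions(manifest_xml)


def permission_report(manifest_xml: str) -> dict:
    """Summarise the manifest for a quick review."""
    perms = requested_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "network": INTERNET in perms,
    }


if __name__ == "__main__":
    for label, manifest in (("offline", OFFLINE_MANIFEST), ("online", ONLINE_MANIFEST)):
        print(label, permission_report(manifest))
```

The manifest inside a published APK is stored in a binary XML encoding, so run this against the manifest in the source tree (which is what F-Droid builds from) or decode it first with a tool such as `aapt` or apktool; the point of using the source manifest is that it is the one the reproducible build actually compiles.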
Twilio has had 2 data breaches this year, and the second one involved Authy. Since Authy does not use end-to-end encryption, hackers were able to obtain 2FA credentials from any Authy account, and they compromised the accounts of 93 Authy users:
On top of that, Authy is closed source and its code has never been audited, not even by F-Droid. There is no way to use Authy without sending your personal information to a service that states it will not promise to keep it private.
There is no good reason to trust Authy over Aegis.