Yubico Authenticator generates TOTP codes from secrets stored in a YubiKey’s secure element, not on the phone or computer. Each code generation requires the physical key to be present, making credential theft from a compromised device nearly impossible. The app itself is open-source under GPLv3 and works on Windows, macOS, Linux, and Android.
Yubico Authenticator
yubico.com/products/yubico-authenticator
Moving TOTP secrets off the device and into hardware is a meaningful security upgrade over any phone-based authenticator. If your phone is stolen or your computer is compromised, an attacker still cannot generate codes without the physical YubiKey. The catch is the dependency: you must own a compatible YubiKey, and losing the key without a backup means losing access to all accounts stored on it. That makes backup discipline non-negotiable. For users who already carry a YubiKey for passkeys or SSH, this is the obvious companion app; for everyone else, the hardware cost and backup requirement raise the bar compared to apps like Aegis.
Permissive like MIT, with an explicit patent grant and a requirement to flag any changes you make.
Permits
- Commercial use
- Modification
- Distribution
- Patent use
- Private use
Requires
- License and copyright notice
- State changes
Does not provide
- Trademark use
- Liability cover
- Warranty
Why it matters: Permissive licensing lets anyone reuse this, including inside closed products. That is freedom to build on, but no guarantee that downstream copies stay open.
Plain-language summary of the project's license, not legal advice. Read the full text for the exact terms.