I generally agree with this argument, but there is often a dangerous misunderstanding everyone has to be aware of: the security advantage of open source is public review / external tests (at best, both on a massive scale). However, open source does not imply that there is any review/test. Too often people use some “nice things” they found in some GitHub repo, developed with limited background knowledge by (widely unknown) single users (and thus not deployed much and thus not reviewed/tested), which are possibly less secure than proprietary solutions. Just some thoughts to keep in mind.
Another alternative for “true” 2FA (implying both factors on independent devices to avoid “single points of vulnerability” such as the OS):
It implements RFC 6238 and RFC 4226.