When it comes to cybersecurity, one layer isn't enough. A complex password (or one created with a password manager) does a good job of protecting your data, but it can still be cracked. Two-factor authentication strengthens this by adding a second layer of security, giving you even more protection against online threats.
With two-factor authentication, also known as 2FA, the service you're logging into will require two things to authenticate you: something you know and something you have. Your password serves as "something you know," and the 2FA app provides the "something you have" aspect. With 2FA, you need to have either your phone (or for some, your computer) nearby to log in, making it harder for a hacker far away to access your account.
While this second layer isn't foolproof, it does improve your defenses drastically. Even if someone were to obtain your password, they'd also need physical access to your phone to retrieve a temporary passcode to unlock your account. Not all websites support this feature, but most popular sites already do, and you can check compatibility using Two Factor Auth.
However, not all 2FA is the same. Some websites only support sending the code via SMS or email. These are less secure options as someone can access these methods remotely. That's why your best bet is an option with a software-based token, and that's the method supported by each of the apps on our list.
- Offline Mode: Ability to generate 2FA codes without the need for the internet.
- Open Source: The source code is available to the public for anyone to audit. While open source does provide an advantage, no app on our list is open source (although some leverage several open source technologies).
- Encrypted Backups: The database of tokens is encrypted and backed up separately from your device. This way, if you upgrade your phone, you can easily bring your codes with you without having to register your new phone with all your accounts.
- Desktop App: Whether the service has a desktop version, so you don't need your smartphone when logging into your accounts. Having a dedicated app is favorable over an extension, which limits you to one browser.
- Smartwatch App: The service supports one (or more) of the major smartwatch operating systems. Wear OS is the Android-based smartwatch operating system, while watchOS is the iOS-based smartwatch operating system. If an app supports one of these OSes, you can retrieve the codes even when your phone is in your pocket.
- Passcode Protection: Built into the app is the ability to lock out intruders using some form of authentication. Both Authy and LastPass support either a PIN code, fingerprint scanner, Touch ID, or Face ID (depending on which iPhone model you are using).
- Multi-Device Sync: The ability to sync data across multiple devices with access to your tokens. Any account added or removed on one device will be added or removed on the other devices as well.
- Adjustable OTP Time: The ability to adjust how long a one-time password stays valid. Shorter times make it harder for attackers to reuse a captured code, but can be too inconvenient. Typically, the default timer is anywhere between 15 and 30 seconds. For the two apps which support the feature, both require manual entries.
- Adjustable Code Length: The ability to adjust the size of the one-time password. For the two apps which support the feature, both require manual entries. Longer codes are harder to guess.
- Push Notifications: Instead of having to input codes, some apps on our list support push notifications. Tokens are exchanged in the background without requiring you to copy the numbers, so all you need to do is accept or deny the request. However, the website must support push authentication, and that support is limited for every app on our list.
- Security Notifications: The ability to send alerts whenever any changes are made to your accounts associated with the 2FA app. Microsoft Authenticator recently introduced this feature, where the app informs you if any changes happen to your account such as a password change.
- Password Manager: The ability to store user names and passwords for your various online accounts. While not necessary for an authenticator, having a one-stop-shop for your first line of defense is convenient.
- Autofill & Log In: The ability to automatically fill in and submit your login credentials. Unique to SAASPASS on our list, you can open an app and log in without touching anything.
To narrow down the field of 2FA apps on the iOS App Store and Google Play Store, we set some ground rules. As you can tell from the title of the article, we didn't believe it necessary to make a separate list for both Android and iOS. Because functionality is similar across both platforms, it seemed unnecessary to focus on one operating system over the other. Additionally, apps supporting both OSes will benefit more users as it is likely you are using one of these two mobile platforms (there are SailfishOS and technically Windows Phone users still out there, though).
Unfortunately, this decision did eliminate some great choices, including the open-source andOTP, which is limited to only Android.
A second requirement was that each app had to be currently supported by its developers. Regular support assures that bugs and vulnerabilities will be dealt with in a timely manner and that any new updates to the mobile operating system (such as the Autofill API on Android 8.0 Oreo and the Password Manager API on iOS 12) can be taken advantage of. We eliminated any app which hadn't received an update in at least a year. For example, FreeOTP was removed from consideration because its last update on Android was in 2016, and on iOS in 2014.
Because most of us don't want to pay for apps, we focused solely on free 2FA apps. While there are solid paid options, with so many excellent free options, we felt it made little sense to not limit our list to those. This way, the cost won't be a factor when deciding which of the apps on our list you should use.
Every app on our list supports the Time-based One-time Password Algorithm (TOTP), the preferred method for software-based token 2FA. With this requirement, you can be sure that anywhere 2FA via software-based token is available, these apps will work.
When I started researching for this list, I wasn't aware of SAASPASS. I came across it on the App Store and was intrigued by its stellar ratings. After installing the app to test it, I quickly learned why it deserved the rave reviews.
SAASPASS is one of the only authenticators on our list to require PIN protection. During initial setup, you're prompted to create a four-digit PIN code that you can change to six digits in the app's settings. You also have the option to use either fingerprint or facial recognition (currently limited to Apple's Face ID) after the initial setup.
I do wish SAASPASS would allow for stronger passcodes, particularly because one of its best features is the password manager, meaning SAASPASS allows you to store your online user names and passwords. Combine that with the basic 2FA token functionality and you can log in and authenticate in one action.
SAASPASS supports over 60 thousand websites, so chances are most (if not all) of the services you use will support it. You can even use it to remotely lock and unlock your computer.
SAASPASS also has the most extensive OS support on our list. On the mobile side, there's an app for BlackBerry alongside Android and iOS. For the desktop, you can use their macOS app and Windows app (Windows 7 and newer), and you can use it on any operating system where Google Chrome is available.
SAASPASS also lets you use multiple devices by scanning a secure QR code from the first device you set up. Once scanned, you can then access your token on both devices. This is one of the safest restore methods, as it eliminates the possibility of interception while exposed on the web.
There is also an option to recover your account in case you no longer have access to the phone number you registered with. This number can further be protected using a customized security question.
Whether you are new to 2FA or have been using it for years, this is the app for you. It makes the process incredibly easy with its autofill and auto-login feature. I will admit it isn't the prettiest app in the world, but it does get the job done, and it is customizable to a degree. With its broad device support and the ability to unlock your computer, there is no better option available.
The next two options on our list are close in features. The biggest advantage of LastPass Authenticator is its integration with LastPass Password Manager. But if you're not already a LastPass Password Manager user and/or don't plan to be, the choice is a bit harder.
LastPass supports encrypted backups. The only caveat is that it requires a LastPass account, which is typically used to store online passwords. You also have to enable multi-factor authentication on your LastPass account (which cannot be done within the app) either via LastPass authentication, another authentication app, or another factor (such as a hardware key). While this isn't a big deal, you might find it annoying to be forced to use a password manager you didn't want to use in the first place.
But what's even weirder is that both apps are separate from each other. There is no way to access the authenticator from the password manager and vice versa, so while both apps share the same account, there is no other connection. That being said, LastPass is the best password manager on both platforms, so if you don't have a password manager, this is a great way to kill two birds with one stone.
The reason we would recommend opting for LastPass Authenticator over the other options on our list is the ability to adjust parameters of the token. While it requires you to manually enter the code (instead of scanning a QR code), you can modify the duration the code is available and the length of the code itself. Depending on your need for security or convenience, this feature can be beneficial.
However, while this feature is helpful, it will probably not be used by the general public. What will be used is the desktop version, which LastPass doesn't have — the only app on our list which doesn't. Additionally, it is also the only app on our list which doesn't support smartwatches, another convenience regular users would appreciate.
If you want more control over the software token, LastPass Authenticator is your best bet. It is also a great option if you're already a LastPass Password Manager user. But you're kind of forced into the LastPass ecosystem, so if you don't want this, look elsewhere.
I learned about Authy after frustrations with Google Authenticator, particularly one lacking feature. After switching my phone and setting up the new phone, I realized that while I could restore most of the data thanks to backups, I didn't have access to my tokens. Without my old phone, I would be unable to log into my accounts. After some research, I learned the only way to get my tokens back was to log back into each account and use my new phone to set up 2FA again.
Well, after about two phone switches, I said "enough is enough" and looked for a better solution. And it is then that I found out about Authy.
My favorite feature of Authy is its encrypted backups. Anytime I switch phones, all I need to do is open Authy on the new phone and input my phone number. I am then presented with multiple options to connect accounts, including SMS, phone calls, and email. Because of the security risk of these options, I find the best choice is to use an existing device. A prompt appears on my old phone. After inputting the designated phrase, my tokens are transferred to my new device. But wait, there is more.
As previously stated, the backups are encrypted. Therefore, you need a backup password from which the encryption key is derived. Without that password, I can see which websites I have tokens for, but I can't see the tokens themselves. Additionally, you can limit which devices have access to your tokens.
For maximum security, after setting up your new phone, you should turn off "multi-device," which allows the tokens to sync across devices. With this turned off, even if someone uses the other methods to access your account, they won't be able to receive the tokens. Additionally, even with multi-device disabled, you can still access your database on devices you already added, such as a tablet or computer. And when you want to remove access to your software-based tokens from these secondary devices, simply select the device underneath "Allow multi-device" and choose "remove device." This prevents that device from updating its database to the current tokens, blocking access to your protected accounts.
Authy also takes your security into consideration. Regardless of how well 2FA apps improve your account security, if the app can easily be bested, then the security improvement is minimal. With Authy, you are protected against phishing, malware, brute-force password guessing, and man-in-the-middle attacks.
The only major complaint I have for Authy is how devices are labeled. When sharing your database with multiple devices, Android phones are listed as just "Android," making it impossible to discern which one is which. However, iPhones and PCs are easily labeled based on their assigned names. On the plus side, tokens are labeled wonderfully with an automatic icon finder that can also be manually triggered when an icon changes.
Authy is one of the best two-factor authentication apps available on both operating systems. The interface is easy to use, and you can transfer your tokens securely. You can even change the layout of the main page for easier navigation. While it didn't come in first place, it wasn't far behind either.
Microsoft Authenticator has transformed a lot since our last testing. It added cloud backups, a big complaint we had previously. It also offers push notifications and is the only authenticator on our list which gives up-to-date security alerts. While we are not fans of its implementation of passcode protection, it has emerged as a great option beyond those who are fully ingrained in the Microsoft ecosystem.
One of the better features of Microsoft Authenticator is its support for push notifications. As long as you're using the app to authenticate a Microsoft or Azure Active Directory account, instead of having to type in a code, you are prompted with a notification asking you to approve or deny the sign-in request sent to your device. If the number shown on your device matches the one on your login screen, select "Approve" and you are authenticated. The process is much easier than typing in codes, and while three other apps do support the feature, the number of services supporting them is limited.
Recently, Microsoft introduced security notifications. This feature sends an alert to your phone whenever an important event occurs with one of your accounts. This includes a password change, a sign-in from a new device, or a sign-in from a new location. This way, you are immediately aware if an unauthorized action occurs and can take the correct course of action.
We went back and forth when deciding between Microsoft and Google Authenticator as to which should go ahead of the other. Ultimately, it came down to support and push notifications that advanced it over Google. With Microsoft Authenticator receiving multiple updates per month, compared to Google (more on that later), it made more sense to go ahead of Google even with its limited desktop support.
If you prefer the security of isolating your data to just one device and are tied to the Microsoft ecosystem, this is the authenticator for you. With its use of push notifications, along with a solid (well updated) app on multiple platforms, this is a great choice for those using both Microsoft and non-Microsoft accounts.
Duo Mobile is designed for enterprise, offering multiple plans suited for multiple users. As a complete picture, Duo is a security platform to manage the access and authentication of multiple users. But, with the free version, it becomes an excellent 2FA app for consumers that is well designed and easy to use.
Besides supporting the same services that Google Authenticator supports, Duo Mobile (along with Authy) offers better support for third-party services and social media sites. Duo Mobile is also consistently updated.
It supports Apple Watch users with an official app for watchOS. It has an official application for both Windows and macOS, so that you don't need your phone when logging in from your desktop (or laptop).
It also supports backups that are encrypted. The device you're using will determine where the backups are stored. For iOS, the backups are stored on iCloud. For Android, the backups are stored on Google Drive. It also recently added the ability to restore third-party accounts, requiring the creation of a recovery password to protect your information.
Where Duo Mobile shines is when used within an organization that has already implemented the service. This opens access to Duo Push, their take on a software token that replaces the need to input (or copy) passcodes with a prompt. However, this feature isn't available on most popular web services.
With encrypted backups and the ability to restore third-party accounts, Duo Mobile has addressed one of its biggest downsides. While it lacks some of the features of the other authenticator apps on our list, it's just as easy to use and versatile thanks to its support of security keys.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.