When it comes to cybersecurity, one layer isn't enough. A complex password (or one created with a password manager) does a good job of protecting your data, but it can still be cracked. Two-factor authentication strengthens this by adding a second layer of security, giving you even more protection against online threats.
With two-factor authentication, or 2FA, the service you're logging into will require two things to authenticate you: something you know and something you have. Your password serves as "something you know," and a 2FA app will prove the "something you have" aspect, requiring a device (such as your phone) to be present before anyone can log into your account.
While this second layer isn't foolproof, it does improve your defenses drastically. Even if someone were to obtain your password, they'd also need physical access to your phone to retrieve a temporary passcode to unlock your account. Not all websites support this feature, but most popular sites already do, and you can check compatibility using this link. And for every account that does support it, you should enable the feature, especially for those which support software-based tokens.
- Offline Mode: Ability to generate 2FA codes without the need for the internet.
- Open Source: The source code is available to the public for anyone to audit. While open source does provide an advantage, no app on our list is open source (although some leverage several open source technologies).
- Encrypted Backups: The database of tokens is encrypted and backed up separately from your device. This way, if you upgrade your phone, you can easily bring your codes with you without having to register your new phone with all your accounts.
- Desktop Version: Whether the service has a desktop version, so you don't need your smartphone when logging into your accounts. Having a dedicated app is favorable over an extension, which limits you to one browser.
- Smartwatch Compatible: The service supports one (or more) of the major smartwatch operating systems. Wear OS is the Android-based smartwatch operating system, while watchOS is the iOS-based smartwatch operating system. If an app supports one of these OSes, you can retrieve the codes even when your phone is in your pocket.
- Passcode Protection: Built into the app is the ability to lock out intruders using some form of authentication. Both Authy and LastPass support either a PIN code, fingerprint scanner, Touch ID, or Face ID (depending on which iPhone model you are using).
- Multi-Device Sync: The ability to sync data across multiple devices with access to your tokens. Any account added or removed on one device will be added or removed on the other devices as well.
- Adjustable OTP Time: The ability to adjust how long a one-time password stays valid. Shorter times make it harder for attackers, but can be too inconvenient. Typically, the default timer is anywhere between 15–30 seconds. For the two apps which support the feature, both require manual entries.
- Adjustable Code Length: The ability to adjust the number of digits in the one-time password. For the two apps which support the feature, both require manual entries. Longer codes are harder to guess.
- Push Notifications: Instead of having to input codes, some apps on our list support push notifications. Tokens are exchanged in the background without requiring you to copy the numbers, so all you need to do is accept or deny the request. However, the website must include support, which is limited for all the apps on our list.
To narrow down the field of 2FA apps on the iOS App Store and Google Play Store, we set some ground rules. To make this list, apps had to support both iOS and Android, ensuring the largest number of users could benefit from our list. This decision eliminated great choices such as andOTP, which is limited to Android only.
A second requirement was that each app had to be currently supported by the developers. Regular support assures that bugs and vulnerabilities will be dealt with in a timely manner, so we only included apps that had received updates within the last year. This eliminated another great choice, FreeOTP.
Third, we chose to only consider free 2FA apps. While there are some great apps that do require payment, the majority are free, so we felt there were enough options to avoid the paid tier of 2FA apps.
Finally, we wanted two-factor authentication apps which could be used with a large number of websites and services. The gold standard for this is Google Authenticator, which has one of the most extensive collections of supported apps. Therefore, we looked for apps which at least supported all the apps and services supported by Google Authenticator.
I learned about Authy after frustrations with Google Authenticator. When I first started using two-factor authentication, I did some quick research and settled for the one with the biggest name. However, as I switched phones, I discovered Google Authenticator's biggest weakness: You have to reestablish the app's connection with your services for the new phone. After doing this twice, I said "enough is enough" and really dug in to find the best 2FA app, which led me to Authy.
Only three apps on our list support encrypted backups, and Authy is one of them. However, Authy makes the process of restoring your account incredibly easy by associating your account with your phone number. While this does leave you open to some vulnerability, it is mostly exaggerated, and the service is safe to use.
Authy also understands that many of us have more than one device. Whether you own a tablet and smartphone or you live the two-phone life, Authy gives you access to your two-factor authentication with multi-device synchronization. Any changes you make on one device will sync across all your devices. This feature makes it easier to access your token since you get an up-to-date database on multiple devices, allowing you to grab whichever's closer to log in.
Authy is easily one of the best two-factor authentication apps available on both operating systems. The interface is easy to use, and adding a new account is as simple as scanning a QR code. Authy even provides you the choice of how the accounts are laid out to improve navigation. For every website which supports 2FA, we not only recommend turning on the feature but using Authy to enable the feature.
Though it grabbed our top spot, Authy doesn't really have a major advantage over LastPass Authenticator. The two apps share most features, with only two differences, and it's the two features LastPass is missing that led to its second-place ranking.
Just like Authy, LastPass supports encrypted backups. The only caveat is that it requires a LastPass account. While this isn't a big deal, it can be annoying to be forced to use a password manager you didn't wish to use in the first place. However, the password manager is free and easily one of the best on the App Store and Play Store. LastPass easily topped our list of the best password managers, and you can see some of the reasons using the link below.
The big advantage LastPass Authenticator has over Authy is the ability to adjust parameters of the token. While it requires you to manually enter the code (instead of scanning the QR code), you can modify the duration the code is available and the length of the code itself. Depending on your need for security or convenience, this feature can be beneficial.
However, while this feature is helpful, it will probably not be used by the general public. What will be used is the desktop version, which LastPass doesn't have; it is the only app on our list without one. Additionally, it is also the only app on our list which doesn't support smartwatches, another convenience regular users would appreciate.
You can flip a coin for whether you want Authy or LastPass Authenticator. Some individuals like their passwords separated from their token and prefer to use Authy. However, with your password manager and token encrypted, there is no real threat to relying on one company for both needs. Either way, LastPass Authenticator is a great choice for those looking for a solid second line of defense for their accounts.
Duo Mobile is designed for enterprise, offering multiple plans suited for multiple users. As a complete picture, Duo is a security platform to manage the access and authentication of multiple users. But, with the free version, it becomes an excellent 2FA app for consumers that is well designed and easy to use.
Besides supporting the same services that Google Authenticator supports, Duo Mobile (along with Authy) offers better support for third-party services and social media sites. Duo Mobile is also consistently updated, with its last update mere weeks ago at the time of this writing.
It supports Apple Watch users with an official app for watchOS. It has an official application for both Windows and macOS so that you don't need your phone when logging in from your desktop (or laptop).
It also supports backups which are encrypted. The device you're using will determine where the backups are stored. For iOS, the backups are stored on iCloud. For Android, the backups are stored on Google Drive.
While Duo Mobile does lack the ability to sync your accounts, being able to back up your database is helpful since you don't have to start over when you decide to upgrade your phone. However, its lack of passcode protection and synchronization ultimately led to its third-place rank on our list.
Similar to Google Authenticator, Microsoft Authenticator doesn't do cloud backups. However, unlike Google, it's better supported and offers push notifications. While the latter does require the user to be in the Microsoft ecosystem, it's still a great convenience to have and enough to recommend it over Google Authenticator.
One of the better features of Microsoft Authenticator is its support for push notifications. As long as you're using the app to authenticate a Microsoft or Azure Active Directory account, instead of having to type in a code, you are prompted with a notification asking you to approve or deny the token sent to your device. If the token on your device matches the one on your login screen, select "Approve" and you are authenticated. The process is much easier than typing in codes, and while three other apps do support the feature, the number of services supporting it is limited.
We went back and forth when deciding whether Microsoft or Google Authenticator should rank ahead of the other. Ultimately, better support and push notifications put Microsoft ahead of Google. With Microsoft Authenticator receiving multiple updates per month, compared to Google (more on that later), it made more sense to rank it ahead of Google even with its limited desktop support.
If you prefer the security of isolating your data to just one device and are tied to the Microsoft ecosystem, this is the authenticator for you. With its use of push notifications, along with a solid (well updated) app on multiple platforms, this is a great choice for those using both Microsoft and non-Microsoft accounts.
There are two main reasons for someone to use Google Authenticator over the other apps on our list: (arguably) better security and wide availability. While its limitations are the reason I switched to Authy, some could view them as a strength, leading them to prefer Google Authenticator over our number one choice. And it is because of these two reasons that it deserves a nod on our list.
Since Google Authenticator doesn't back up your database, it only exists on your device. Because of this, whenever you upgrade your phone, you have to reconnect the app to all your accounts on the new device. But if security is your only priority and convenience is not a consideration, this also protects you if your device is stolen.
Modern smartphones let you wipe your data remotely if your device gets stolen, which would protect your tokens whether you had Authy or Google Authenticator. However, Authy ties the database to your phone number, which can be easily obtained and potentially spoofed. If someone had control of your phone line and were to guess your password (and that's a big if), they would have full access to your tokens. With Google Authenticator, this isn't possible.
Google Authenticator is also the standard for two-factor authentication via an app. However, it appears Google is slowly abandoning the app. The last update for Google Authenticator came two years ago on iOS. If it weren't for the September 2017 update for Android, it wouldn't even have made our list.
Google Authenticator is limited to a Chrome extension for desktop users. While it does limit users to using Google's browser, it is accessible on all desktop platforms, including Chrome OS, unlike the other apps on our list. It is also the only 2FA app on our list that officially supports Wear OS (formerly known as Android Wear).
Honestly, the main reason to choose Google Authenticator is that you are afraid that backing up your data to the cloud isn't safe. Despite the inconvenience, you are worried about your privacy, and therefore, Google Authenticator makes sense. However, for the majority of users, there are better options.
Let us start by saying everyone should use 2FA. We understand that it's time-consuming, and especially for the websites which don't support apps, having to receive a code via a phone number is an inconvenience. Even text messages are troublesome since it isn't easy to copy from the message (iOS 12 and Android Pie do help this). But 2FA can protect you and your data from unauthorized access, which is well worth the inconvenience.
The best choice for 2FA right now is clearly Authy. It is easy to use, easy to transfer to a new device, and offers password protection. Or, if you're already a LastPass password manager user and don't mind trusting your passwords and 2FA tokens to the same company, LastPass Authenticator is a close second.