When it comes to cybersecurity, one layer isn't enough. A complex password (or one created with a password manager) does a good job of protecting your data, but it can still be cracked. Two-factor authentication strengthens this by adding a second layer of security, giving you even more protection against online threats.
With two-factor authentication, also known as two-step verification or simply 2FA, the service you're logging into will require two things to authenticate you: something you know and something you have. Your password serves as "something you know," and the 2FA app provides the "something you have" aspect. With 2FA, you need to have either your phone (or for some, your computer) nearby to log in, making it harder for a hacker far away to access your account.
While this second layer isn't foolproof, it does improve your defenses drastically. Even if someone were to obtain your password, they'd also need physical access to your phone to retrieve a temporary passcode to unlock your account. Not all websites support this feature, but most popular sites already do, and you can check compatibility using Two Factor Auth.
However, not all 2FA is the same. Some websites only support sending the code via SMS or email. These are less secure options as someone can access these methods remotely. That's why your best bet is an option with a software-based token, and that's the method supported by each of the apps on our list.
- Offline Mode: Ability to generate 2FA codes without the need for the internet.
- Open Source: The source code is available to the public for anyone to audit. While open source does provide an advantage, no app on our list is open source (although some leverage several open source technologies).
- Encrypted Backups: The database of tokens is encrypted and backed up separately from your device. This way, if you upgrade your phone, you can easily bring your codes with you without having to register your new phone with all your accounts.
- Desktop Version: Whether the service has a desktop version, so you don't need your smartphone when logging into your accounts. Having a dedicated app is favorable over an extension, which limits you to one browser.
- Smartwatch Compatible: The service supports one (or more) of the major smartwatch operating systems. Wear OS is the Android-based smartwatch operating system, while watchOS is the iOS-based smartwatch operating system. If an app supports one of these OSes, you can retrieve the codes even when your phone is in your pocket.
- Passcode Protection: Built into the app is the ability to lock out intruders using some form of authentication. Both Authy and LastPass support either a PIN code, fingerprint scanner, Touch ID, or Face ID (depending on which iPhone model you are using).
- Multi-Device Sync: The ability to sync data across multiple devices with access to your tokens. Any account added or removed on one device will be added or removed on the other devices as well.
- Adjustable OTP Time: The ability to adjust how long a one-time password stays valid. Shorter times make it harder for hackers, but can be too inconvenient. Typically, the default timer is anywhere between 15 and 30 seconds. For the two apps which support the feature, both require manual entries.
- Adjustable Code Length: The ability to adjust the size of the one-time password. For the two apps which support the feature, both require manual entries. Longer codes make it harder to hack.
- Push Notifications: Instead of having to input codes, some apps on our list support push notifications. Tokens are exchanged in the background without requiring you to copy the numbers, so all you need to do is accept or deny the request. However, the website must include support, which is limited for all the apps on our list.
- Security Notifications: The ability to send alerts whenever any changes are made to your accounts associated with the 2FA app. Microsoft Authenticator recently introduced this feature, where the app informs you if any changes happen to your account such as a password change.
To narrow down the field of 2FA apps on the iOS App Store and Google Play Store, we set some ground rules. As you can tell from the title of the article, we didn't believe it necessary to make a separate list for both Android and iOS. Because functionality is similar across both platforms, it seemed unnecessary to focus on one operating system over the other. Additionally, apps supporting both OSes will benefit more users as it is likely you are using one of these two mobile platforms (there are SailfishOS and technically Windows Phone users still out there, though).
Unfortunately, this decision did eliminate some great choices, including the open source andOTP, which is limited to only Android.
A second requirement was that each app had to be currently supported by their developers. Regular support assures that bugs and vulnerabilities will be dealt with in a timely manner and that any new updates to the mobile operating system (such as Autofill API on Android 8.0 Oreo and Password Manager API on iOS 12) can be taken advantage of. We eliminated any app which hadn't received an update in at least a year. For example, FreeOTP was eliminated from consideration because its last update on Android was in 2016, and on iOS in 2014.
Because most of us don't want to pay for apps, we focused solely on free 2FA apps. While there are solid paid options, with so many excellent free options, we felt it made little sense to not limit our list to those. This way, cost won't be a factor when deciding which of the apps on our list you should use.
Every app on our list supports Time-based One-time Password Algorithm (TOTP), the preferred method for software-based token 2FA. With this requirement, you can be sure that anywhere 2FA via software-based token is available, these apps will work.
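Because every app on the list generates its codes with TOTP, it helps to see exactly what such a token is and what the "adjustable OTP time" and "adjustable code length" settings from the feature list actually change. The following is an added example, not code from the article or from any of the apps it reviews: a minimal implementation of HOTP (RFC 4226) and TOTP (RFC 6238) in Python using only the standard library, plus a verifier-side check that tolerates a little clock skew between phone and server. The 20-byte secret is the test key published in those RFCs, and the `otpauth://` URI (the format encoded in the QR codes these apps scan) is constructed here for illustration; both are assumptions of the example, not values from the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24           # mask the sign bit, take 31 bits
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros ("007081804")


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since t0.

    `step` is what the apps call the OTP time and `digits` the code length; changing
    either changes the code, so both sides must agree on them.
    """
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check that accepts codes from `window` neighbouring time steps.

    A wider window tolerates more clock drift but also leaves each code usable longer.
    hmac.compare_digest avoids leaking how many leading digits matched via timing.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, for_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """otpauth URIs carry the secret base32-encoded, often without '=' padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that a 2FA app reads from a site's QR code.

    `period` and `digits` are the optional parameters behind the adjustable OTP
    time and code length; the RFC defaults (30 s, 6 digits) apply when absent.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": secret_from_base32(q["secret"][0]),
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded
# inside a constructed enrolment URI with a non-default 8-digit code length.
DEMO_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30&digits=8")


if __name__ == "__main__":
    params = parse_otpauth(DEMO_URI)
    now = int(time.time())
    code = totp(params["secret"], now, params["period"], params["digits"])
    print(f"{params['issuer']} code for {params['label']}: {code}")
    print("verifies:", verify_totp(params["secret"], code, now, params["period"], params["digits"]))
```

Two design points worth noticing: the code is a pure function of the shared secret and the current time, which is why the apps can work offline, and why a backup of the secret (Authy's encrypted backup, Duo's cloud backup) is all that is needed to move tokens to a new phone. The verification side accepts the previous and next step, so a phone whose clock is a few seconds off still logs in; anything beyond that window fails, which is the trade-off a shorter OTP time tightens.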
I learned about Authy after frustrations with Google Authenticator, particularly one missing feature. After switching my phone and setting up the new phone, I realized that while I could restore most of the data thanks to backups, I didn't have access to my token. Without my old phone, I would be unable to log into my accounts. After some research, I learned the only way to get my token was to log back into each account and use my new phone to set up 2FA.
Well, after about two phone switches, I said "enough is enough" and looked for a better solution. And it is then that I found out about Authy.
My favorite feature of Authy is its encrypted backups. Anytime I switch phones, all I need to do is open Authy on the new phone and input my phone number. I am then presented with multiple options to connect accounts, including SMS, phone calls, and email. Because of the security risk of these options, I find the best choice is to use an existing device. A prompt appears on my old phone. After inputting the designated phrase, my tokens are transferred to my new device. But wait, there is more.
As previously stated, the backups are encrypted. Therefore, you need a passcode from which the encryption key is derived. Without the password, I can see which websites I have a token for, but I can't see the tokens themselves. Additionally, you can limit which devices have access to your tokens.
For maximum security, after setting up your new phone, you should turn off "multi-device," which allows tokens to sync across devices. With this turned off, even if someone uses the other methods to access your account, they won't be able to receive the tokens. Additionally, even with multi-device disabled, you can still access your database on the devices you already authorized, such as a tablet or computer. And when you want to remove access to your software-based tokens from these secondary devices, simply select the device underneath "Allow multi device" and choose "remove device." This prevents that device from updating its database to the current tokens, blocking access to your protected accounts.
Authy also takes your security into consideration. Regardless of how well 2FA apps improve your account security, if they themselves can easily be bested, then the security improvement is minimal. With Authy, you are protected against phishing, malware, brute-force password guessing, and man-in-the-middle attacks.
The only major complaint I have for Authy is how devices are labeled. When sharing your database with multiple devices, Android phones are listed as just "Android," making it impossible to discern which one is which. However, iPhones and PCs are easily labeled based on their assigned names.
Authy is easily one of the best two-factor authentication apps available on both operating systems. The interface is easy to use, and you can transfer your tokens securely. You can even change the layout of the main page for easier navigation. 2FA is important, and for mobile users, there isn't any app offering a better experience.
LastPass Authenticator is nearly identical to Authy in its feature list. Both offer encrypted backups, multi-device synchronization, and support push notifications. However, the reason we can't recommend it before Authy is because of its lack of support for complementary devices such as smartwatches and desktop. While it may not be a deal breaker for everyone, it does hinder its ability to provide a seamless experience compared to Authy.
Just like Authy, LastPass supports encrypted backups. The only caveat is that it requires a LastPass account, which is typically used to store online passwords. While this isn't a big deal, you might find it annoying to be forced to use a password manager you didn't wish to use in the first place.
But what's even weirder is that both apps are separate from each other. There is no way to access the authenticator from the password manager and vice versa, so while both apps share the same account, there is no other connection. That being said, LastPass is the best password manager on both platforms, so if you don't have a password manager, this is a great way to kill two birds with one stone.
The big advantage LastPass Authenticator has over Authy is the ability to adjust parameters of the token. While it requires you to manually enter the code (instead of scanning a QR code), you can modify the duration the code is available and the length of the code itself. Depending on your need for security or convenience, this feature can be beneficial.
However, while this feature is helpful, it will probably not be used by the general public. What will be used is the desktop version, which LastPass doesn't have — the only app on our list which doesn't. Additionally, it is also the only app on our list which doesn't support smartwatches, another convenience regular users would appreciate.
You can flip a coin for whether you want Authy or LastPass Authenticator. Some individuals like their passwords separated from their tokens and prefer to use Authy. However, with your password manager and tokens encrypted, there is no real threat to relying on one company for both needs. Either way, LastPass Authenticator is a great choice for those looking for a solid second line of defense for their accounts.
Duo Mobile is designed for enterprise, offering multiple plans suited for multiple users. As a complete picture, Duo is a security platform to manage the access and authentication of multiple users. But, with the free version, it becomes an excellent 2FA app for consumers that is well designed and easy to use.
Besides supporting the same services that Google Authenticator supports, Duo Mobile (along with Authy) offers better support for third-party services and social media sites. Duo Mobile is also consistently updated, with its last update mere weeks ago at the time of this writing.
It supports Apple Watch users with an official app for watchOS. It has an official application for both Windows and macOS so that you don't need your phone when logging in from your desktop (or laptop).
It also supports backups which are encrypted. The device you're using will determine where the backups are stored. For iOS, the backups are stored on iCloud. For Android, the backups are stored on Google Drive.
While Duo Mobile does lack the ability to sync your accounts, being able to back up your database is helpful since you don't have to start over when you decide to upgrade your phone. However, its lack of passcode protection and synchronization ultimately led to its third-place rank on our list.
Similar to Google Authenticator, Microsoft Authenticator doesn't do cloud backups. However, unlike Google, it's better supported and offers push notifications. While the latter does require the user to be in the Microsoft ecosystem, it's still a great convenience to have and enough to recommend it over Google Authenticator.
One of the better features of Microsoft Authenticator is its support for push notifications. As long as you're using the app to authenticate a Microsoft or Azure Active Directory account, instead of having to type in a code, you are prompted with a notification asking you to approve or deny the sign-in request sent to your device. If the number shown on your device matches the one on your login screen, select "Approve" and you are authenticated. The process is much easier than typing in codes, and while three other apps do support the feature, the number of services supporting it is limited.
Recently, Microsoft introduced security notifications. This feature sends an alert to your phone whenever an important event occurs with one of your accounts, such as a password change, a sign-in from a new device, or a sign-in from a new location. This way, you are immediately aware if an unauthorized action occurred and can take the correct course of action.
We went back and forth when deciding between Microsoft and Google Authenticator as to which should go ahead of the other. Ultimately, it came down to support and push notifications that advanced it over Google. With Microsoft Authenticator receiving multiple updates per month, compared to Google (more on that later), it made more sense to go ahead of Google even with its limited desktop support.
If you prefer the security of isolating your data to just one device and are tied to the Microsoft ecosystem, this is the authenticator for you. With its use of push notifications, along with a solid (well updated) app on multiple platforms, this is a great choice for those using both Microsoft and non-Microsoft accounts.
There are two main reasons for someone to use Google Authenticator over the other apps on our list: (arguably) better security and wide availability. While its limitations are the reason I switched to Authy, some could view them more as a strength, leading them to prefer Google Authenticator over our number one choice. And it is because of these two reasons that it deserves a nod on our list.
Since Google Authenticator doesn't back up your database, it only exists on your device. Because of this, whenever you upgrade your phone, you have to reconnect the app to all your accounts on the new device. But if security is your only priority and convenience is not a consideration, this also protects you if your device is stolen.
Modern smartphones let you wipe your data remotely if your device gets stolen, which would protect your tokens whether you had Authy or Google Authenticator. However, Authy ties the database to your phone number, which can be easily obtained and potentially spoofed. If someone had control of your phone line and were to guess your password (and that's a big if), they would have full access to your tokens. With Google Authenticator, this isn't possible.
Google Authenticator is also the standard for two-factor authentication via an app. However, it appears Google is slowly abandoning the app. The last update for Google Authenticator came two years ago on iOS. If it weren't for the September 2017 update for Android, it wouldn't even have made our list.
Google Authenticator is limited to a Chrome extension for desktop users. While it does limit users to using Google's browser, it is accessible on all desktop platforms, including Chrome OS, unlike the other apps on our list. It is also the only 2FA app on our list that officially supports Wear OS (formerly known as Android Wear).
Honestly, the main reason to choose Google Authenticator is that you are afraid that backing up your data to the cloud isn't safe. Despite the inconvenience, you are worried about your privacy, and therefore, Google Authenticator makes sense. However, for the majority of users, there are better options.
Let us start by saying everyone should use 2FA. We understand that it's time-consuming, and especially for the websites which don't support apps, having to receive a code via a phone number is an inconvenience. Using text messages or phone calls is less secure than a dedicated app, as your phone number can easily be spoofed, allowing someone to access your account remotely. With a software-based token, outside of extraordinary situations, someone needs access to your phone or computer. This additional layer protects you if your password becomes compromised, preserving your data in the process.
The best choice for 2FA right now is clearly Authy. It is easy to use, easy to transfer to a new device, and offers password protection. Or, if you're already a LastPass password manager user and don't mind trusting your passwords and 2FA tokens to the same company, LastPass Authenticator is a close second.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.