When it comes to cyber security, one layer is not enough. A complex password (or one generated by a password manager) does a good job of protecting your data, but it can still be cracked, phished or leaked in a breach. Two-factor authentication reinforces it by adding a second layer, giving you more protection against online threats.
With two-factor authentication, also known as two-step verification or simply 2FA, the service you sign in to requires two things to verify you: something you know and something you have. Your password is the "something you know," and the 2FA app provides the "something you have." With 2FA you need your phone (or, for some people, your computer) at hand to log in, which makes it much harder for an attacker on the other side of the world to get into your account.
While this second layer is not foolproof, it drastically improves your defenses. Even if someone got hold of your password, they would also need physical access to your phone to obtain the temporary code that unlocks your account. Not every site supports this feature, but most popular sites already do, and you can check which ones in the linked compatibility directory. Not all 2FA is equal, though. Some sites only support sending the code via SMS or email. These are less secure because an attacker can intercept them remotely (by hijacking your phone number or compromising your email account) without ever touching your phone. That is why your best bet is a software-based token, and that is the method supported by every app on our list.
Features we compared
- Offline mode: the ability to generate 2FA codes without an internet connection. A time-based code depends only on the shared secret and the current time, so a proper app never needs to go online to produce one.
- Open source: the source code is available for anyone to review. While open source is an advantage, no app on our list is open source (although some of them include open source components).
- Encrypted backups: the token database is encrypted and backed up separately from your device, so when you upgrade your phone you can restore your codes without re-enrolling every account. That backup is only as strong as the passphrase that encrypts it.
- Desktop version: the service has a desktop app, so you do not need your smartphone to log in to your accounts. A dedicated app is preferable to a browser extension, which ties you to one web browser.
- Smartwatch compatible: the service supports one or more of the major smartwatch operating systems. Wear OS is the Android-based smartwatch operating system, while watchOS is Apple's. If an app supports one of these, you can read your codes without taking the phone out of your pocket.
- Passcode protection: the app itself can be locked with some form of authentication to keep intruders out. Both Authy and LastPass support a PIN, a fingerprint, Touch ID or Face ID (depending on the iPhone model you use).
- Multiple device synchronization: the ability to keep your tokens in sync across several devices. Any account added or deleted on one device is added or deleted on the others.
- Adjustable OTP time: the ability to change how long each one-time password is valid (the time step). Shorter steps give an attacker less time to use an intercepted code but are less convenient. The default is normally 30 seconds, though some services use as little as 15. For the two apps that support this, the token must be entered manually rather than by scanning a QR code.
- Adjustable code length: the ability to change the number of digits in the one-time password (six is the default; eight is the other common choice). Longer codes are harder to guess. Again, the two apps that support this require manual entry.
- Push notifications: instead of typing codes, some apps on our list support push approval. The token exchange happens in the background, so all you do is approve or deny the request. The site must support it, however, and that support is limited for every app on our list. Push approval also makes it easy to approve a request you did not start, so only accept prompts for logins you recognize.
- Security notifications: alerts whenever changes are made to the accounts linked to the 2FA app. Microsoft Authenticator recently introduced this feature; the app notifies you of changes to your account, such as a password change.
To narrow the field of 2FA apps on the iOS App Store and the Google Play Store, we set some basic rules. As the title suggests, we did not think separate lists for Android and iOS were necessary: the functionality is similar on both platforms, so focusing on one over the other made little sense. Apps that support both operating systems also benefit more readers, since you are almost certainly using one of the two (apologies to the Sailfish OS users and the remaining Windows Phone holdouts).
Unfortunately, this decision eliminated some good choices, including the open source andOTP, which is Android only.
Another requirement was that each app still be actively supported by its developers. Regular updates ensure that bugs and vulnerabilities are fixed promptly and that new mobile OS features (e.g., the Autofill API in Android 8.0 Oreo and password manager autofill in iOS 12) can be taken advantage of. We eliminated any app that had not been updated in at least a year. FreeOTP, for example, was dropped because its last update on Android was in 2016 and on iOS in 2014.
Since most of us don't want to pay for apps, we focused only on free 2FA apps. There are solid paid options, but with so many good free ones it made little sense not to limit the list to them. That way, cost is not a factor when choosing among the apps on our list.
Each app on our list supports the Time-based One-Time Password algorithm (TOTP, RFC 6238), the preferred method for software-token 2FA. With this requirement you can be sure that wherever 2FA via a software token is offered, these apps will work.
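The following Python example is added here for illustration and is not code from the original article or from any of the apps reviewed. It shows what "supports TOTP" actually means: HOTP (RFC 4226) and TOTP (RFC 6238) with the time step and digit count as parameters (the two settings described above under "Adjustable OTP time" and "Adjustable code length"), decoding of the base32 secret used for manual entry, parsing of the otpauth:// provisioning URI that enrollment QR codes encode, and a server-side check that tolerates a little clock drift and compares in constant time. The seed, label and URI are constructed test data; the 20-byte seed is the reference key from the RFC 6238 appendix, so the expected codes can be checked against the RFC.

```python
"""TOTP (RFC 6238) and HOTP (RFC 4226) with configurable step and digits.

Illustrative example added by the editor; not the code of any app reviewed here.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Hash functions an otpauth:// URI may name; SHA1 is what almost every site uses.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24         # clear the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)   # keep leading zeros ("07081804")


def totp(secret: bytes, unix_time, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of whole periods since the epoch."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time, period: int = 30,
                digits: int = 6, algorithm=hashlib.sha1, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side (clock drift).

    Every step in the window is compared in constant time and the loop never returns early,
    so timing does not reveal which step matched. A real server must additionally remember
    and reject a code that has already been accepted once.
    """
    candidate = candidate.strip()
    if len(candidate) != digits or not candidate.isdigit():
        return False
    step = int(unix_time) // period
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, step + delta, digits, algorithm)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed shown for manual entry; tolerate lowercase, spaces and missing padding."""
    cleaned = encoded.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&period=...&digits=...&algorithm=... URI.

    This is the Key URI format encoded in enrollment QR codes. Apps that ignore `period`
    and `digits` silently fall back to 30 seconds and 6 digits, which is why the apps above
    that let you change them only do so through manual entry.
    """
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = urllib.parse.parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": secret_from_base32(query["secret"][0]),
        "period": int(query.get("period", ["30"])[0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "algorithm": ALGORITHMS[query.get("algorithm", ["SHA1"])[0].upper()],
    }


# Constructed test data: the RFC 6238 reference seed ("12345678901234567890") in base32,
# enrolled with an 8-digit, 30-second configuration. Label and issuer are made up.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_URI = ("otpauth://totp/Example:alice%40example.com?secret=" + RFC_SEED_B32
            + "&issuer=Example&period=30&digits=8&algorithm=SHA1")


def current_code(uri: str = DEMO_URI, now=None) -> str:
    """What an authenticator app displays for the enrolled account at time `now`."""
    cfg = parse_otpauth(uri)
    return totp(cfg["secret"], time.time() if now is None else now,
                cfg["period"], cfg["digits"], cfg["algorithm"])


if __name__ == "__main__":
    cfg = parse_otpauth(DEMO_URI)
    print(f"{cfg['issuer']} / {cfg['label']}: {current_code()} "
          f"({cfg['period']}s step, {cfg['digits']} digits)")
    # RFC 6238 Appendix B vectors for this seed (SHA1, 8 digits, 30 s step).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(cfg["secret"], t, 30, 8) == expected
```

Two things worth noticing: the code depends only on the secret and the clock, which is why a good app works offline, and anyone holding the secret (a cloud backup, a second synced device, or a server database) can generate the same codes, which is why the backup passphrase and device list in the apps below matter as much as the app itself.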
App 1: Authy
I learned about Authy after frustrations with Google Authenticator, specifically one missing feature. After switching phones and setting up the new one, I realized that while I could restore most of my data from backups, I could not restore my tokens. Without my old phone, I couldn't log in to my accounts. After some research I learned that the only way to get my tokens back was to log in to each account and set up 2FA again with the new phone.
Well, after about two phone switches I said "enough" and looked for a better solution. That's when I found Authy.
My favorite feature in Authy is its encrypted backups. When I switch phones, all I need to do is open Authy on the new phone and enter my phone number. I am then presented with several options for verifying the new device, including SMS, phone call and email. Because of the security risk of those alternatives, I think the best choice is to approve from an existing device: a prompt appears on my old phone, and after I confirm it, my tokens are transferred to the new device. But wait, there's more.
As mentioned, the backup is encrypted, so you need the backup password from which the encryption key is derived. Without it, I can see which sites I have tokens for, but not the tokens themselves. In addition, you can limit which devices have access to your tokens.
For maximum security, turn off "Multi-device" (the setting that lets tokens sync to additional devices) once your new phone is configured. With it off, even if someone verifies a new device through SMS, a phone call or email, they will not receive your tokens. Devices that were already authorized keep working as long as you do not remove them and the database is unlocked, so if you own a tablet and a phone, or carry two phones, you can still use whichever is at hand when you log in.
Authy also takes the app's own security into account. However much a 2FA app improves your account security, if the app itself is easily bypassed the improvement is minimal. Authy says it protects you from phishing, malware, brute-force guessing and man-in-the-middle attacks. One caveat applies to every app here: a time-based code typed into a convincing fake login page can be relayed to the real site within its validity window, so the app cannot save you from a real-time phishing site; only you, by checking the address bar, can.
The only major complaint I have about Authy is how devices are labeled. When you share your database across multiple devices, Android phones are listed simply as "Android," making it impossible to tell which is which. iPhones and computers, by contrast, are labeled with their assigned names.
Authy is easily one of the best two-factor authentication apps available on either operating system. The interface is easy to use, and you can transfer your tokens securely. You can also change the main page layout for easier navigation. 2FA is important, and for mobile users there is no app that gives a better experience.
App 2: LastPass Authenticator
LastPass Authenticator is almost identical to Authy in its feature list. Both offer encrypted backups, multi-device synchronization and push notifications. The reason we cannot recommend it over Authy is its lack of support for companion devices such as smartwatches and desktops. That may not be a deal-breaker for everyone, but it keeps it from providing as seamless an experience as Authy.
- Install LastPass Authenticator: Android (free) | IOS (free)
Like Authy, LastPass supports encrypted backups. The only catch is that it requires a LastPass account, which is primarily meant for the password manager. This is not a big deal, but you may find it annoying to have to sign up for a password manager you don't intend to use.
What is really nice is that the two products are kept separate. You cannot reach the authenticator from the password manager or vice versa; apart from sharing the same account, there is no other connection. That said, LastPass is the best password manager on both platforms in our view, so if you don't have one yet, this is a way to kill two birds with one stone.
The main advantage LastPass Authenticator has over Authy is the ability to adjust the token's parameters. Although this requires entering the secret manually (rather than scanning a QR code), you can change both how long each code is valid and how many digits it has. Depending on whether you value security or convenience more, this can be useful.
Useful as that feature is, it is not one most people will use. What they will use is a desktop version, which LastPass does not have; it is the only app on our list without one. It is also the only app on our list that does not support smartwatches, another convenience ordinary users would appreciate.
You could flip a coin between Authy and LastPass Authenticator. Some people prefer to keep their passwords separate from their tokens and choose Authy. With both your password vault and your tokens encrypted, there is little practical risk in relying on one company for both, although a compromise of that single account would expose both factors at once. Either way, LastPass Authenticator is a good choice for anyone looking for a solid extra line of defense for their accounts.
App 3: Duo Mobile
Duo Mobile is designed for businesses and offers several plans for organizations with many users. Duo as a whole is a security platform for managing access and authentication across many users. But the free version makes it an excellent 2FA app for consumers: well designed and easy to use.
In addition to supporting the same services as Google Authenticator, Duo Mobile (along with Authy) offers better support for third-party and social media services. Duo Mobile is also updated consistently; its latest update arrived a few weeks before this was written.
It supports Apple Watch users with an official watchOS app, and it has official apps for both Windows and macOS, so you don't need your phone when logging in from a desktop or laptop.
It also supports encrypted backups. Where they are stored depends on your device: on iOS they go to iCloud, on Android to Google Drive.
While Duo Mobile lacks account synchronization, being able to back up your database is helpful because you don't have to start over when you upgrade your phone. But its lack of passcode protection and synchronization is what put it in third place on our list.
App 4: Microsoft Authenticator
Like Google Authenticator, Microsoft Authenticator does not make cloud backups. Unlike Google's app, though, it is actively maintained and offers push notifications. While the latter requires you to be in Microsoft's ecosystem, it is still a great convenience and enough to recommend it over Google Authenticator.
- Install Microsoft Authenticator: Android (free) | IOS (free)
One of Microsoft Authenticator's better features is its support for push notifications. When you use the app to authenticate to a Microsoft or Azure Active Directory account, instead of typing a code you receive a prompt on your device asking you to approve or deny the sign-in. If the number shown on your device matches the one on your login screen, tap "Approve" and you are authenticated. This is much easier than typing codes, and although three other apps support the feature, the number of services that use it is limited.
Microsoft recently introduced security notifications. This feature sends an alert to your phone whenever an important event occurs on one of your accounts, such as a password change, a login from a new device or a login from a new location. That way you learn of an unauthorized action immediately and can respond.
We went back and forth deciding whether Microsoft or Google Authenticator should rank higher. In the end, it came down to maintenance and push notifications, which put Microsoft ahead. With Microsoft Authenticator receiving several updates a month, compared to Google (more on that below), it made more sense to rank it above Google even with its limited desktop support.
If you prefer the security of keeping your data isolated on a single device and are tied to Microsoft's ecosystem, this is the authenticator for you. With push notifications and a solid, well-maintained app on multiple platforms, it is a great choice for those who use both Microsoft and non-Microsoft accounts.
App 5: Google Authenticator
There are two main reasons to use Google Authenticator over the other apps on our list: (arguably) better security and broad availability. Its limitations are why I switched to Authy, but some may see them as strengths and prefer Google Authenticator over our number one pick. For those two reasons, it earns a spot on our list.
- Install Google Authenticator: Android (free) | IOS (free)
Because Google Authenticator does not back up your database, it exists only on your device. You therefore need to re-enroll the app with all your accounts on the new device when you upgrade your phone. But if security is your first priority and convenience is secondary, this also means there is no cloud copy of your tokens for anyone to go after if your device is stolen.
Modern smartphones let you wipe your data remotely if the device is stolen, which would protect your tokens whether you use Authy or Google Authenticator. However, Authy ties the database to your phone number, which is easy to find and can be hijacked (through a SIM swap, for example). If someone took control of your phone line and could also guess your backup password (a big if), they would have full access to your tokens. With Google Authenticator, that is simply not possible.
Google Authenticator is also the de facto standard for app-based two-factor authentication. However, Google seems to be slowly abandoning it. The latest iOS update came two years ago, and if it weren't for the September 2017 update on Android, it wouldn't have made our list at all.
For desktop users, Google Authenticator is limited to a Chrome extension. While that restricts you to Google's browser, it is available on any desktop platform, including Chrome OS, unlike the other apps on our list. It is also the only 2FA app on our list that officially supports Wear OS (formerly known as Android Wear).
Honestly, the main reason to choose Google Authenticator is that you don't trust backing up your tokens to the cloud. If that worries you, Google Authenticator makes sense despite the inconvenience. But most users have better options.
Let us close by saying that everyone should use 2FA. We understand it takes time, especially on sites that do not support apps and make you receive a code via text message or phone call. That is less secure than a dedicated app, because your phone number can be hijacked and someone can then get into your account remotely. With a software-based token, barring extraordinary situations, someone needs access to your phone or computer. This extra layer protects you if your password is compromised and keeps your data safe in the process.
The best choice for 2FA right now is clearly Authy. It is easy to use, easy to transfer to a new device and offers passcode protection. Or, if you already use the LastPass password manager and don't mind trusting your passwords and 2FA tokens to the same company, LastPass Authenticator is a close second.
This article was produced as part of Gadget Hacks' special coverage of smartphone privacy and security. Check out the whole privacy and security series.