Welcome to Cloudwards.net’s guide to the best 2FA apps, where we’ll throw hardware and software solutions into the ring to determine which method reigns supreme. On the docket are Google Authenticator vs Authy and YubiKey vs Kensington VeriMark.
2FA, or two-factor authentication, is a common feature among secure cloud storage and online backup. Make sure to check out our cloud storage reviews and online backup reviews to find a solution there that’s right for you.
You’ll quickly see that we prefer Authy and YubiKey in their respective rounds, but that doesn’t mean Kensington VeriMark and Google Authenticator don’t have merit. In two sections, we’ll compare these hardware and software solutions and give a third honorable mention, as well.
Before we dive in and watch the blood bath ensue, let’s define two-factor authentication and why it’s the best way to add a layer of protection to your online accounts.
What is Two-Factor Authentication?
Two-factor authentication, or as it’s commonly abbreviated, 2FA, is a method of securing online accounts through multiple authentication rounds. In the case of 2FA, you’ll need two factors to successfully log in — something you know and something you own.
The basic form uses your password as your first factor (something you know) and a code sent via text or email as your second factor (something you own).
This makes it difficult for hackers to breach your account. Even if they’re able to crack your password, they won’t be able to log in without access to your second factor.
It’s a simple process, but there’s a lot of tech going on behind each protocol. Three of the most common are U2F, HOTP and TOTP. We’ll give you a brief description of each, but be sure to check out our article on what is two-factor authentication for more details.
U2F is hardware-based, with a key built into the device. The key is generated during the manufacturing process and tied to that piece of hardware for life. It allows you to authenticate an account without any release of personal information and is what we’d consider the most secure.
HOTP, or HMAC-based One Time Password, is a method of generating a single-use password for your account. This password remains valid until you attempt to log in again, so anyone who has access to that and your password will be able to log in to your account. This is the most common protocol for email and text authentication.
TOTP is preferred over HOTP. It’s the same method of authentication, but the beginning “T” stands for time-based, meaning this single-use code will expire after a set amount of time, not just when you log in next.
Any 2FA is better than none, but TOTP is ideal. Hardware-based U2F is even better.
How Safe is Two-Factor Authentication?
While 2FA goes a long way in securing your online accounts, it doesn’t come without issues. Hackers are adaptable little devils and 2FA isn’t a new method of online security.
In short, 2FA is safe, but not all forms of 2FA are made equally.
Most websites have some sort of multi-factor authentication built in. Dropbox, Google Drive and Rackspace are among the long list of sites that support it. However, these sites use email or SMS verification in most cases, which can leave your digital pants down.
All keys generated through this method of authentication are HOTP, meaning they’re single-use and don’t expire until you log in again. A hacker could intercept the text message while it’s being sent and find the code. This hacker would have to be actively seeking the text message, but it’s not out of the question.
The more offensive of the two is email verification. A lot of people use bad passwords for their accounts and, even worse, use them multiple times. If your PayPal and email share a password, then it’s a walk in the park for a hacker to log in to your email account, find your code and gain access to your PayPal.
We recommend a password manager like Dashlane (read our Dashlane review) to combat this. The best password managers will help you generate strong, unique passwords and store them all in a secure place.
HOTP methods are more secure than your password alone, but they aren’t free of risk. It’s important we get that out of the way before diving in, as the apps we’ll recommend use TOTP instead.
Even if the service provides 2FA, it’s better to use one of our suggested apps. These time-based codes leave far less wiggle room for hackers to snake their way in and breach your account.
The Best 2FA Apps
It’s time to run down our best 2FA apps. We’re looking for a few things from an application to separate it from the normal 2FA provided by Dropbox, Rackspace, etc. directly.
The most important is that the app is using TOTP instead of HOTP. It is more secure, only allowing a short window for hackers to use the code (usually a matter of seconds). U2F solutions are better, but those are hardware, not apps. We’ll address them in a separate section.
Anyone that has 2FA enabled knows the process can be unbearably annoying. Entering your passwords, then waiting (sometimes for minutes) for a text to arrive isn’t fun.
Because of that, we’re looking at ease of use and speed. We want our 2FA apps to quickly generate a code, so the pain of a second factor doesn’t hurt as much. We’ve heard of people disabling 2FA because it took too long, and that’s not where we’d like to see any of our readers.
Lastly, we want the apps to be free. No one should have to pay for a more secure online experience, given how dangerous the internet is. We’re relating it to your first factor, your password. If any online service charged you to set a password, that’d be absurd, and we see no difference between that and your second factor.
For 2FA, no app comes close to Authy. It’s convenient, responsive and feature-packed, making it an obvious first choice on our list. It’s free and available for Windows, Mac, iOS, Android and Chrome.
Any site that supports Google Authenticator supports Authy, as well. You use your phone to scan the QR code provided by sites such as Amazon, Google and Facebook to add your new account to the Authy interface. If you’re using a non-mobile version of the application, you can enter the authentication key manually.
Authy generates a code each time you open the app. You’ll have 20 seconds to log in after which Authy will move on and generate a new code.
Twenty seconds doesn’t sound like a long time, and the ticking expiration timer is anxiety-inducing. After some use, though, we like how short the time span is. It’s easy to adapt to and speeds up the 2FA process.
The interface is nice to look at, too. Authy takes up the full screen on your mobile device to display your code, fit with the color scheme of the site your authenticating and a logo. Your accounts are displayed in a row on the bottom, so switching between them is simple.
There are two things that make Authy stand out from other authentication apps: backups and multi-device sync. One of the daunting things about 2FA is what happens when you lose your device. For rudimentary methods, it means being completely locked out of your account.
Authy allows an optional, encrypted backup of your accounts in the cloud. If you lose your phone or can’t gain access to Authy, you can use your backup password to download and restore your accounts.
This works in conjunction with multi-device sync. Unlike many 2FA applications, Authy is available on mobile and desktop operating systems. You can sync your accounts across devices, so you don’t need to dig for your phone when logging in on your laptop. Like backups, this is an optional feature.
Google Authenticator is another great choice for 2FA. Authy borrows its list of supported websites, which is large. However, it lacks the punch in features that Authy has, despite the supported websites and a free price tag.
This app is mobile-only, so you’ll need to have your phone handy at all times. It’s a small nuisance as most people have their phones on command anyway. Google Authenticator is available for iOS and Android.
The interface is more to-the-point than Authy’s. Instead of utilizing the whole screen with a single code, Authenticator lists your accounts, each with a time-based code. It doesn’t have the flair of Authy, but it still works.
Like Authy, Google Authenticator uses TOTP, meaning you have a small window of time to use the generated key before it expires. It generates keys as you tap on items in your window, which is strange coming off of Authy’s interface.
Adding new accounts is the same process. When you install the app, you’ll be met with a screen to add new accounts through a QR code or by manually entering the security key.
Google Authenticator slacks behind Authy in two areas. The classic form of 2FA doesn’t offer multi-device sync or backups for your account. Multi-device sync hurts from an ease of use standpoint, but isn’t as concerning as the lack of backups.
There is a form of account restoration, but it’s more old-fashioned than Authy’s implementation. Authenticator gives you a list of backup codes you can use if you lose your device. It’s a workable form of restoration, but not as elegant as Authy.
Transferring to another device is also a hassle. Since Authenticator is tied to a single device, you have to manually change it in your Google settings when you switch phones. Changing to a new device only produces a new token for Google, not for all the accounts in Authenticator.
You’ll have to disable and re-enable 2FA manually for those accounts.
It’s difficult recommending Google Authenticator over Authy. While the app gets the job done, it doesn’t come with the bells and whistles or excellent user experience that Authy does. However, since both are free, it’s worth it to download them and see which you like more.
Honorable Mention: LastPass Authenticator
LastPass Authenticator is a separate tool from LastPass (read our LastPass review), one of the top-rated free options among our password manager reviews. It sits between Authy and Google Authenticator, with backups and multi-device sync, but a dated interface.
It’s not as dated, however, as Google Authenticator. It shows a similar looking list of accounts, fit with TOTP codes. When you tap on one, it’ll pull up a timer for three minutes. You’ll have that long to log in to the site and enter your code.
You have the same list of supported apps, as well. Anything that offers Google Authenticator 2FA can be entered into LastPass Authenticator. Pull up the QR code and scan it with your phone or enter the authentication number to add an account.
One feature that sets LastPass Authenticator apart is one-touch login. For some accounts, you can tap to confirm within the app as your second factor, instead of entering the time-based code. The list of supported sites includes the best note-taking apps such as Evernote and Google Keep.
Other notable inclusions are Amazon, Facebook and Dropbox.
Unfortunately, LastPass Authenticator doesn’t integrate with LastPass. While we’re not sure how the technology would work, it would be nice if LastPass could import the accounts from your vault. Any way to tie the two together would set this authenticator above the rest.
It makes an appearance in our honorable mention slot for that reason. LastPass Authenticator doesn’t do anything more than what Google Authenticator or Authy can. It’s just another option.
Best Hardware 2FA Keys
If you’re focused on security, hardware-based U2F is the best way to go. We’ll compare software to hardware at the end of this section, but, for now, we’re going to run down the best hardware 2FA keys.
Once a physical object is introduced, the criteria change. Instead of ease of use, we’re looking at size as a primary factor. We want small hardware keys that don’t take up much space or run the risk of being broken in a laptop mishap.
Additionally, we’re looking for strong keys. Usually, one of these devices will live on a keychain, rattling around with other pieces of metal. It needs to stand up to whatever beating your keys can take (or dish out).
While ease of use isn’t our primary factor, it is a concern. Hardware-based keys help in security, but also come with a bump in user-friendliness. NFC-enabled keys and automatic authentication are things we’re looking for.
For all the extras hardware keys bring, they also carry a price tag. As with all our pricing evaluations, we’re looking at value over cost. If the key has enough features, the cost isn’t as relevant.
YubiKey is the best recommendation for hardware 2FA keys. It’s such a popular solution that the name has become synonymous with hardware-based U2F authentication. While keys aren’t cheap, YubiKey satisfies all our criteria with honors.
We’re using YubiKey as an umbrella term for all authentication keys Yubico offers. There are a few different options, with changes in form factor, authentication method and connection type. For our overview, we’re going to look at the YubiKey 4.
This baseline key is offered in four flavors. There are keys for USB-C and USB-A in full-size or nano. Nano sizes will protect against a laptop fall, but look like they need a pair of pliers to get out.
If you go with a full-size variant, falling shouldn’t raise many issues. YubiKeys are resilient. The keys have no batteries or moving parts and are built to withstand water, dirt and brute force.
We’ve talked about the FIDO U2F protocol for these hardware-based keys, but YubiKey supports many different protocols. You have OTP, HOTP, TOTP, Challenge and Response, PIV Smart Card, Open PGP, U2F and static passwords.
Static passwords are the most interesting inclusion. It’s intended for legacy systems that can’t be fixed up with a second form of authentication. It randomly generates a 38-character static password for any application log-in.
That flexibility is what makes YubiKey special. It’s the de facto choice for individuals concerned with their security, journalist’s protecting their privacy and businesses that want to add another layer of protection to their infrastructure. Google even uses YubiKey to secure its employees accounts.
Yubico also offers YubiKey NEO, an NFC-enabled key for mobile devices. You can tap it on the back of your phone once it’s set up to authenticate automatically.
YubiKey supports a lot of applications out of the box, including Windows, macOS, Twitter, Facebook and Google. Outside of those accounts, we recommend using it with a password manager. Some of the supported ones are Dashlane, LastPass and Keeper (read our Keeper review).
You can use YubiKey with a VPN, as well, but this method of 2FA is intended for a VPN in a corporate environment. Yubico has a guide on how to use YubiKey with a corporate VPN using a custom solution.
Kensington is a big name when it comes to security. The VeriMark USB Fingerprint performs a similar function to YubiKey, but lacks the customization. Even so, it adds a fingerprint scanner into the equation, protecting against a lost or stolen key.
It’s a compact design, slightly larger than the nano offering from Yubico. The butt of the USB authenticator has the fingerprint scanner with full, 360-degree readability and anti-spoofing protection. The fail rate is low, too, with a false rejection coming in at 3 percent and a false acceptance at two ten-thousandths of a percent.
The VeriMark only supports U2F, so it’s not as flexible as the YubiKey. However, this protocol is ideal in most situations. The key is Windows-only, with support for account login on Windows 10, 8.1 and 7. It comes with a Windows password manager as well, but it’s not exciting and only supported on Windows 10.
We’d recommend using another password manager with this key, and it seems Kensington would, too. The device supports leading password managers like Dashlane, LastPass, Keeper and RoboForm (read our RoboForm review).
The key is plastic, similar in size and construction to a USB Bluetooth receiver, though slightly fatter on the backend. It doesn’t come with a keyhole built into the device like YubiKey does.
Instead, it uses a cover to attach to your keyring. The cover is plastic as well, but does protect the connection from the elements.
Still, it’s not the ideal solution that YubiKey is. The VeriMark can fall out of the cover if bumped and the fingerprint scanner can be mucked up from being outside. From a physical standpoint, it’s not as durable or secure as the YubiKey.
Its small form factor does protect against a laptop drop, though.
The Kensington VeriMark isn’t as robust as the YubiKey, but adds a layer of security with the fingerprint scanner. It’s a simple and secure way of 2FA that allows you to add biometric entry to Windows and your online accounts. Mac and Linux users are better off with the YubiKey, though.
Compatibility with Windows is one of the key’s strong points. It makes logging in and using Windows a fluid experience with support for Windows Hello. It’s a small edge over the YubiKey that warrants a second place slot for hardware keys.
Honorable Mention: Thetis
Thetis isn’t the best U2F key available. We’d use YubiKey or VeriMark over it if given the option. It makes our list as a honorable mention because it’s less than half the price of either of those devices and performs a similar function.
It’s a FIDO U2F security key, meaning you don’t have the different protocols or encryption methods offered by YubiKey. For a device used strictly for 2FA, though, it suffices.
Any application that supports U2F authentication is fair game for Thetis. Some websites include Google, Facebook, Dropbox, Github and Salesforce. You can use the key for logging into Windows, macOS and Linux, as well.
The design is similar to a rotating USB drive with a keyring hole at the top. The shroud is made out of aluminum, but the key is constructed of a semi-opaque plastic.
It has about the same rigidity as a USB drive, meaning it’s not durable. It doesn’t run the risk of falling off your keyring like the Kensington VeriMark, but could break if accidently swiveled out or dropped while in a laptop.
For a cheap key, there isn’t much to complain about with Thetis. It bumps up the security of a software-based solution without costing too much. If you’re looking for a business solution or something with a few more options, we still recommend YubiKey, though.
Hardware or Software?
Now that we’ve shown you our first picks in the hardware and software realms, the question becomes which you should choose. There are pros and cons to both, but for the security-minded, we’d recommend a hardware-based solution.
You have access to a greater number of protocols, the most important of which is U2F. The code is hard baked into the key, meaning it’s impossible for anyone to authenticate your accounts without access to it.
It’s unlikely you’ll lose the key, too, at least, more unlikely than losing your phone. These keys are meant to live next to your house and car keys, meaning if you lose it, you probably have more to worry about than your online accounts. If you do lose it, disassociate it from your accounts and add a new one.
The extra security comes with a price tag, which is where software solutions pull ahead. If you’re using no 2FA or relying on text messages and emails, then Authy or Google Authenticator are still upgrades. It’s not as secure as a hardware solution, but, for ultra-tight budgets, it’s better than nothing.
It’s clear that hardware keys are a more secure and convenient method of 2FA. The only restricting factor is price. If you’re wallet doesn’t have the cash to shell out, go software, but if you can cough up the $50 or so, you should be using a hardware key.
Two-factor authentication, for all the problems it has, is still better to have than not. We don’t recommend SMS or email verification, but a mobile-based application or U2F hardware key will work in securing your online accounts.
Out of the options presented, we’d recommend YubiKey overall, with Authy taking a close second place. These two solutions are leaders in their respective areas and offer an extra layer of security and convenience at two different price points.
2FA is only one step in security, though. There are a lot of different ways to keep yourself protected online, from secure cloud storage and online backup to using a VPN. Check out our lists of the best cloud storage, best online backup and best VPN to make sure you cover all your digital bases.
What method of 2FA are you using? Let us know in the comments below and, as always, thanks for reading.