Two-factor authentication (2FA) is one of the most important aspects of keeping your online accounts protected. Even with the best online security practices, you can always fall victim to a data breach. With 2FA, you don’t need to worry about that. In this guide, we’re going to run down the five best 2FA apps, as well as give some general information about what 2FA is and why it’s important.
In short, Authy is the best two-factor authentication app. Besides supporting time-based codes, Authy comes with encrypted backups and supports nearly every device on the market (including the Apple Watch). There are some alternatives, though, both in hardware and software form.
Authy is the best authentication app available. It supports TOTP, which most major websites support, and it comes with encrypted backups and multi-device sync.
Authy is better than Google Authenticator in a few ways. In addition to supporting the same list of websites and services, Authy also comes with free cloud backup and multi-device sync, allowing you to use 2FA no matter what device you’re on.
Two-step authentication can be hacked through man-in-the-middle attacks, though this is becoming increasingly less likely. More commonly, 2FA is vulnerable to account recovery attacks and phishing schemes.
What Is Two-Factor Authentication?
Two-factor authentication — or two-step verification — is a security feature that adds an extra layer of protection to your online accounts. Instead of using just a single factor to authenticate your identity, like a password, you use two different factors, usually your password and a one-time code sent via SMS or email.
By spreading the risk across two factors, it’s much less likely that an attacker will be able to unlock one of your accounts. For example, if you have a compromised password in a data breach, the attacker won’t be able to unlock your account with your password alone. They’ll also need your second factor.
Although multi-factor authentication tools like OneLogin consider everything from the IP address of the login attempt to the time of day, there are three main factors most online services use:
- Something you know: usually your password
- Something you own: your mobile device, a 2FA app or a 2FA hardware key
- Something you are: your fingerprint, face scan, etc.
Most websites support 2FA in some form, including Amazon, PayPal, Reddit and all major social media platforms. It works by combining two of the factors listed above, so you might use your password as your main factor and a 2FA app as a secondary factor.
There are some differences between factors, and there are even differences in how one-time codes are generated and sent to you. We have a deep dive into what two-factor authentication is if you need more information.
For the purposes of this guide, we’re focusing on 2FA apps like Microsoft Authenticator and Authy. These apps work on iOS and Android, usually providing you with single-use codes or push notifications on your mobile device. We’ll also briefly touch on hardware keys that use either a hardware token or fingerprint scanner to approve your login.
What Makes the Best 2FA Apps?
Two-factor apps use one-time passwords (OTP) as your second factor. Most apps work the same way. After turning on 2FA on your account, you can scan a QR code to tie that account to your app. Every time you log in, your app will automatically generate a code, which you’ll need to enter to unlock your account. The code is usually a six-digit time-based, one-time password (TOTP).
Before getting into how we chose them, here’s a rundown of our top five picks:
- Authy — Easy to use, feature-rich and supports multi-device sync
- Google Authenticator — A widely adopted standard across major websites
- andOTP — An open-source alternative that has more features than the competition
- LastPass Authenticator — Similar to Google Authenticator, but works within the LastPass ecosystem
- Microsoft Authenticator — Also similar to Google Authenticator, but works especially well with Microsoft services
Above all else, security is our main concern. Although 2FA apps are fairly simple — unlike the best password managers — there were still a few areas we paid attention to. We chose apps that include TOTP and HMAC one-time password (HOTP) support, as well as apps that include backups (read our description of encryption for more).
Website support is also important. Although most major websites support 2FA, not all of them do. Furthermore, among the sites and services that support 2FA, some only support specific apps.
Google Authenticator is really the baseline here, because nearly all sites that support 2FA support Google’s app as well. For example, LastPass Authenticator and Authy aren’t explicitly supported by as many sites and services. However, they still use TOTP, making them compatible with all services that support Google Authenticator.
Beyond that, we considered ease of use. 2FA works so well because it’s simple. You just need something you know and something you own. Anything beyond that can muddy the experience, and worse, potentially turn off some users. The goal is to add an extra layer of security to your online accounts with little to no hassle.
Otherwise, there are features like encrypted backups and multi-device sync. These features also heavily informed our rankings. It’s also worth mentioning that all of the apps below are free.
The 5 Best 2FA Apps
With the ground set, let’s run down the five best 2FA apps.
1. Authy
More details about Authy:
- Pricing: Free
- Website: authy.com
- Apple Watch support
- Includes encrypted backups
- Supports crypto wallets
- Not open-source
Authy combines all the elements we want to see in a 2FA app under one roof. It’s totally free, automatically syncs across your devices and it works without an internet connection. It’s also very easy to use, with widget support on Android and support for the Apple Watch. If you’re looking for a 2FA app that does it all, Authy is for you.
As far as website support goes, Authy 2FA tokens work with any service that accepts TOTP-based authenticator apps. Authy even maintains a database of services it supports, complete with step-by-step instructions for how to enable 2FA on those services. In addition to password managers like Keeper, cloud storage like Box and encrypted email services like ProtonMail, Authy also supports cryptocurrency wallets.
Security is excellent, too. Authy supports encrypted backups for free, allowing you to store your account data in the cloud and sync it across your devices. That way, you can always restore your account, even if you get a new device. If you decide not to back up your data, Authy has a recovery system in place, too.
Authy also works without an internet connection, generating codes directly on your device and automatically flushing them every 30 seconds. Furthermore, Authy does all of that for free — not because it serves ads but because it charges businesses a fee for generating tokens. Authy does just about everything right, so it takes an easy first place and is our pick for the best 2FA app overall.
2. Google Authenticator
More details about Google Authenticator:
- Works with most major services
- Very easy to use
- Lacking features
Google Authenticator is the app that started it all, and it still works well to this day. The app generates tokens on your device without an internet connection. Plus, it’s easy to link accounts through a QR code and nearly all websites that accept TOTP-based apps support Google Authenticator explicitly. It’s the baseline.
It’s just the baseline, though. Compared to Authy, Google Authenticator is missing a lot of features. It doesn’t tie to your Google account, which is good for security but bad for account recovery, and it doesn’t support syncing across multiple devices or backups. Thankfully, you can transfer your data between devices by scanning a QR code.
Google Authenticator is an old workhorse. It’s reliable, supports basically everything and is easy to use. However, it’s missing some key features compared to other 2FA apps. We suggest Google Authenticator if you want a simple, no-nonsense 2FA app. If you’re looking for a little more functionality, there are other options.
3. andOTP
More details about andOTP:
- Pricing: Free
- Website: Find it on GitHub
- Supports HOTP
- No iOS support
andOTP is a free and open-source app for generating TOTPs and HOTPs. Like our other options, it doesn’t need an internet connection, and it supports any service that supports TOTP. Although andOTP doesn’t do much differently than the other options on this list, it’s open-source, and that’s usually a good sign.
Over Google Authenticator, in particular, andOTP supports encrypted backups. The app backs up your data on your device and encrypts it with a password you set. If you ever need to restore your account, you can decrypt your data using a tool from the andOTP community or through OpenPGP.
Additionally, andOTP has a number of internal security features including tap-to-reveal and a panic button. The panic button is an interesting addition, allowing you to wipe everything on your device with a single tap. andOTP is an excellent 2FA app, but it only supports Android. Thankfully, it supports all versions of Android, as well as rooted devices.
4. LastPass Authenticator
More details about LastPass Authenticator:
- Pricing: Free
- Website: lastpass.com/auth
- Encrypted backup support
- Push notification verification
- Missing some app features
LastPass Authenticator stands out mostly because it comes from LastPass, which is easily the best free password manager on the market. In addition to supporting TOTPs, LastPass Authenticator also supports push notification–based verification for Amazon, Evernote, Google, Dropbox and Facebook — a first among 2FA apps.
Additionally, it supports backups through the LastPass servers. We’ve already vetted LastPass’ security system — just see our LastPass review — so we know these backups are safe. You can also adjust the timing of codes in the app, either extending or reducing the window in which the code is valid.
If you don’t have a password manager already, LastPass is the best option if you’re not interested in spending money. Plus, LastPass Authenticator is a perfect pairing with the password manager. Although it’s not as feature-rich as Authy or Microsoft Authenticator, LastPass Authenticator offers everything you need to add an extra layer of security to your online accounts.
5. Microsoft Authenticator
More details about Microsoft Authenticator:
- Pricing: Free
- Website: www.microsoft.com/authenticator
- Supports passwordless authentication with Microsoft apps
- Supports certificate-based authentication
- Not open-source
Microsoft Authenticator is a deceptively simple app. It supports every service that supports TOTPs, automatically generating codes on your device with or without an internet connection. There’s a little more going on under the hood, though.
The app supports passwordless authentication for Microsoft apps, including OneDrive and Office 365. With the app, you can approve your login using your phone’s fingerprint scanner, a face scan or any other way you can prove that you are who you say you are on your device. Microsoft Authenticator supports cloud backup, too, either through Microsoft’s own servers on Android or through iCloud on iOS.
There are also some upsides for businesses, the most important of which is certificate-based authentication. Businesses can use a certificate on a device to authenticate a login attempt rather than a one-time password. You can also lock your app, hiding your 2FA codes and services until you authenticate with biometrics or some other means.
Overall, Microsoft Authenticator is the clearest competitor to Google Authenticator. It has more features and it’s just as easy to use. That said, if you don’t use Microsoft apps or services, you might get more use out of an app like Authy or LastPass Authenticator.
Two-Factor Authentication Apps We Don’t Recommend
There aren’t many 2FA apps with glaring security issues, and if they show up, the App Store and Google Play are usually quick to shut them down. So, although we can’t point to specific apps you should avoid, we can tell you about some best practices.
Two-step verification systems aren’t built equally, and although it’s better to have 2FA than to not have it, some systems provide little to no extra security. Any two-step systems that use the same factor twice are problematic. For example, your password and a code sent to your email are both things you know — the only thing protecting your email is a password, after all.
Although it’s becoming less common, security questions still show up as a strange form of 2FA. We always recommend lying on these questions, then jotting down your response in a password manager like 1Password (read our 1Password review). Between social media and other online services, it’s usually not hard for an attacker to figure out the answers to your security questions.
The only apps we wouldn’t recommend are paid ones. For example, Authenticator Plus on Google Play is rife with issues, and it costs $2.99. There are plenty of free options available, and if you don’t trust the likes of Google and Microsoft, there are open-source options like andOTP and FreeOTP.
The Best 2FA Hardware
The earliest forms of 2FA used hardware keys instead of software, and there are still hardware keys available today. Instead of using TOTP, most devices use the Universal Second Factor (U2F) standard. These devices authenticate with a unique hardware token, and they’re generally origin-bound, making them safer overall.
Although we still recommend software 2FA for most users, there’s a place for hardware keys. Here are our three favorite options.
1. Yubico YubiKey 5
More details about Yubico YubiKey 5:
- Pricing: $20-$70
- Website: www.yubico.com
- Supports multiple protocols, including TOTP & U2F
- Multiple connection options available
Yubico is synonymous with hardware 2FA. Its YubiKey line includes a range of multi-protocol, USB drive–like devices for a variety of different connections (including USB-C, USB-A and Lightning). The multi-protocol bit is what makes YubiKeys stand out. In addition to U2F, YubiKey also supports HOTP and TOTP, allowing you to use the hardware with most online services.
In most cases, all you need to do is plug in the YubiKey and tap to authenticate your login — no messing about with codes or anything else. Some YubiKey devices support NFC, too, allowing you to authenticate mobile logins with a tap.
The big reason to buy a YubiKey, though, is that they’re origin bound. That means the token inside is directly bound to the destination site or service, bypassing any issues with phishing. If you’re targeted in a phishing scheme, YubiKey simply won’t authenticate the login.
The downside is cost. Even among hardware 2FA devices, YubiKeys are expensive. Prices start at $45 for the YubiKey 5 range and go up to $70 based on the connection and features you want. There are some cheaper options in Yubico’s Security Key line, though they’re not as feature-rich as the YubiKey alternatives.
If you’re interested in hardware 2FA and don’t have the cash for a YubiKey, consider a Thetis 2FA device instead. They’re around $20, though they only support U2F (as well as its new version, FIDO2).
2. Kensington VeriMark USB
More details about Kensington VeriMark USB:
- Pricing: $49.99
- Website: www.kensington.com
- Includes a fingerprint scanner
- Works with Windows Hello
- Doesn’t support macOS
- Only supports U2F
The Kensington VeriMark USB is a small USB fingerprint reader that supports U2F. That’s important to note, as the device is a fingerprint reader first and a 2FA device second. Unlike the YubiKey, it’s not meant to replace your 2FA app. Rather, it’s meant to provide a layer of security to Windows devices and U2F-compatible apps.
The device itself is a mini USB adapter with a fingerprint reader on the side. Out of the box, it works with Windows Hello, allowing you to add biometric authentication to your Windows device. It only works with Windows, however; macOS isn’t supported.
Unfortunately, platform support is what holds the VeriMark back most. There are some services that support U2F — including Twitter, Brave, Facebook and GitHub — but the list isn’t nearly as long as services that support TOTP.
The VeriMark USB is a good way to add biometric authentication to your Windows device with the upside of 2FA on certain platforms. You’ll probably still need to use an app to protect everything, though.
3. Google Titan Security Key
More details about Google Titan Security Key:
- Pricing: $25-$50
- Website: Find it on the Google Play store
- Origin bound
- Multiple connection options
- Only supports U2F
Like the VeriMark USB, Google’s Titan Security Key only supports U2F. However, it has some unique upsides, particularly for businesses. Titan works with Google Cloud and Google’s Advanced Protection Program, allowing system administrators to require company-wide 2FA through Google’s hardware.
For personal use, the Titan Security Key isn’t much different on the surface. It supports U2F through USB-A, USB-C, Bluetooth and NFC (depending on the device you purchase). Under the hood, the chip that manages your hardware token has a custom firmware from Google, which constantly monitors for any physical tampering.
Like YubiKeys, Titan Security Keys are origin bound, too. Beyond just checking the URL, Titan keys use a cryptographic process to verify that the service requesting the security token already has that token on record and that you registered it with the service in question.
2FA Hardware vs Software
When it comes to security, hardware 2FA devices are more secure, even compared to the best two-factor authentication apps. That’s because most 2FA keys are origin bound, so phishing schemes aren’t a problem, and they’re hardware-based, so the attacker would need physical access in order to unlock your account.
That’s not to say that hardware 2FA is better overall, though. Keys are expensive and inconvenient. It’s also much easier to lose a USB key on your keychain than it is to lose your phone, and most phones offer remote device wipe anyway.
Support is also a problem. Far fewer services support U2F compared to TOTP, and of the list of U2F-compatible services, most of them are targeted at businesses.
There isn’t a one-size-fits-all solution for two-factor authentication. Software 2FA is the best solution for personal use in most cases, though. It’s free, convenient and offers a huge boost to your online security. However, hardware keys still have their place, particularly if you’re a personal user who’s extra careful online or if you want higher security on business apps.
How Safe Are Two-Factor Authentication Apps & Devices?
It’s always best to turn on 2FA if you can, so although there are vulnerabilities in 2FA apps and devices, that doesn’t mean you shouldn’t use them. Cyber security is generally an odds game, so the harder you can make it for an attacker to hack your account, the less likely you’ll be to fall victim. Still, there are some things you should know about the security of 2FA apps.
Most importantly, they don’t protect you from all forms of cybercrime. A common workaround for 2FA is to use a phishing email or text message. Under the assumption that you’re logging into a trusted service, an attacker can set up a fake website that looks and acts like the real thing. That includes generating a code with your authenticator app, which the attacker can swipe along with your password.
Additionally, hackers can perform targeted attacks like a SIM swap, giving them access to your phone and, in most cases, your online accounts (even Twitter CEO Jack Dorsey fell victim to a SIM swap attack). Account recovery is problematic, too. Some services disable 2FA during account recovery, giving an attacker with your email and password a chance to crack your account.
Then there are network-based attacks. Public WiFi is notoriously insecure, so any apps or devices that rely on an internet connection to generate a password are vulnerable to a man-in-the-middle attack. If you frequently borrow the bandwidth of your local coffee shop, make sure you have a VPN to protect you.
Even with all the potential risks we mentioned, none of them are tied directly to a 2FA app or device. They’re all vulnerable points whether you have 2FA enabled or not. Because of that, it’s always better to have 2FA turned on. A lot of services are cracking down on these vulnerabilities, too.
Webmail services like Gmail are getting better at detecting phishing emails, and there are plenty of encrypted email providers, too. Since the Jack Dorsey attack, mobile carriers are also becoming more aware of SIM swap attacks, and a lot of online services are starting to require recovery tokens whenever you forget your password. In short, having 2FA is more secure than not having it, even if the system isn’t totally secure.
You’re better off using any of the options above — hardware or software — than not using 2FA at all. However, out of the lot, we recommend Authy most. It combines the best elements of the other 2FA apps and is the best option for most people.
That said, LastPass Authenticator, Google Authenticator and Microsoft Authenticator are solid alternatives if you already use those services. Similarly, andOTP is a great choice if you have an Android device and want an open-source 2FA app.