Leaks and hacks have made it clear that passwords alone are not enough to protect your online accounts. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds an extra layer of protection. PCMag has been covering security software for over 30 years, and all of our in-house experts frequently encourage our readers to use MFA. Using an authenticator app is one of the easiest and most secure ways to do this: it's more secure than one-time codes sent via SMS, which are riskier than people think. We don't recommend LastPass Authenticator because its online backups were compromised in the LastPass breach last year. We also don't recommend Authy because it's vulnerable to SIM swapping attacks. After our list of the best authenticator apps, we'll go into more detail about how they work and what criteria you should consider when choosing one.
Great for privacy and backups
2FAS
2FAS is a simple yet full-featured app with all the features you need in an authenticator app. You can add your online accounts manually or using a QR code. It can create cloud backups of your registered accounts to iCloud on Apple devices or Google Drive on Android, which is important if you lose your phone or get a new one. Backups are encrypted and can only be accessed through the 2FAS app. 2FAS does not require a phone number or the creation of an online account, making it immune to SIM swap fraud. You can set a PIN to access the app, or use Face ID or Touch ID on iPhone. It's always available with a widget on your home screen.
Best for Android
Aegis Authenticator
Aegis Authenticator is a free, open-source option for Android users. It's available from Google Play or the open-source F-Droid catalog. Authentication tokens are encrypted at rest and require password or biometric unlocking to be accessed. Aegis automatically provides encrypted backups to your online storage provider of choice, as long as the provider supports Android's Storage Access Framework (most major cloud storage services do). Aegis lets you import accounts from your existing authenticator, and the app offers great organization tools, including custom icons for accounts, custom login groups, and search.
Perfect for the workforce
Duo Mobile
Duo Mobile is specifically made for business users, but it can also be used for personal logins now that it's part of Cisco's portfolio. Duo Mobile comes with enterprise features like multi-user deployment options and provisioning, one-tap push authentication, and one-time passcodes. It's a simple authenticator app, and if you use it, you'll appreciate the ability to back up your login information using Google Drive on Android and iCloud Keychain on iPhone.
Great for backing up to Google Drive
Google Authenticator
Google has enhanced its authenticator app to include the all-important backup feature. To enable this backup, you need to sign in with your Google account. Signing in is a double-edged sword: it backs up your login information, but if that Google account is hacked, all of the accounts protected by Google Authenticator can be hacked along with it.
When you use Google Authenticator to log into your Google account, you enter the six-digit code that appears in the authenticator app, just as you would when logging into any other service. If you have an old phone, you can use the app to transfer your login info from the old phone to the new one. Google Authenticator doesn't have an Apple Watch or Android Wear app.
Perfect for your Microsoft account
Microsoft Authenticator
In addition to providing a standard time-based one-time passcode, Microsoft Authenticator includes optional secure password generation and lets you log into your Microsoft account with the press of a button or by tapping a two-digit number in a push notification. It is available for both Android and iOS. The app allows you to enroll your device at school or work. If you use the app, you can turn on account recovery, so that when you get a new phone, you'll see the option to recover by signing into your Microsoft account and providing additional verification. For added security, you can require that you unlock your phone with a PIN or biometrics to show the code. Password management options are located in a separate tab at the bottom. If you sign into the same account in the Edge browser, you'll see your saved and synced logins there.
Buying Guide: Best Authenticator Apps for 2024
What is multi-factor authentication?
As the name suggests, MFA means using more than one type of authentication to unlock an online account or app. Typically, the first factor is a password. MFA adds another factor on top of that password. Experts categorize authentication factors into three groups:
- Something you know (a password, for example)
- Something you have (a physical object)
- Something you are (a fingerprint or other biometric characteristic)
Using an authenticator app pairs your password (something you know) with something you have: a token, a smartphone, or a smartwatch.
How do authenticator apps work?
Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six-digit numbers that refresh every 30 seconds. Once you set up MFA, every time you want to log in to a site, you open the app or website, enter your username and password, and when prompted, enter the code that your authenticator app shows you into the secure login page. And you're done! “Time-based” means that the code is only valid for a short time, like 30-60 seconds. This makes it harder for someone to steal your code and log into your account because they only have a short time to log in.
The code is generated using the standard HMAC-based One-Time Password (HOTP) algorithm approved by the Internet Engineering Task Force: the app computes an HMAC over the long secret key delivered in the QR code and the current time step, then truncates the result to a six-digit number.
The authenticator app has no access to your account, does not communicate with the site after that initial secret transfer, and simply generates codes; it does not require phone service or an Internet connection to operate.
The protocols used by these products are usually based on the same standards, so you can mix and match brands, for example using Microsoft Authenticator to access your Google account and vice versa.
How to set up an authenticator app
To set up MFA in an app instead of by text message, go to the security settings of your online account and look for a section for multi-factor or two-factor authentication. Nearly all financial sites have this feature, as do many other types of online accounts. Most sites will list a simple SMS code option first, but look beyond that for support for an authenticator app.
The most common way to set up MFA is to use an authenticator app on your phone to scan a QR code on the site. You can scan the code with multiple phones if you want a backup. Financial sites usually also provide account recovery codes as an extra backup. Store them somewhere safe, such as in a password manager. The codes act as a replacement for your authenticator app, so if you lose or break your phone, you can enter one of these codes to log into your account.
What should you look out for when choosing an authenticator app?
Backing up your account information
One thing to look out for when choosing an authenticator app is whether it backs up your account information (encrypted) in case you no longer have the phone you originally set it up on. All of the apps mentioned here do this.
No SMS code
As mentioned above, we prefer authenticator apps that don't verify you or your device with a code sent via SMS during setup. Most authenticator apps don't do this. Authy does, which is one of the reasons we didn't include it in our roundup of the best authenticator apps.
What is the most secure third-party authenticator app?
The security of these apps comes from the underlying principles and protocols, not from the implementation by individual software manufacturers.
Editor’s Recommendation
Aegis Authenticator and Microsoft Authenticator offer a slight security advantage in that they can be set up to require a biometric login to access the codes needed to unlock your online accounts.
Is there anything more secure than an authenticator app?
Using an authenticator app is one of the better types of MFA, and using some kind of MFA is always better than no MFA at all. Authenticator apps are free, easy to use, and widely available. However, the best and most secure option is a dedicated hardware security key. The one we recommend most is the Yubico Security Key C NFC.
MFA security keys generate a code that is sent via NFC or by plugging the key into a USB port. Unlike smartphones, they have the advantage of being single-purpose, hardened security devices. Why are they more secure? Although it is not a common threat, your smartphone could be running malware-infected apps, and those could intercept the authentication codes generated by an authenticator app on the same phone. Security keys have no batteries or moving parts and are extremely durable, but they are not as convenient as a phone. You can use these devices to protect your Apple, Google, or Microsoft accounts.
Another common method of MFA is a one-time passcode sent via text message, but it's not as secure as an authenticator app or security key. Sure, your bank might text you a code and you enter it to access their site, which is a form of MFA. But receiving the code over the phone network has proven to be particularly insecure: criminals can reroute text messages. Authenticator apps on your phone generate codes that never cross your mobile network, making them less likely to be leaked or intercepted. Plus, if the text message appears on your lock screen, anyone holding your phone can read the code.
Finally, never install unknown and unrecommended authenticator apps, even if they seem secure. Malicious look-alike apps are popping up on app stores, so stick to the best authenticator apps recommended by big names.