Two-factor authentication (2FA) is essential for securing your accounts these days. It isn’t enough to have a password anymore. Between password leaks, and weak and reused passwords, it’s too easy for hackers to figure out your secrets and break into your accounts. 2FA fills in the security gaps—but not all 2FA is created equal. For most people, authenticator apps offer the best mix of convenience and security. But which one is best for you?
While any 2FA is better than no 2FA, using an authenticator app is more secure than SMS-based authentication. The premise is the same for each: When you attempt to log into an account, you’ll be prompted to provide a code to prove your identity. SMS-based authentication sends the code via text message, while an authenticator app will have the code locked within, changing it every 30 seconds. Bad actors can hijack your phone number through SIM swapping or text message forwarding, potentially stealing your codes before they get to you. With a dedicated app, however, the codes remain in your possession alone.
Should you use the 2FA features of a password manager?
Some password managers have authenticators built-in. If the password manager you use has one (and you should be using a password manager) you can always go ahead and use it. However, some lock 2FA behind a paywall, so if you’re using the free version of the service, you won’t be able to store your codes here. Plus, it can be helpful to have a separation of church and state, so to speak. Keeping your passwords separate from your authentication codes means you’re protected if one of the vaults suffers a data breach.
There’s one caveat to this, in my opinion, which is why I recommend it to a lot of people:
Apple’s built-in authenticator tool
If you have an iPhone, iPad, or Mac (or maybe all three), the easiest way to get into authenticators is by using Apple’s built-in tool. With iOS 15 and macOS Monterey, Apple added 2FA to iCloud Keychain, the company’s password manager.
Many of us entrenched in the Apple ecosystem already save our passwords to iCloud Keychain, so setting up 2FA verification codes directly in this tool is a convenient option to increase the security of our accounts. Codes are encrypted by your iCloud password, and the service supports autofill across Apple devices. That means you can autofill your password, then autofill your 2FA code when prompted, speeding through logins.
Again, the most secure solution is to use a separate app, but since iCloud Keychain is protected by both your iCloud password and its own 2FA, and it offers a free and convenient way to set up 2FA for your various accounts, I think it’s a great option for Apple users.
For Android users looking for the best authenticator app on their platform, Aegis might just take the cake. It’s free, open-source, and not tied to a proprietary system, like Google. That means, in part, you’re free to take your tokens and import them to another device.
Best of all, when you set up a password for Aegis, your codes are all encrypted. It won’t matter who has access to your phone or the app: As long as they don’t know the Aegis password, they’ll never be able to access your codes. While it doesn’t support native-device sharing, you can back up your codes and transfer them at your leisure.
Aegis built its brand on its simplicity. It isn’t flashy, and it isn’t feature-filled. It stores your tokens, encrypts them, and lets you transfer them to another device if need be. That’s all you need from an authenticator app, and that’s why people on Android love Aegis.
Just as Aegis is the king of authenticators on Android, Raivo OTP might be the GOAT for Apple users. For anyone in the ecosystem looking to graduate from iCloud Keychain, Raivo’s open-source platform offers some powerful authentication to protect your accounts.
Like Aegis, Raivo encrypts all codes saved to the app, protecting your accounts from prying eyes. You can either choose to store and encrypt them directly through Raivo, in which case they’ll be locked behind your chosen Raivo password, or choose to sync through iCloud, in which case the codes will be encrypted behind your iCloud password.
Raivo syncs your codes across all of your Apple devices. If you initially set up the account on the iOS Raivo app, but you’re trying to log in on your Mac, you can use the macOS app to do so. You can create encrypted ZIP archives of your codes, as well, for easy local backup.
It even comes with fun features, such as a dark mode and custom icons for each account. Authentication doesn’t have to be so serious, after all.
Google Authenticator is, like most Google products, the default authenticator option on Android. That said, it has an iOS app, too, so no matter which platform you work on, you can use Google Authenticator.
The app does not offer cloud backups, which poses a major data risk should anything happen to the device you keep it on. It’s a frequent problem when switching smartphones (do not get rid of your old phone until you’ve transferred your codes). However, that’s a good thing as far as security is concerned. Storing your codes on one device and one device only means there is zero risk of someone breaking into your cloud account and stealing them. As long as your smartphone is locked, your codes are safe.
Microsoft Authenticator is a convenient option for Microsoft users (obviously), but also for anyone with multiple types of accounts. You can store your personal codes in the app, alongside codes for work or school accounts, with proper protections in place for each. That makes it a popular option for organizations when setting up 2FA among their members.
It supports autofill, so you won’t need to dive into the app itself every time you try to log in. Microsoft also offers account recovery by backing up the app to the cloud. Again, this isn’t the most secure way to store your 2FA codes, but it does ensure you have a path to recover your accounts should you lose access to the current device.
Authy is one of the OG authenticator apps, billing itself as a more convenient version of Google Authenticator with support for cloud backups of your codes. It also supports syncing across multiple devices, so you don’t need to refer to one device when trying to log into another.