We looked at 48 2FA apps for this round of testing, and we eliminated most because they lacked critical features. We ended up testing 13 authenticator apps.
We looked at so many 2FA apps because app stores are awash in them. Some of these are actually good products from small developers, but we were concerned to see dozens of highly suspicious 2FA apps on both the iPhone and Android app stores.
Although we can’t say whether those suspicious-seeming apps are actually malicious, many had virtually no public information about the app or its developer, and several had names that were similar to those of popular apps. We also saw several apps with ludicrous fees, some of them even charging users to generate codes for specific sites. When you search for a 2FA app, make sure that you download the correct one. If you decide to do your own research, we strongly suggest that you avoid any 2FA app with in-app purchases in its app store listing.
The maker of one of our favorite password managers, Bitwarden, released a 2FA app that you can use without a Bitwarden account. There are risks to storing 2FA codes in a password manager, so we appreciate that Bitwarden introduced an optional separate app. The app has a clean design and we found it easy to use, but unlike Authy or Duo, it doesn’t let you manually set a password to secure your backups.
2FAS is one of the best-looking apps we tested, and we especially liked how clear its onboarding process was. It also offers backups, and it can sync codes between your phone and a browser extension — although for security you’ll have to use your phone to confirm each request to send a code to the web extension. It’s a clever approach, but we don’t think it saves much time.
Microsoft Authenticator is from a trusted name, includes backups if you log in with your Microsoft account (although you can use it without an account), and offers clear and friendly instructions to new users. A recent update has improved this app by focusing more on 2FA, but we still found the design a bit too confusing.
Like Microsoft Authenticator, Zoho OneAuth primarily provides 2FA protection for Zoho users, but it can also store log-in codes for other websites. We had a hard time setting up this app and found its additional features more confusing than compelling.
SaasPass has numerous features, but we weren’t impressed with any of them. The onboarding was confusing, the interface was utterly overwhelming, and we weren’t able to figure out how to do basic tasks like delete a site we added.
The LastPass Authenticator is well designed, and it provided one of the best onboarding experiences we saw. However, it required that we create a LastPass account and also install the LastPass app in order to use its backup feature. We still have concerns about LastPass’s future after several recent security issues.
FreeOTP is an open-source 2FA app from the makers of Red Hat Enterprise Linux. We like that it provides optional encrypted backups and don’t mind its barebones design. But with very little support or documentation online, users of this app will be on their own if they have any trouble.
Did you know you can use your security key to store TOTP codes offline? Just install the Yubico Authenticator, plug in your security key (or tap it against your phone), and then you can use it like any other 2FA app. We don’t recommend it because security keys are expensive and if you lose your key you’ll have lost your 2FA codes. But it could be a good option if you’re very concerned about security and already have a security key.
Some password managers, including 1Password and Bitwarden, can store TOTP information and generate 2FA codes. Apple’s standalone Passwords app can also store TOTP codes, along with passwords and passkeys. There’s some risk to using a password manager to generate 2FA codes, but if using a password manager for 2FA is the only way two-factor can work for you, be aware of the risks, and make sure to use a strong password and enable 2FA for your password manager.
Some larger companies, like Microsoft, offer their own branded 2FA apps that can also generate codes for other sites. If you’re already hooked into these ecosystems, these may be fine options. However, if your employer requires you to use a specific authenticator app that also lets you add your own sites, make sure you’ll be able to access those other sites if you change jobs.
We also dismissed other 2FA apps, including 2Stable Authenticator App, Aegis Authenticator, Authenticator by Matt Rubin, Authenticator Pro, Binaryboot TOTP Authenticator, ID.me Authenticator, Okta Verify, Raivo OTP, Salesforce Authenticator, Synology Secure SignIn, Thomson Reuters Authenticator, Tofu Authenticator, and others for a lack of features or support.
This article was edited by Signe Brewster, Arthur Gies, and Caitlin McGarry.
Click Here For The Original Source
