Leaks and hacks we’ve read about in recent years make it clear that passwords alone don’t provide enough security to protect your online bank account or social media accounts. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. Our security team at PCMag frequently exhorts our audience to use it. Authenticator apps, such as Authy, Google Authenticator, or Microsoft Authenticator, enable one of the more secure forms of MFA. Using one of these apps can even help protect you against stealthy attacks like stalkerware.
What Is Multi-Factor Authentication?
As the name implies, MFA means you use more than one type of authentication to unlock an online account or app. Usually, the first way is your password. MFA means you add another factor in addition to that password. Experts classify authentication factors in three groups: something you know (a password, for example), something you have (a physical object), and something you are (a fingerprint or other biometric trait). When you use one of the authenticator apps included here, you bolster the password you know with the token, smartphone, or smartwatch that you have.
What’s the Best Kind of Multi-Factor Authentication?
Yes, you can implement MFA simply by having your banking site send you a text message with a code that you enter into the site to gain access. However, getting codes by phone turns out not to be the best way to do MFA. A vulnerability in SMS messaging is that crooks can reroute text messages. An authenticator app on your smartphone generates codes that never travel through your mobile network, so there’s less potential for exposure and compromise.
To set up the authentication, you go to the site’s security settings page and look for the multi-factor or two-factor authentication section. Nearly every financial site offers it.
Most sites offer the simple SMS code option, but go past that and look for authenticator app support. Setting up MFA usually involves scanning a QR code on the site with your phone’s authenticator app. Note that you can scan the code with more than one phone if you want a backup. You should also save the account recovery codes the site provides and store them somewhere safe, such as in a password manager. These codes work in place of an MFA code from your phone, which means they still let you log in to the site if your phone is lost, stolen, or busted.
How Authenticator Apps Work
Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, every time you want to log in to a site, you enter the code into the secured app or site’s login page, and voilà, you’re in. The time limit means that if a malefactor manages to get your one-time passcode, it won’t work for them after that 30 seconds.
The codes are generated by doing some math on a long secret key transmitted by that QR scan and the current time, using the time-based variant of the standard HMAC-Based One-Time Password (HOTP) algorithm, both standardized by the Internet Engineering Task Force (IETF). These apps don’t have any access to your accounts, and after the initial key transfer, they don’t communicate with the site; they simply and dumbly generate codes. You don’t even need phone service for them to work.
Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.
What to Look for in an Authenticator App
Something to look for when choosing one of these apps is whether it backs up the account info (encrypted, of course) in case you no longer have the phone you set everything up on. Authy, Duo Mobile, LastPass Authenticator, and Microsoft Authenticator offer this, while Google Authenticator does not.
In a security win for Google’s mobile OS, Android prevents anyone from taking screenshots while you have an authenticator app open, whereas iOS allows them.
For even more thorough security, you could implement MFA with a dedicated device, such as a YubiKey. These devices produce codes that are transmitted via NFC, Bluetooth, or when you plug them directly into a USB port. Unlike smartphones, they have the advantage of being single-purpose and security-hardened devices. Though unlikely, it’s possible that a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Security keys have no batteries, no moving parts, and are extremely durable—but they’re not as convenient to use as your phone.
Authy and Microsoft Authenticator also offer Apple Watch apps for even more convenience, something missing from Google Authenticator and LastPass. With about 100 million of these watchOS devices in use, it’s a convenience that quite a few folks can take advantage of.
In sum, you should use MFA for all your online accounts, and authenticator apps provide better security than SMS codes. Look through our summaries of the most popular authenticator apps below and start setting up your accounts with the one that appeals to you.
This simple but fully functional app, previously 2FAS, does everything you want in an authenticator. It lets you add online accounts either manually or with a QR code. Unlike Google Authenticator, it can create cloud backups of your registered accounts, either in iCloud for Apple devices or Google Drive for Androids, which is key for when you lose your phone or get a new one. The backup is encrypted and only accessible from the 2FA app.
Unlike Authy, 2FA doesn’t need to know your phone number or even require you to create an online account, so it’s not susceptible to SIM-swapping fraud. You can set a PIN to access the app, on iPhone it can use Face ID or Touch ID, and you can add it as a home-screen widget, but there’s no Apple Watch app. The company also offers a test page you can use to check any authenticator app.
Duo Mobile is geared toward corporate apps, especially now that it’s part of Cisco’s portfolio. The app offers enterprise features, such as multi-user deployment options and provisioning, and one-tap push authentication, in addition to one-time passcodes. A nice security touch is that you cannot screenshot the Duo interface on Android (but you can on iOS). You can back up Duo Mobile using Google Drive on Android and iCloud Keychain on iPhone.
Google’s authenticator app is basic and offers no extra frills. Unlike Microsoft Authenticator, the Google Authenticator app doesn’t add any special options for its own services. Google seems more interested in having you set up MFA by using built-in Android features rather than the Authenticator app. Using an Android phone for MFA with a Google account (rather than the Google Authenticator app) is more convenient, since it involves just tapping the phone rather than entering a six-digit code. Google Authenticator lacks online backup for your account codes, but you can import them from an old phone to a new one if you still have the former on hand. There’s also no Apple Watch app for Google Authenticator.
LastPass Authenticator is separate from the LastPass password manager app, though it offers some synergy with the password manager. Installing LastPass Authenticator is a snap, and if you already have a LastPass account with MFA enabled, you can easily authorize LastPass by tapping a push notification. Also, once the app is set up with your LastPass account, it’s easy to create a backup of your authenticator accounts in your LastPass vault, which alleviates some pain when you have to transfer your data to a new phone.
Microsoft Authenticator includes secure password generation and lets you log in to Microsoft accounts with a button press. The app also lets schools and workplaces that use it register users’ devices. Account recovery is an important feature that you should turn on if you use this app. That way, when you get a new phone, you’ll see an option to recover by signing in to your Microsoft account and providing additional verification.
One problem (and it’s an Apple lock-in issue) is that you can’t transfer your saved MFA accounts to an Android device if you’ve backed up to iCloud, since the iPhone version requires using iCloud. This is the case for most authenticators that offer cloud backup, unfortunately. Like 2FA Authenticator, Microsoft Authenticator offers another layer of security: You can require unlocking your phone with PIN or biometric verification in order to see the codes.
Password management options are in a separate tab along the bottom. You simply sync with the Microsoft account you associated with the authenticator, and after that, you’ll see the logins you’ve saved and synced from the Edge browser. In addition, Authenticator can operate as a password filler/saver utility on your phone.
One of Twilio Authy’s big advantages is encrypted cloud backup. However, it’s somewhat concerning that you can add the account to a new phone using “a PIN code sent via a call or an SMS,” according to Authy’s support pages. There’s also an option to enter a private password or passphrase which Authy uses to encrypt login info for your accounts to the cloud. The password is only known to you, so if you forget it, Authy won’t be able to recover the account. It also means that authorities cannot force Authy to unlock your accounts.
Unlike the other apps listed here, Authy requires your phone number when you first set it up. We’re not fans of this requirement, since we’d rather have the app consider our phones to be anonymous pieces of hardware; and some have suggested that requiring a phone number opens the app up to SIM-card-swap fraud. Authy’s Help Center offers a workaround, but we’d prefer it just worked more like other authenticator apps. At least there’s an Apple Watch app for those who want it.
More Ways to Beef Up Your Security