Choosing the right 2FA app for you.
I used to have a single, simple, go-to answer for this question. Unfortunately, it’s become more complicated.
What’s best for you depends on what platforms you use, what mobile devices you have, and whether or not you’re already using a password manager.
Let’s look at the options.
Two-factor apps/authenticators
Two-factor authentication (2FA) significantly enhances account security. Google Authenticator works well on mobile devices. For desktop and cross-platform use, see if your password manager supports it natively. Authy is also an option but is now mobile-only. Regardless of what you choose, always use 2FA for better security.
Google Authenticator
To begin with, I’m assuming the authentication app being requested is what I often refer to as the “Google Authenticator compatible” authenticator. It generates time-based one-time passcodes (TOTP). These are six-digit numbers that change every 30 seconds. The sequence appears random, and while unpredictable to you and me, each code is computed from a secret shared between your authenticator and your online account, combined with the current time.
One recommendation, then, is to go to the source and use the Google Authenticator on your mobile device(s).
It’s available from both the Android and iPhone app stores. It’s been updated since I last used it: it now synchronizes your codes to your Google account, so the authenticator can be available on multiple devices and you can recover if you lose one.
However, this is a mobile-only application, so it doesn’t work on Windows or Mac computers.
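To make the “cryptographic relationship” concrete, here is an added example (my own code, not Ask Leo!’s) that does what a Google Authenticator compatible app does: it parses the otpauth URI behind a setup QR code (or the base32 text secret a site shows when you can’t scan), derives the six-digit code from the shared secret and the current 30-second time step with HMAC (RFC 6238), and shows how a server tolerates small clock skew by accepting one step either side. The secret and account name are the RFC 6238 reference values, constructed for illustration; only the Python standard library is used.

```python
"""TOTP (RFC 6238) generation and verification, standard library only.

Added illustration; the secret is the RFC 6238 reference secret
("12345678901234567890"), not a real account key.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC(secret, counter) + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based code: HOTP with counter = floor(unix_time / step). Defaults match Google Authenticator."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)


def decode_secret(text: str) -> bytes:
    """Decode the base32 text shown when you choose "I can't scan this code".
    Tolerates spaces, hyphens, lowercase and missing '=' padding."""
    s = text.replace(" ", "").replace("-", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI, which is what the setup QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": decode_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algo": ALGORITHMS[params.get("algorithm", "SHA1").upper()],
    }


def verify_totp(secret: bytes, code: str, for_time, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (clock-skew tolerance), comparing in constant time."""
    counter = int(for_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return True
    return False


# Constructed setup URI: RFC 6238 reference secret (base32 of "12345678901234567890").
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    code = totp(acct["secret"], digits=acct["digits"], step=acct["period"], algo=acct["algo"])
    print(acct["issuer"], acct["label"], code)
```

Two things the code makes visible: the only secret material is the base32 string, which is why being able to copy it out of an app (or keep the QR code) is what lets you move to another authenticator; and because the server compares against neighbouring time steps, a device clock that is off by more than a step or so produces codes the site will reject.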
Best for cross-platform: your password vault
This is my recommendation for most people. Check to see if your password vault includes TOTP/2FA code storage. If so, it can act as your authenticator.
I use 1Password, but other password vaults support this and more are adding the feature. Sometimes your password vault having your 2FA token means it can immediately fill in the requested number as you sign in.
In most cases, your password vault will work across all the platforms you care about. 1Password, for example, works on Mac, Windows, iOS, and Android.
Full disclosure: there are those who feel storing additional information such as two-factor codes and passkeys in your password vault represents a security risk: if your vault is ever compromised, all the information is there for the taking. My opinion is that this risk is exceptionally small and that the convenience of having this information there outweighs the risk significantly. The only two-factor code I have stored outside of my password vault is the two-factor code for the vault itself.[1]
Best for desktop-only
If you’re not willing to use a password manager for your two-factor codes, or you’re already using a password manager but it doesn’t support them, my recommendation for Windows, macOS, and Linux is a different password manager: KeePass.
Here’s the trick, though: you needn’t use it as a password manager if you don’t want to. You can use it only for the 2FA support.
(Several third-party mobile apps work with the KeePass database, but if you choose to trust one, be sure it supports 2FA.)
There are many alternatives
Whenever I post recommendations like this, I’m almost always faced with a slew of “What about X?” or “Why didn’t you mention Y?”
Alternativeto.net lists 39 alternatives for Google Authenticator. I’ve certainly not tried them all. Many I’ve never heard of before, so it wouldn’t make any sense for me to mention them.
That being said, check the comments; there will be good recommendations there as people point out everything I so egregiously missed.
My old recommendation
As I said, I used to have a simple go-to recommendation for two-factor authenticators, and that was Authy. Sadly they’ve discontinued support for their desktop (Windows/Mac) versions and are now a smartphone-only alternative. They’re a fine alternative for that, but at this point, I don’t see much to recommend them over Google Authenticator unless you’re in the camp that distrusts Google.
Do this
Use two-factor authentication. Regardless of what solution you choose, use it. It’s a significant security boost for your accounts.
Then, if you’re open to it, consider using your password vault to be your authenticator. It’s an app you (should) already have where you need it, and it’s one less app you need to install.
Footnotes & References
[1]: It’s a chicken-and-egg problem: if you need the code to open the vault, but the code is in the vault you need to open, you’re stuck. I keep Authy on my mobile devices for this purpose.
Gmail will no longer call me on my desktop. I've heard they're having money problems. Maybe they can't afford to call anymore. But I'm strictly desktop. As you mention, it's only for mobile. Since I'm the only one who uses this machine, 2FA isn't necessary. Every time I sign in now they make me use an 8-digit backup code, for which I have to create new codes every 10 days. How do us dinosaurs use 2FA?
I’d check the Chrome Web Store or Firefox Add-ons. Both list browser extensions that serve as authenticators.
When setting up an authenticator for a website, when shown the QR code, there’s usually an option that goes along the line of “I can’t scan this code” which then will present a text code that can be copied manually. Some extensions can scan the QR codes.
Even though you are the only one using your computer, the purpose of 2FA is to add additional protection to online accounts.
I use the Microsoft Authenticator app and the TOTP feature in Bitwarden. When adding accounts for two-factor authentication, rather than scanning the QR codes I copy the code appearing with the QR code to a text file and then manually enter that code into whichever authenticator app I’m using.
This method also allows me to keep track of all the websites I have 2FA setup and provides a backup in the event I need to reset an authenticator app, for example when getting a new phone.
I often screen-shot the QR code for backup.
One important thing people may not realize is how important it is to be able to copy your TOTP secrets. If you are not allowed to copy your TOTP secrets you risk being vendor locked to that software. I know Authy did not allow you to copy your TOTP secret out of the app. I believe they still do not. In order to get my TOTP secrets I had to install Authy in a rooted Android device and use Aegis with root permission to get data directly from its protected storage, something most people will not want to do. So better safe than sorry. And you certainly don’t want this secret to get in the hands of other people.
Side note: Make sure the system clock with correct timezone is set as accurately as possible as it matters for TOTP. I think your clock can be skewed at most by 30 seconds for most websites to accept it.
As for me I just use KeePassXC both as my password manager and the place I store TOTP. I then use MEGA cloud sync to make it available with other devices, but that’s not what most people feel comfortable doing.
For a few years I have used Dashlane, and I have been extremely pleased. Especially with their customer service: if I have a problem or question, I send an email, and they are on top of it immediately. Always there for me, and I’m an “oldie”. I have one password to sign in to Dashlane, and that’s all I need. I can set Dashlane to auto fill, or other settings I feel are secure. They keep it updated, and I can use it on my mobile/tablet/desktop; they all sync. Easy for this oldie not to have to keep tabs on all the passwords sites require nowadays! LOVE IT
At this time, for 2FA I use my mobile phone to receive a text code from the site I want to enter, such as my bank, with an option to receive a voice code on my land line. I have no sensitive apps on my phone. Yes, I am an ancient, but this works for me. However, when I am travelling (rare these days) I use an ancient eebook that can run Windows 10 for email and browsing. I am planning a foreign trip where I will not have my real mobile phone number (I’ll have a local SIM instead). What would be the best/simplest method to have 2FA available for my travel computer in the event I absolutely had to access a 2FA site?
I use Microsoft Authenticator for 2FA, installed on my smartphone. I don’t travel, but I always have my phone with me, so when I need to use a TOTP code, my phone’s always handy. YMMV.
Ernie
I travel often between the US and Europe. If a website’s 2FA only supports SMS text, I have no trouble getting my confirmation text because I use T-Mobile. AT&T, T-Mobile, Verizon, and their resellers all support GSM SIM cards. The others use CDMA which only works in the US.
I would stay away from using SMS as my 2FA method. GSM towers are not hard to spoof. Stick with a decent 2FA app. As a side comment, I would use a separate 2FA app to store the 2FA token for my password manager, which itself has built-in TOTP functionality; if I need to install my password manager again, I’ll be SOL if I keep my 2FA code in the password manager that actually stores all my passwords and codes. Just a simple point some may not be realizing. I prefer to use a product that supports biometrics, in addition to other access methods like PINs etc.
SMS is better than no 2FA at all. Sometimes it’s the only option, in which case absolutely you should use it.