The Best Two-Factor Authentication App (2024)

The research

  • Why you should trust us
  • Who this is for
  • How two-factor authentication works
  • How we picked
  • How we tested
  • Our pick: Duo Mobile
  • Also great: Google Authenticator
  • The risks of two-factor authentication
  • How to set up and use a two-factor authentication app
  • The competition
  • Frequently asked questions
  • Sources

Why you should trust us

Max Eddy is Wirecutter’s senior staff writer for security, privacy, and software platforms. He has covered security—including different forms of authentication—for 12 years. Additional reporting for this guide was contributed by Thorin Klosowski.

Who this is for

If you use a password to log in to an app or a website, you should add two-factor authentication (or 2FA) to protect your account. Using 2FA is one of the two things the Cybersecurity Infrastructure and Security Agency (CISA) recommends for individuals and families; the other is using a password manager to create unique and complex passwords for all of your online accounts.

2FA is widely available, and the easiest way to get started is to use one of the apps we recommend.

Advertisement

SKIP ADVERTISEMENT

How two-factor authentication works

Two-factor authentication is built on the idea that there are three ways to prove your identity online. You can authenticate yourself using:

  • something you know, such as a PIN or a password
  • something you have, like a smartphone or a security key
  • something physically unique to you, like a fingerprint or a face scan

When you log in with a username and a password, that’s one factor of authentication. Following years of data breaches and security failures, a password isn’t enough to protect your online accounts. When an account requires the use of a second factor (something you have or something you are) along with a password, that can thwart an attacker. This is because they’re unlikely to have access to your phone, security key, fingerprint, or face.

There are three primary means of providing two-factor authorization. One of the most common is by entering a code received via text message. This is “something you have,” since only you should be receiving texts sent to your phone number. However, attackers can use what’s called a SIM swap to intercept 2FA codes sent over SMS, and that’s why we recommend against using SMS-based 2FA, if possible. Any 2FA is better than no 2FA, so if you think 2FA over SMS is the only option that works for you, it’s fine to keep using it. Just be aware of the risks.

The most secure form of 2FA uses a hardware security key, which you plug into your computer or tap against your phone after you enter your password. They’re very secure and resistant to phishing attacks, but security keys are expensive and not widely supported.

Authenticator apps split the difference. Unlike security keys, authenticator apps are free, supported by many sites, and work with the smartphone you already have. Unlike SMS codes, authenticator apps work without a data connection, and they generate codes on your phone, so the codes can’t be intercepted.

These apps generate a code called a time-based one-time password, or TOTP. When you’re logging in, you typically enter your password and then enter the code when prompted by the site. These codes don’t last long—about 30 seconds—so it’s harder for someone else to use a code, even if they’re peeking over your shoulder to see your phone.

How we picked

We found these elements to be the most important differentiators for 2FA authenticator apps:

  • Platform compatibility: A good two-factor authentication app must work on both Android and iOS. Availability on Windows and Mac is useful, but it’s not a requirement.
  • Usability: An authenticator should make it easy to add new accounts, find existing accounts, and delete unneeded accounts.
  • Reliability: For security reasons, we recommend apps that are open source or made by well-known companies, like Google, Twilio, Cisco, or Microsoft. Going with a reliable company helps guarantee continued support for new mobile operating systems and tech support, if something goes wrong.
  • Encrypted optional backups: Losing all of your 2FA codes is a major inconvenience, and this could potentially lock you out of your accounts. The best 2FA apps have easy backup features that also encrypt your data end-to-end, to ensure no one else can use it. Backing up TOTP data carries some risk, so we prefer backup options that can be switched off.

Using this criteria, we tested 2FAS, Aegis Authenticator, Authy, Duo Mobile, FreeOTP, Google Authenticator, LastPass, Microsoft Authenticator, SaasPass, and Zoho OneAuth.

Advertisement

SKIP ADVERTISEMENT

How we tested

We used the iOS and Android versions of each app to add new accounts, copy and paste codes, and test out features, such as renaming accounts and changing icons. If an app supported backups or multiple devices, we tried recovering accounts on new devices.

We dug through each app developer’s website, looking for details about the company’s security measures, support process, and app features. In particular, we looked at how companies secure customer data and what (if any) data they gather. When necessary, we attempted to contact developers to better understand their apps.

The Best Two-Factor Authentication App (1)

Top pick

Duo Mobile

The best two-factor authentication app

Duo Mobile is easy to use and pleasant to look at, and it can securely back up your information.

Buying Options

Buy from Duo(free)

Duo Mobile is a straightforward 2FA authenticator app from Cisco, a major industry name. The app makes it easy to enroll sites with 2FA and to find those codes when you need to enter them. We especially like how it handles secure backups, and this is what sets it apart from the competition.

It has an easy-to-use interface that’s also easy on the eyes. You might not spend a lot of time in your 2FA authenticator app, but the time you do spend there shouldn’t be a headache. We like Duo Mobile’s spacious, uncluttered interface, which is punctuated with tasteful pops of color.

Each site you enroll with Duo Mobile appears as a card in the app, with the name of the site and (in some cases) a logo. Each entry is collapsed, and it reveals the code only when you tap on it. A decaying blue line and countdown provide a visual indication for how much longer the code is valid. If you want to move, rename, or delete an entry, just tap the three-button menu.

It’s easy to enroll new sites. Duo Mobile walks you through a quick tutorial the first time you add a new site. We especially liked that it explicitly instructs you to enter the generated code back into the site you’re enrolling—a step that’s easy to miss, especially if you’re new to 2FA authenticator apps.

The Best Two-Factor Authentication App (3)

The Add Account button is clearly marked in the app, and from there you can quickly scan a QR code to input a new site. You’re also presented with a lengthy list of sites that support 2FA, though this is less helpful than it sounds. Tap any one, and you have to manually enter an alphanumeric key to begin generating TOTP codes, instead of scanning a QR code. Duo Mobile could retool this list to be a more-accessible onramp.

It has optional, encrypted backups. With just a toggle and a password, Duo Mobile will back up all of your accounts protected with 2FA. So if you get a new phone, lose your old phone, or delete the Duo Mobile app, you can pick up right where you left off. And, unlike most other 2FA apps, Duo Mobile doesn’t ask you to provide any personal information or create an account to securely back up your accounts. Your backup is stored in your iCloud for iPhones and Google Drive for Android devices, so Duo Mobile never has access to your backup or the means to decrypt it. It also can’t restore your backup for you if you lose or forget your password, so be sure to write it down.

You’ll need to supply a strong password, and Duo Mobile will reject weak choices like “1234567890.” To secure this backup, we recommend using some of the techniques for creating a memorable master password for a password manager, and store that password someplace safe.

Although it’s exceptionally unlikely, an attacker could steal backups and potentially decrypt their contents. We think the benefits of Duo Mobile’s encrypted backups outweigh that small risk. But they’re optional, if you don’t feel the same.

We found that easy, encrypted backups were the defining feature between the best 2FA authenticators we reviewed. And we think Duo Mobile’s backup mechanism is the best, even if you can’t use the backup mechanism to move from an old iPhone to a new Android phone (or vice versa). We didn’t like that Authy required a phone number to back up its accounts, and we weren’t comfortable with how Google Authenticator didn’t encrypt its backups at all.

Flaws but not dealbreakers

Duo Mobile lacks customization options. There are no dark or light modes, and there’s no option to change the logos that Duo Mobile adds for some sites. Also, the search tool becomes available only after three sites are added to your list, which we found confusing.

Its website and customer support are designed for paying users. Duo Mobile’s emphasis on its paying enterprise customers leads to some confusing choices, both in the app and on the website. For example, although the Duo Mobile site offers a lot of useful documentation, you have to read it carefully to figure out what applies to enterprise customers and what’s useful for everyone else.

Duo Mobile is not as transparent about its practices as we’d like. When we asked to see any third-party audits, we were told that those audits were under non-disclosure agreements, and we were directed to a list of standards with which the company complies. We’d like the company to engage in audits that can be released publicly. Google Authenticator, for example, participates in the Mobile Application Security Assessment program, which involves a publicly released third-party audit of basic security practices (PDF).

While performing a review of several authenticator apps and their backup mechanisms, University of California Berkeley researchers found that Duo Mobile encrypted backup data using secure, modern methods. Duo Mobile confirmed to us that it uses Argon2, PBKDF2, and XSalsa20 stream cipher to encrypt backup data. We appreciate this candor, but the company should make this information available on its website.

You can’t easily move between Android and iPhone. Duo Mobile’s backups are restricted to the kind of device they’re created on. Google Authenticator included a convenient option to export authentication information between devices using a QR code, and it would be nice to see Duo Mobile do something similar.

You still can’t secure Duo Mobile with a PIN or biometric scan. Modern phones require that you provide some kind of lock on your device, but locking specific apps makes it much harder for a thief or a trusted individual to access your 2FA codes. Other authenticator apps have embraced this feature, and Duo Mobile should do the same.

Advertisement

SKIP ADVERTISEMENT

Also great: Google Authenticator

The Best Two-Factor Authentication App (4)

Also great

Google Authenticator

Easy to use, with a caveat

Google Authenticator is a streamlined, straightforward authentication app with a surprising number of useful features. But users should be aware of how it secures its backups.

Buying Options

Buy from Google(free)

Google Authenticator is ubiquitous and easy to use, and it includes some surprisingly helpful features. But because of how it handles backups, users have to make an uncomfortable choice.

It’s easy to use, even for beginners. We like that Google Authenticator includes a brief demonstration of the app and how to use it in the hidden overflow menu, so newcomers can reference it at any time. Adding new sites is also straightforward. Tap the plus button at the bottom of the screen, and then choose between manually entering a code or scanning a QR code. A search bar at the top makes short work of a long list. Tapping an entry copies the code, and tapping and holding lets you edit its information and position.

You can easily transfer your accounts, even offline. Google Authenticator includes integrated import and export features; it’s one of the very few 2FA authenticator apps we looked at that do. Select “Transfer accounts” from the hidden left-rail menu, choose between importing or exporting, select the accounts you want to transfer, and then scan the resulting QR code with Google Authenticator on another device. We like that the app verified our identity before allowing the transfer.

If you enable Google Authenticator’s backup feature, your data syncs between devices where you’ve installed Google Authenticator and are logged in with the same Google account. However, we’d prefer that Google made device syncing optional and not part of its backup system.

You can (sometimes) add more layers of security. Google Authenticator’s iOS version offers a Privacy Screen option, which locks the app and requires additional authentication to open it, even when your phone is unlocked. That’s great, but we were confused as to why the same feature wasn’t available on our Android device.

It doesn’t use end-to-end encryption for its backups. On its face, Google Authenticator’s backup and syncing mechanism sounds great. If you have a Google account—and you probably do—it takes seconds to enroll in its backup and syncing function, which works cross-platform by storing your backup with your Google account. But Google doesn’t use end-to-end encryption (E2EE) to secure your information. This was brought to light shortly after the backup feature launched, in 2023, and it was later confirmed by the company. We confirmed with security researchers Talal Haj Bakry and Tommy Mysk that, as of March 2024, Google Authenticator still does not use E2EE to secure backups.

This does not mean that your data is unsecured. Google tells us that data is encrypted in transit and at rest—and never stored in plaintext. But Google also manages the encryption key for that data. If Google used E2EE instead, you—and only you—could decrypt your data.

Google says that using E2EE could lead to situations where users cannot retrieve their backup data, for instance, if they lose the password used to secure the backup. Though that is a risk, we believe that not using E2EE poses other risks. If an attacker gained access to your Google account, they’d likely be able to sync their own device and duplicate your 2FA codes. If an attacker stole the backup from Google’s systems, they’d still need to also steal the keys to decrypt it. We’re not clear on what would happen if law enforcement were to subpoena Google for the backup information. We asked Google to walk us through these scenarios but did not hear back. Google confirmed to us that it has plans to add E2EE to Google Authenticator “down the line,” and it referred us to its documentation on how it encrypts customer data.

We prefer Duo Mobile’s approach to securing backups because the company can’t decrypt your data at all, but we cannot deny the convenience that Google Authenticator offers. If the choice is between using Google Authenticator and not using 2FA at all, use Google Authenticator, but you should understand the risks. You can use Google Authenticator without enabling its backup feature—just don’t log in with your Google account.

The risks of two-factor authentication

2FA can help prevent attackers from getting into your accounts, but what if your phone breaks or some other disaster prevents you from using your second factor? If that happens, you could also be locked out of your account.

Most sites address this problem with backup codes. These are special codes that let you log in even when you can’t use your second factor. Typically the site generates these for you, and you write them down in a secure location for use only in emergencies.

Many sites also allow multiple forms of 2FA, which provide backup options. For example, you can enable SMS codes and 2FA apps for a single account. Experts we spoke with said this is a fine strategy, but enabling a backup 2FA method that can be phished carries some risks.

Although authenticator apps are more secure than 2FA over SMS, they can also be phished. A savvy attacker could build a convincing phishing site complete with spots for your password and the code from your 2FA app. If an attacker got both of these and was able to use them before the code expired, they would be able to take over your account.

We recommend that readers always double-check that the site URL is correct before they log in. Using a password manager can help steer you away from phishing sites since they also store the URL of the site along with the password. If your password manager doesn’t recognize the site, proceed with caution.

Some password managers can now generate TOTP codes just like an authenticator app. It’s undeniably convenient to have your passwords and 2FA codes in one place, but we think it defeats the purpose of 2FA. If an attacker can break into your password manager and can get both your passwords and your 2FA codes, you’re in serious trouble. Again, if it’s a choice between storing your TOTP codes in a password manager and not using 2FA at all, go ahead—just be aware of the risks.

Advertisement

SKIP ADVERTISEMENT

How to set up and use a two-factor authentication app

Once you’ve picked which 2FA app you want to use, it’s time to enable two-factor authentication for your accounts. Every website is a little different, but the best place to start looking is in the account settings for each site or service. If you’re not sure whether a site supports 2FA, 2FA Directory is a good place to start. And it often includes links to each site’s documentation for setting up two-factor authentication. For example, here’s how it works on a Google account:

  1. Install an authenticator app on your phone.
  2. Log in to your Google account (it’s much easier if you do this from a computer).
  3. Click the Security tab on the left side.
  4. You’ll see several 2FA options under the section “How you sign in to Google”; for now click 2-Step Verification.
  5. Re-enter your password.
  6. Find and click the Authenticator option, and then click Set up authenticator.
  7. Google will display a QR code. Open your authentication app, and find the button to add a new account.
  8. Use the camera option within the authentication app on your phone to scan the QR code from Google, and confirm on your phone.
  9. Your Google account should now be added to your authentication app, but it’s not enabled yet. Back in your Google account settings, click Next. Then enter the six-digit code from your app, and click Verify.
  10. Click the back arrow to return to Google 2FA settings. You will see a Backup codes option. These are the codes that will allow you to get back into your Google account if you lose access to your authentication app. Save these codes somewhere safe by writing them down or printing them out.

That’s it. But now you have to repeat this process for every site and service you use. That’s a lot to tackle all at once. Instead, you can do a few at a time, or make it a point to enable 2FA whenever you need to log in to a site. And if you’re still not using a password manager, this is a great opportunity to start.

We think everyone should set up backup codes, to keep from being locked out of their accounts if they lose their second factor. But these aren’t the only options. Google, for example, supports several different 2FA options, and you can mix and match. Just remember that many 2FA systems—including backup codes—are targets for phishing. Always make sure you’re at a legitimate site before entering 2FA codes, and be wary of urgent-sounding emails that link you directly to logins or password-changing options. Type in the URL yourself, so you know you’re going to the real site and not a phishing scam made to look like the real thing.

Most 2FA authenticator apps offer backups of some kind, but these present their own risks. A skilled attacker could potentially steal a backup and access its contents if it’s poorly secured. That said, we think losing a phone is a greater risk that backups address well. If you decide to use a 2FA app backup, we recommend using one that will encrypt your data, and choose a unique, complex password to secure it.

The competition

We looked at 56 2FA apps, and we eliminated most because they lacked critical features. We ended up testing 10 authenticator apps.

We looked at so many 2FA apps because app stores are awash in them. Some of these are actually good products from small developers, but we were concerned to see dozens of highly suspicious 2FA apps on both the iPhone and Android app stores.

Although we can’t say whether those suspicious-seeming apps are actually malicious, many had virtually no public information about the app or its developer, and several had names that were similar to those of popular apps. We also saw several with ludicrous fees, some of them even charging users to generate codes for specific sites. When you search for a 2FA app, make sure that you download the correct one. If you decide to do your own research, we strongly suggest that you avoid any 2FA app with in-app purchases in its app store listing.

Authy, like Duo Mobile, is a corporate app that offers a free and very capable 2FA app for consumers. We found it easy to use, but we didn’t care for its design—especially on Android. It has a cross-platform backup option and the ability to sync codes between devices. But the former requires your phone number, and Authy developer Twilio even recommends disabling code syncing because an attacker could potentially use it to clone your codes. Recently, Twilio announced that it was ending support for its desktop apps. Authy was previously our runner-up pick, but it doesn’t meet our refined criteria.

The makers of our favorite free password manager, Bitwarden, released a new 2FA app in 2024, and you can use it without a Bitwarden account. We don’t recommend that people store their 2FA codes in a password manager, so we appreciate that Bitwarden introduced a separate app. The app has a clean design and we found it easy to use, but it doesn’t let you set a password to secure your backups the way Duo does, so it didn’t rise to the level of pick.

Aegis Authenticator is a simple, straightforward 2FA app that’s highly customizable. We liked that it was available on the F-Droid alternative Android app store. But we found its backup process to be opaque, and it offered little support for new users. It’s also Android-only.

2FAS is one of the best-looking apps we tested, and we especially liked how clear its onboarding process was. It also offers backups, and it can sync codes between your phone and a browser extension. The app is open-source, and its website lists all of the primary developers. However, we couldn’t discern 2FAS’s business model, and we couldn’t find information about how the app secured user information. The app’s developers insist that all communications be handled over Discord, but we did not receive a response to questions submitted to 2FAS developers there.

Microsoft Authenticator is from a trusted name, includes backups if you log in with your Microsoft account (although you can use it without an account), and offers clear and friendly instructions to new users. But like most corporate 2FA apps, it’s a little too focused on securing Microsoft accounts. And although the ability to store passwords might be a nice bonus, we prefer 2FA apps that are separate from password managers.

Like Microsoft Authenticator, Zoho OneAuth primarily provides 2FA protection for Zoho users, but it can also store log-in codes for other websites. And also like Microsoft Authenticator, it’s well made and easy to use. However, we didn’t find the app’s additional features compelling.

SaasPass has numerous features, but we weren’t impressed with any of them. The onboarding was confusing, the interface was utterly overwhelming, and we weren’t able to figure out how to do basic tasks like delete a site we added.

LastPass is well designed, and it provided one of the best onboarding experiences we saw. However, it required that we create a LastPass account and also install the LastPass app in order to use its backup feature. We found the experience tedious and cumbersome, and we’re still wary of the company after several recent security issues.

Some password managers also store TOTP information and generate 2FA codes. This is convenient, but security experts we’ve spoken with cautioned against this practice—in the unlikely event an attacker breaks into your password manager, they would have access both to your passwords and to your 2FA codes. If using a password manager for 2FA is the only way two-factor can work for you, be aware of the risks, and make sure you use a strong password and enable 2FA for your password manager.

Apple’s iCloud Keychain password manager can also store TOTP codes. We found that Keychain did a good job of capturing TOTP information and automatically inputting 2FA codes, but that close integration with the OS also means the process is partly hidden from the user. We prefer the straightforward approach of having a dedicated authenticator app, and we also found it easier to access the codes for use on other devices. If using Keychain for your passwords and 2FA is the best choice for you, be aware of the risks of using one system to store both of these factors (and lock down your Apple ID accordingly). Apple has announced that its new operating systems will include a standalone password manager app built on Keychain that will include TOTP codes. We’re looking forward to seeing how it compares once it’s released.

Some sites, including Steam and Battle.net, require that you use their special apps for 2FA. And some larger companies, like Microsoft, offer their own branded 2FA apps that can also generate code for other sites. If you’re already hooked into these ecosystems, these may be fine options. However, if your employer requires you to use a specific authenticator app that also lets you add your own sites, make sure you’ll be able to access those other sites if you change jobs.

We also dismissed other 2FA apps, including TOTP Authentication, 2Stable Authenticator App, Authenticator Pro, Binaryboot TOTP Authenticator, Dashlane Authenticator, ID.me Authenticator, Okta Verify, Raivo OTP, Salesforce 2FA App, Synology Secure SignIn, Thomson Reuters Authenticator, and others for a lack of features or support.

This article was edited by Arthur Gies and Caitlin McGarry.

Advertisement

SKIP ADVERTISEMENT

Frequently asked questions

Which sites support two-factor authentication?

The most popular email services, cloud-storage services, and social networks all support an app as a second factor of authentication. You can find a list of many websites that support two-factor authentication here. Major platforms also support 2FA, including Apple, Google, and Microsoft.

What happens if I lose my authenticator app?

If you lose your phone or delete your authenticator app, you won’t be able to log in to the sites where you’ve enabled 2FA. If you’re backing up your authenticator app data, you can attempt to recover it. If not, to log in you’ll have to use a backup code or an alternate form of 2FA, if you set one up.

Can I restore my two-factor authentication to a new phone?

It depends on the app. Duo Mobile’s backups don’t work cross-platform, but backups from Google Authenticator and Authy can be used to move between Android and iPhones. If your authenticator app doesn’t have any backup or syncing features, you can make the change manually: Visit each site that you have a 2FA code for, log in using your old phone, deactivate 2FA, and then re-enable 2FA using an authenticator app on your new phone. It’s tedious, but it does work.

What about passkeys?

Passkeys are a new technology intended to do away with passwords while also including 2FA. That’s a tall order, but with backing from Apple, Google, and Microsoft, it seems possible. Passkeys are still very new, so even if you want to try them out, you’ll still need 2FA apps for all of the sites that don’t yet support passkeys.

Sources

  1. Conor Gilsenan, doctoral student at the University of California Berkeley and co-author of a paper on 2FA app security, video interview, February 2024

  2. Bob Lord, senior technical advisor at the Cybersecurity and Infrastructure Security Agency (CISA), video interview, October 2023

  3. Derek Hanson, vice president of solutions architecture and alliances at Yubico, video interview, January 2024

The Best Two-Factor Authentication App (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Sen. Emmett Berge

Last Updated:

Views: 5545

Rating: 5 / 5 (80 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Sen. Emmett Berge

Birthday: 1993-06-17

Address: 787 Elvis Divide, Port Brice, OH 24507-6802

Phone: +9779049645255

Job: Senior Healthcare Specialist

Hobby: Cycling, Model building, Kitesurfing, Origami, Lapidary, Dance, Basketball

Introduction: My name is Sen. Emmett Berge, I am a funny, vast, charming, courageous, enthusiastic, jolly, famous person who loves writing and wants to share my knowledge and understanding with you.