Two-factor authentication (2FA) is essential for securing your accounts these days. It is no longer enough to have a password. Between password leaks and weak and reused passwords, it’s too easy for hackers to figure out your secrets and break into your accounts. 2FA fills the security gaps—but not all 2FAs are created equal. For most people, authentication apps offer the best mix of convenience and security. But which one is best for you?
While any 2FA is better than no 2FA, using an authenticator app is more secure than SMS-based authentication. The premise is the same for all: when you try to log into an account, you will be asked to enter a code to prove your identity. SMS-based authentication sends the code via text message, while an authenticator app locks the code inside and changes it every 30 seconds. Criminals can hijack your phone number through SIM swapping or SMS forwarding and potentially steal your codes before they can reach you. However, with a dedicated app, the codes remain yours alone.
Should You Use a Password Manager’s 2FA Capabilities?
Some password managers have built-in authenticators. If the password manager you use has one (and you should use a password manager), you can always use it. However, some lock 2FA behind a paywall, so if you are using the free version of the service, you cannot save your codes there. Also, it can be helpful to have a separation of church and state, so to speak. Keeping your passwords separate from your authentication codes protects you if one of the vaults suffers a data breach.
There is one caveat in my opinion, which is why I recommend it to many people:
Apple’s built-in authenticator tool
If you have an iPhone, iPad, or Mac (or maybe all three), the easiest way to get into authenticators is to use Apple’s built-in tool. With iOS 15 and macOS Monterey, Apple added 2FA to iCloud Keychain, the company’s password manager.
Many of us, rooted in the Apple ecosystem, already store our passwords in iCloud Keychain. Therefore, setting up 2FA verification codes directly in this tool is a handy option to increase the security of our accounts. Codes are encrypted by your iCloud password and the service supports autofill on all Apple devices. This means you can autofill your password and then autofill your 2FA code when prompted to speed up logins.
Again, the safest solution is to use a separate app, but since iCloud Keychain is protected by both your iCloud password and its own 2FA, providing a free and convenient way to set up 2FA for your various accounts, I think that it is a great option for Apple users.
For Android users looking for the best authentication app on their platform, Aegis might be for you. It’s free, open source, and not tied to any proprietary system like Google. This means you are partially free to take your tokens and import them to another device.
Best of all, when you set up a password for Aegis, all of your codes are encrypted. It doesn’t matter who has access to your phone or the app: unless they know the Aegis password, they will never be able to access your codes. Although it doesn’t support native device sharing, you can back up your codes and transfer them as you please.
Aegis built its brand on simplicity. It’s not flashy, and it’s not feature-packed. It stores your tokens, encrypts them and allows you to transfer them to another device if needed. That’s all you need from an authenticator app, and that’s why Android users love Aegis.
Just like Aegis is the king of authenticators on Android, Raivo OTP could be the GOAT for Apple users. For anyone in the ecosystem looking to graduate from iCloud Keychain, Raivo’s open-source platform offers powerful authentication to protect your accounts.
Like Aegis, Raivo encrypts all codes stored in the app, keeping your accounts safe from prying eyes. You can either store and encrypt them directly through Raivo, in which case they will be locked behind your chosen Raivo password, or sync them through iCloud, in which case the codes will be encrypted behind your iCloud password.
Raivo syncs your codes across all your Apple devices. If you originally set up the account in the iOS Raivo app but are trying to sign in on your Mac, you can use the macOS app to do so. You can also create encrypted ZIP archives of your codes for easy local backup.
It even comes with fun features like a dark mode and custom icons for each account. After all, authentication doesn’t have to be so serious.
Google Authenticator, like most Google products, is the default authentication option on Android. However, it also has an iOS app, so you can use Google Authenticator regardless of the platform you’re working on.
The app doesn’t offer cloud backups, which poses a huge data risk in case something happens to the device you keep it on. It’s a common problem when switching smartphones (don’t get rid of your old phone until you’ve transferred your codes). As far as security goes, though, that’s a good thing. Storing your codes on one device and only one device means there is no risk of someone breaking into your cloud account and stealing them. As long as your smartphone is locked, your codes are safe.
Microsoft Authenticator is a convenient option for Microsoft users (obviously), but also for anyone with multiple types of accounts. You can store your personal codes in the app along with codes for work or school accounts, with proper protection for each. That makes it a popular option for organizations setting up 2FA among their members.
It supports autofill, so you don’t have to dive into the app itself every time you try to log in. Microsoft also offers account recovery by backing up the app to the cloud. Again, this isn’t the most secure way to store your 2FA codes, but it ensures you have a way to recover your accounts in case you lose access to the current device.
Authy is one of the OG authenticator apps that stands out as a more convenient version of Google Authenticator with support for cloud backups of your codes. It also supports syncing across multiple devices, so you don’t have to refer to one device when trying to log into another.