The Best Two-Factor Authentication App (2024)

The research

  • Why you should trust us
  • Who this is for
  • How two-factor authentication works
  • The risks of two-factor authentication
  • How we picked
  • How we tested
  • Our pick: Duo Mobile
  • Runner-up: Authy
  • Also great: Google Authenticator
  • How to set up and use a two-factor authentication app
  • The competition
  • Frequently asked questions
  • Sources

Why you should trust us

For the original version of this guide I spoke with David Temoshok, senior policy advisor at the National Institute of Standards and Technology (NIST); independent consultant Jim Fenton, who works with NIST and other organizations; Nabeel Saeed, senior product marketing manager for Twilio Account Security; and independent scientist Stuart Schechter, who has spent time researching types of authentication methods. In 2023, I spoke with Conor Gilsenan, a doctoral student at the University of California Berkeley and the primary author of the peer-reviewed paper, Security and Privacy Failures in Popular 2FA Apps.

Who this is for

For anything you do on the internet—whether that’s shopping, using social media, or online banking—you should use two-factor authentication to secure your most important accounts.

For most people, that means using one of the apps we recommend here. But if you need stronger security because you’re an activist, journalist, government official, or other public figure, you should consider a hardware security key instead.

How two-factor authentication works

Two-factor authentication adds a second layer of security to make it more difficult for someone other than you to get into your accounts. These two factors can include:

  • information you know (like a password or a PIN)
  • a physical device you own (like a phone or a hardware key)
  • biometrics (like a fingerprint or a face scan)

One common example of two-factor authentication is a debit card; you need to know a PIN and have the physical debit card to withdraw money. A two-factor authentication app is a similar idea, but instead of a physical card, the second element is your phone.

Here’s how it works: With two-factor authentication enabled on an online account, you log in as usual with your username and password. That’s factor one. Then, the site asks you for a security code. That’s factor two. This code may come in a text message, in an email, as a software token retrieved from a two-factor authentication app, or as a hardware token from a physical device. Text-message verification is better than nothing, but not recommended due to the ease of SIM swapping (when someone uses social engineering to get your phone number assigned to a new SIM so that they can intercept your SMS tokens). Email verification can be secure, but only if you have strong two-factor authentication on that email account.

With the two-factor authentication apps we’re talking about here, the login code is a “soft token,” a Time-Based One-Time Password (TOTP). The app generates these codes using an algorithm assigned to your device when you install the app, and each code lasts 30 or 60 seconds. This means only your physical device has the codes, which makes them more secure than text-message or email codes.

Some accounts may also support push notifications, where instead of asking you to manually type in a code, the site sends a notification to your phone to approve the login. Sometimes this step asks you to match a code between your phone and your computer, as you may have done with Bluetooth devices, while other times it shows an option to approve or deny the login. Push notifications are easier to use and more secure than TOTP, but aren’t available for many sites.

Manually entering a code every time you log in to a site is a little cumbersome, but within a couple of days, the process of opening an app to grab a code should be second nature. (And if you’re using a password manager as well, which you absolutely should, it’s less work overall, since you have to type only your authentication code while your password manager autofills the rest.) Plus, many sites, including Google or Facebook, only ask for the second factor when you sign in from new devices (or in a different browser), so you don’t have to do it every time.

Securing your online accounts with two-factor authentication is recommended by the National Institute of Standards and Technology (NIST) and many other security experts, and using an authentication app on your smartphone is the most accessible way to do so. You don’t need to enable two-factor authentication everywhere; David Temoshok, senior policy advisor at NIST, recommends using two-factor authentication for “anything that’s dealing with personal information, the collection of personal information, or the maintenance of personal information.” You should enable two-factor authentication on your password manager, email, any cloud backup services you use, banks, social media profiles, chat apps, and any app with your health and fitness data. To see what sites currently support two-factor authentication, visit the 2FA Directory.

The risks of two-factor authentication

Enabling two-factor authentication has some risks worth considering. If you lose your phone, you lose access to the two-factor authentication app. In order to recover your two-factor authentication app and get back into your accounts, you need access to the recovery codes most sites provide when you enable two-factor authentication, another device with the app installed where you’ve manually scanned all the same QR codes, or a web-based backup (something that most two-factor authentication apps provide but that most experts recommend against).

Two-factor authentication can protect against more-basic phishing attempts, such as when a fake login page tries to steal your password. But two-factor authentication isn’t perfect—no security tool is. It is still susceptible to advanced phishing attempts. Someone could email you a link to a fake Gmail login page saying your account needs an update, where you then log in with your username, password, and two-factor authentication token. Unlike a stolen password, two-factor authentication software tokens need to be grabbed in real time to be useful. Not much data is available about the specifics of phishing attempts like this, but the FBI’s Internet Crime Complaint Center received 25,344 reports of phishing in 2017. The FBI does warn people about the risks of SIM swapping and phishing tools, but two-factor authentication is still effective in protecting accounts. You should send reports of phishing attempts to the FTC, but since most people don’t, it’s hard to know how often such phishing happens.

How we picked

A two-factor authentication app doesn’t need to offer much to be good, but a poorly made one can be a serious pain to use—or even pose a security issue. Here’s what we found to be most important through our interviews with experts and our independent research:

  • Platform compatibility: A good two-factor authentication app should work on both Android and iOS. Availability on Windows and Mac is useful but isn’t a requirement.
  • Usability: An authenticator should make it easy to add new accounts, find existing accounts, and delete unneeded accounts. We also appreciate a search bar so you can find a specific app or website.
  • Reliability: Pretty much anyone with an app developer license can make an authentication app, so when it came to security, we looked for apps that are open source or run by well-known companies like Google, Twilio, Cisco, or Microsoft. Going with a reliable company helps guarantee continued support for new mobile operating systems and tech support if something goes wrong.
  • Optional backups: The security researchers we spoke with said they don’t recommend backing up or syncing a two-factor authentication account because then your tokens are on the company’s servers, which could be compromised. So we looked for authenticators that left this feature opt-in. But for most people, the potential security risk of backing up codes online is outweighed by the fear of being locked out of accounts for good, so for the apps that do offer backups, we looked for clear explanations of how the backups worked, where they’re stored, and how they’re encrypted.

With our criteria set, we tested Authy, Duo Mobile, Google Authenticator, LastPass Authenticator, Microsoft Authenticator, 2FAS, Aegis Authenticator, and Raivo OTP. We also tested 1Password’s and Bitwarden’s built-in authenticators, as well as the authenticator included for Apple devices on iCloud Keychain.

How we tested

After interviewing experts and picking the feature criteria, we read reviews of the apps on Google Play and Apple’s App Store, and we dug through each app developer’s website looking for details about the company’s security measures, support process, and app features.

We used each app to add new accounts, copy and paste codes, and test out features such as renaming accounts, changing icons, and performing push notification logins. If an app supported backups or multiple devices, we tried recovering accounts on new devices this way.

Our pick: Duo Mobile

Our pick

Duo Mobile

The best two-factor authentication app

Duo Mobile is free, available on both Android and iPhone, and easy to use, and its security features are better than those of other two-factor authentication apps.

Duo Mobile has the best combination of features, usability, and support of any two-factor authentication app we tested. It’s available on Android and iOS, it’s fast at setting up new accounts, and the design lets you easily find the two-factor code you’re looking for. Duo Mobile is supported by its parent company, Cisco, so the apps are consistently updated for new operating systems. Its backup system is optional, easy to turn on or off, and stored on your own Google Drive or iCloud account, which gives you some control over how it works but also limits you between operating systems.

Duo Mobile works with any site that uses TOTP and with any site that supports Google Authenticator; if a site doesn’t specifically mention support for Duo Mobile but does mention compatibility with Google Authenticator, Duo Mobile (or any other two-factor authentication app) still works.

Getting the hang of multi-factor authentication isn’t easy on any app, but we like Duo Mobile’s “Add account” screen. As with any other two-factor authentication app, you can use your camera to scan a QR code from this page. But it also includes a list of popular services that support two-factor authentication, which is a huge benefit for anyone setting up the app for the first time. For some reason, when you tap on a website from this list, you have to manually add a code instead of scanning the QR code. It’s still a useful starting point, but the on-ramp could be smoother.

Like most two-factor authentication apps, Duo Mobile has a simple interface. We like that its large website icons make it easy to find the code you’re looking for, though the more services you add, the more annoying it gets scrolling through a long list. Thankfully, the search box at the top of the app is helpful if you have more than 10 or so accounts. This is much nicer than Google Authenticator’s plain, icon-free design, and though Duo Mobile’s layout has some wasted space, it was still easier to quickly find an account than on Authy’s grid-based design with tiny icons.

Duo Mobile includes useful documentation and various guides if you have questions about how the app works, though we do wish they’d try harder with the app update descriptions instead of repeating the phrase, “This update introduces various behind-the-scenes improvements and minor bug fixes to enhance your authentication experience.”

If you lose your phone, you lose access to your authentication app. To solve this problem, most authentication apps offer cloud backups (even though some security experts tend to recommend against using this feature), and some makers of authentication apps are better than others about explaining how (or if) they encrypt these backups.

Backups make it possible to recover your tokens if you lose a phone or move to a new device. This way, you don’t have to manually scan new QR codes or enter recovery codes to get into your accounts. However, the security experts we spoke with recommended against using cloud backups for two-factor authentication tokens. David Temoshok, senior policy advisor at NIST, noted, “When you mix together different authentication factors, you get into problems. Something you know plus something else you know isn’t two-factor authentication.” Even though these backups are encrypted, someone could theoretically break that encryption or guess your password to get your tokens because they are uploaded online. Security experts suggest keeping the recovery codes that sites provide you after you enable two-factor authentication (they’re one or more long strings of letters and numbers) in a secure location where you can access them even if you lose your phone.

That’s easier said than done in practice, and many people, especially those who aren’t comfortable with tech, probably want to enable backups. The Duo Mobile backup is stored in either your Google Drive or iCloud, depending on which operating system you use. Like Authy, the password you choose to encrypt this backup is never sent to the company, which means nobody at Duo Mobile can help you recover the backup if you forget the password. Still, it’s very important that you use a strong, unique password for this backup. We like that Duo Mobile prevents you from using obvious passwords, such as “password,” which Authy allowed us to do.

The optional backup is handy and can easily be toggled on and off. This makes it possible to transfer tokens to a new phone even if you don’t want to keep backups enabled all the time. You can’t transfer the backup between operating systems. So, if you change from an iPhone to an Android phone, you have to start from scratch. Similarly, on an iPhone, the app backup only works on a new device when you restore that device from a previous operating system backup. This means if you set up a new phone as a new device, Duo’s backup cannot be loaded.

Duo Mobile is somewhere in the middle in the transparency department. Its guide to backups is linked inside the app, which we like, and though the prompt in the app has almost no details about its security, the landing page at least walks you through how the backup works. University of California Berkeley researchers found that the Duo Mobile app for Android uses a strong encryption algorithm, but when we emailed Duo Mobile to confirm, the company declined to answer. This is a detail that should be included somewhere in its public-facing documentation.

Flaws but not dealbreakers

As with just about every two-factor authentication app, Duo Mobile’s Apple App Store and Google Play reviews are often brought down by complaints of push notifications not working, IT mistakes, general hate for the very concept of two-factor authentication, and enrollment hiccups; although certainly valid, most of these complaints don’t apply if you’re only using the app for TOTP tokens.

Duo Mobile’s backup doesn’t always encrypt the name of the website and label, according to UC Berkeley researchers, so if someone had access to that backup, they could theoretically see which sites you’ve enabled two-factor authentication on, even without the backup password. But since the backup is never sent to Duo Mobile, the risk would be limited to someone with access to your phone, Google Drive, or iCloud, and even that would only give an attacker a list of websites, not the codes.

Duo Mobile declined to verify researchers’ findings about the type of encryption used for backups on Android and wouldn’t verify whether that same encryption was used on iPhones, claiming that, “While strong encryption is a critical part of Duo products, to protect their integrity, we are not able to answer all product specific questions.” Considering how well-vetted good encryption is, this response is out of step with the type of transparency we’d prefer to see. Many other apps, including Authy, describe exactly what types of encryption they use on backups.

Since Duo Mobile is designed for both businesses and regular people, some of its documentation is loaded with jargon. For example, understanding the details on the Duo Restore page is way too hard to figure out if you’re not an IT administrator.

Duo Mobile doesn’t let you lock the app behind your PIN or biometric ID such as a fingerprint or face scan. Google Authenticator, Microsoft Authenticator, and Authy all support this. But assuming you have those types of locks enabled for your lock screen (which you should) and you don’t leave your phone sitting around unlocked, this extra security step may not be necessary for most people.

If you don’t enable backups or push notifications, Duo Mobile repeatedly displays an obnoxious banner at the top of the app. Though we understand the need to remind people to enable features they may want, this gets annoying quickly.

Runner-up: Authy

Runner-up

Authy

Easy to use, but requires more personal information

Authy is free and available across tons of platforms, but it requires a phone number to set up an account.

Authy has a solid combination of features and support and is available on more platforms than Duo Mobile, including Windows, Mac, and Linux in addition to Android and iOS apps. Setting up new accounts is fast, and its simple grid-based design lets you find the code you’re looking for more quickly than Duo Mobile’s interface. Authy is supported by parent company Twilio, so the apps are always updated for new operating systems. Unlike Duo Mobile, Authy supports password and biometric locks, and Authy is the only app we tested with multi-device support and optional backups to ease account recovery, though that does come with caveats. Authy is also one of the only two-factor authentication apps that requires a phone number and email to use, which could open you up to certain security and privacy issues.

We like Authy’s grid-based design, which lets you quickly scan your tokens and find the one you’re looking for. But once you have a dozen accounts or so, it’s much easier to just use the search bar. For less-popular sites, the often-tiny icons can be nearly impossible to see unless you hold the phone right up to your face. Still, this arrangement is much nicer than Google Authenticator’s plain, icon-free design. This is a matter of preference, but we found Duo Mobile’s large icons and simple list easier to use than Authy’s. On Android, Authy has a list view, but the icons are still small and hard to see.

Like Duo Mobile, Authy’s authentication software is made for businesses, which helps bankroll the app.

As with Duo Mobile, Authy provides an option to back up your tokens online. These backups are encrypted on your device before they’re uploaded. Your password is never sent to Authy, which means that even if someone were to hack Authy, they still wouldn’t get your two-factor authentication tokens. We wish Authy enforced better password requirements; we were able to set our backup password to “password,” which would make it easy to guess if someone did get those backups. According to researchers, Authy also uses only 10,000 PBKDF2 (Password-Based Key Derivation Function 2) iterations, the minimum recommended by NIST. The higher the number of iterations, the longer it takes to compute the password hash, making it more secure. Authy told us over email in February 2023 that it’s actively working on increasing to 100,000 PBKDF2 iterations in the near future.
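What the iteration count buys, and what it does not, as an added example that is not Authy's or Duo Mobile's code: the cost of each password guess grows linearly with the PBKDF2 iteration count, but a password on an obvious-passwords list falls on the first few guesses at any count, which is why a setup-time check matters too. The SHA-256 hash choice, the salt, the denylist, the length rule, and all function names are assumptions; the page states only the iteration counts.

```python
import hashlib
import time

# Constructed denylist for illustration; a real one would be far longer.
OBVIOUS_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein123"}


def derive_backup_key(password: str, salt: bytes, iterations: int,
                      prf: str = "sha256", dklen: int = 32) -> bytes:
    """Stretch a backup password into an encryption key with PBKDF2-HMAC.

    The hash (SHA-256 by default) is an assumption of this example.
    """
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen)


def seconds_per_derivation(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation, i.e. of one password guess."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_backup_key("benchmark-password", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guessing_work(candidates: int, iterations: int) -> int:
    """HMAC-chain steps needed to try `candidates` passwords against one backup."""
    return candidates * iterations


def acceptable_backup_password(password: str, min_length: int = 8) -> bool:
    """Setup-time gate (hypothetical policy): refuse short or well-known passwords."""
    return len(password) >= min_length and password.lower() not in OBVIOUS_PASSWORDS


if __name__ == "__main__":
    low = seconds_per_derivation(10_000)
    high = seconds_per_derivation(100_000)
    print(f"10,000 iterations:  {low * 1000:.1f} ms per guess")
    print(f"100,000 iterations: {high * 1000:.1f} ms per guess ({high / low:.1f}x)")
    for candidate in ("password", "tangerine-orbit-lamp-47"):
        print(candidate, "->", "accepted" if acceptable_backup_password(candidate) else "refused")
```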

Similarly to Duo Mobile, Authy’s backups don’t encrypt some information that you might expect them to, sometimes including the name of the website and a username (you can edit these, but we suspect few people bother to do so). Security researchers at Mysk also found this same info was sent in analytics, which may be linked to your email address and phone number. Unlike Duo Mobile, which stores the backup on either iCloud or Google Drive, Authy stores the backup on its own servers, which theoretically gives the company access to those details. Authy recently updated its privacy notice to include more information about what the company can access and added in an email to us that, “Access to this information is limited to employees who either support Authy or have a valid need-to-know.” We appreciate the addition to the policy but think this information should be in the app, as well. Better yet, we’d prefer the company didn’t collect this data at all. Both Duo Mobile and Authy suggest that not encrypting the account names or sites can help with account recovery, but that claim rings hollow to us: Knowing which accounts have two-factor authentication enabled doesn’t ease the process of getting back into an account.

Though we don’t like that Authy requires a phone number and email address to use, it does make it more versatile than alternatives like Duo Mobile or Google Authenticator. Unlike most other two-factor authentication apps we tested, Authy’s backups are cross-platform. So, if you switch from iPhone to Android, you are able to load your backup easily. You can also install Authy on a secondary device, such as a computer or tablet, and use that device in tandem with backups to recover your account in case you lose your phone. Authy calls this feature “multi-device.” With backups and multi-device enabled, your tokens sync across all the devices Authy is installed on. This arrangement offers the benefit of making it easier to recover all your tokens if you lose your phone, but it also involves the trade-off of providing an additional way for someone else to get into your accounts—the more devices your tokens are on, the higher the risk of someone else getting into them.

All these details about backups are especially important because in August 2022, Authy’s parent company, Twilio, revealed that a phishing campaign got access to some customer data, including 93 Authy users. Attackers were able to access and generate two-factor authentication codes for these 93 users because they had “multi-device” enabled. The company now automatically disables multi-device after you add a new device, but this incident reveals how dangerous syncing two-factor authentication codes can be, even when it seems like all the protections are in place.

You can lock the Authy app behind a PIN or a biometric ID such as a fingerprint or face scan, a feature Duo Mobile lacks. If your phone is already locked this way (and it should be), this extra step isn’t necessary, but it’s a nice touch if you want to use a different PIN for added security.

Also great: Google Authenticator

Also great

Google Authenticator

For those who want to avoid cloud backups

Google Authenticator lacks a number of features, including online backups, but for some people that’s a feature in itself.

If you want nothing to do with cloud backups, device syncing, or colorful icons, consider Google Authenticator. It’s easy to use and has a built-in method to transfer your tokens to a new device without ever uploading that data to the cloud. But without a backup, you could find yourself locked out of accounts if you don’t take precautions.

Like the other apps in this guide, Google Authenticator is simple to use, and adding an account is as easy as scanning a QR code. The app lacks the colorful website icons of Duo Mobile and Authy, making it harder to scroll through, but it does have search functionality, a feature we’ve found ourselves resorting to as more websites support two-factor authentication. Since it’s developed by Google, the app tends to get updates when necessary, though it’s typically for compatibility with new operating systems or phones, not for new features.

Google Authenticator doesn’t support cloud backups at all, which is a dealbreaker for some people but a feature for others. If you don’t want any information potentially leaking from your authentication app—and you’re willing to accept the risks that come from not having backups—then Google Authenticator is your best option. Just be certain you’re saving the recovery codes when you enable two-factor authentication, because otherwise you may get locked out of your accounts if you lose access to your phone.

Although Google Authenticator doesn’t have an option for a cloud backup, backing up your TOTP tokens isn’t totally impossible. If you have two devices, you can follow the export process to manually back up your codes. This feature is designed for when you move to a new phone, but it works just as well for backups. The onus is always on you to remember to do this, though, and you need to own a second device to back up to (like a tablet or old phone). This can work across platforms, too, so if you have an Android phone and an iPad, you can still manually back up this way. This might seem like a lot of work, but unless you’re creating new accounts on new services all the time, it’s not something you’ll need to do very often.

By default, Google Authenticator doesn’t require a password or provide a warning when accounts are exported, so we recommend enabling the Privacy Screen feature in the settings to lock the app behind your face, fingerprint, or PIN. This way, nobody can access the app but you.

How to set up and use a two-factor authentication app

Once you’ve picked which app you want to use, it’s time to enable two-factor authentication for your most important accounts. Every website is a little different, but the 2FA Directory includes nearly every site that supports two-factor authentication as well as links to that site’s documentation for setting it up. As an example, here’s how it works on a Google account:

  1. Log in to your Google account (it’s much easier if you do this from a computer).
  2. Click the Security tab on the left side.
  3. Select 2-Step Verification.
  4. Reenter your password.
  5. Find the Authenticator app option and click Get Started.
  6. Google displays a QR code. Open the authentication app on your phone and find the button to add a new account.
  7. Use the camera on your phone to scan the QR code from Google. Tap Done on your phone.
  8. The account is now added to the app but it’s not enabled yet. Back on Google, click Next. Then, enter the six-digit code from your app. Click Verify.
  9. You will see a Backup codes option. This is how you can get back into your Google account if you lose your phone and access to your authentication app. Save these codes. Print them out and store them somewhere you’ll be able to access them if you lose your phone.

This process can take a while if you’re starting from scratch, but once you get your backlog in order, you won’t need to set up new accounts often. It’s critical that you save the backup codes each account provides, as that is the most secure way back into your account in case you lose your phone.

If you do not trust yourself to hang on to the backup codes a website provides, consider using the encrypted backup option in Duo Mobile or Authy. Many security experts tend to recommend against it, and using the feature means you’re trading security for the convenience of being able to get back into your accounts even if you lose the backup codes. If you go this route, you need to pick a strong password for the backup that you haven’t used anywhere else.

The competition

If you search for “authenticators” in the Google Play store or Apple App Store, you’ll see dozens of apps in the search results. Some of these apps are single-purpose authenticators, but others come from smaller teams—and some may be nefarious. The increased support from a larger company like Cisco, Google, or Twilio is a positive feature for most people. But others might find open-source options better suit their needs.

If you don’t want to use Google Authenticator but do want a solid offline option for Android, Aegis Authenticator is open source and supports local encryption. Like Google Authenticator, the app is one of few that also supports manual exports for backups, meaning you have more control over how that backup is stored.

Raivo OTP is also open source and has a similar feature set to Aegis Authenticator, but it’s for iPhones only. It includes optional online backups, local manual backups, and more. It’s not great for newcomers, though. When you set up an account it forces you to use a strong password, but it doesn’t tell you what the requirements are, so you’re stuck trying random combinations of letters, numbers, and characters until it works. Once you’re set up, it’s a smooth experience, but the onboarding ramp is steep.

2FAS has a sleek design, is easy to use, and comes with many of the same benefits as Authy and Duo Mobile, including backups. We didn’t like the fact that we were automatically opted into backups on the iPhone with no password required at all. On Android, you can enable backups to Google Drive without a password, and you aren’t allowed to set a password until after the backup is created. The company that makes 2FAS has little documentation and information about its security practices, including details about how the backups are encrypted. In 2022, the app was made open source and the company website seems to be constantly adding new information, so we may see more data in the future.

As for the rest of the apps we tested, each had a different set of issues that make them hard to recommend.

If you use a lot of Microsoft applications and services, Microsoft Authenticator is a useful tool that supports password-less logins (which are more secure) for Microsoft apps such as Office, OneDrive, and Outlook. It also supports TOTP codes. Microsoft includes a cloud backup option too, though enabling it requires a Microsoft account. Confusingly, iPhone backups are stored in iCloud, but the Android app stores the backup on Microsoft servers.

Most people don’t use Salesforce, but if you do, its two-factor authentication app provides the more-secure password-less login for Salesforce as well as TOTP codes for everything else.

The LastPass Authenticator is similar to Google Authenticator in that it doesn’t use icons, so finding codes is harder. It does at least support locking the app behind a PIN or a biometric login. LastPass limits the authenticator’s extra features—such as its optional encrypted backup and one-tap verification—to LastPass password-manager customers, so those features are useful only if that’s your password manager. LastPass has had a rough year in terms of security and disclosure, and although the security incident didn’t have anything to do with its authentication app, the company’s poor handling of the disclosure after an attacker gained access to encrypted customer vaults doesn’t give us any confidence in its other apps.

Our favorite password managers, 1Password and Bitwarden, both include a built-in authenticator, but all the security experts we spoke to were hesitant to recommend putting all your eggs into one basket in this fashion—on the off chance someone were to gain access to your 1Password or Bitwarden account, they’d have access not just to your passwords but also to your authenticator. If you don’t use two-factor authentication otherwise, these options are still better than nothing, but keep in mind that you’d still want another app (or security key) to protect your password manager account.

Likewise, Apple includes an authenticator built into the iCloud Keychain, but it only works if you also store your passwords there, and it can be hard to find the passcode if you’re trying to log in from a different browser that doesn’t support Keychain. But, if you’re hooked into Apple’s system already, it’s fast, relatively easy to use, and better than not using two-factor authentication at all.

Single-purpose authenticators can also be useful, and they’re often required by some services that don’t support third-party apps like Authy. Apps such as the Battle.net Authenticator, Xfinity, or Zoho’s OneAuth provide one-tap login approvals or their own code-generation systems. If a web service doesn’t support our picks, you should use that service’s application.

We also dismissed SAASPASS, SoundLogin, Authenticator Plus, FreeOTP, Sophos Authenticator, Hennge OTP Generator, and others for a lack of features or support.

This article was edited by Caitlin McGarry and Arthur Gies.

Frequently asked questions

How does two-factor authentication work?

With two-factor authentication enabled on an online account, you log in with your username and password. That’s factor one. Then, the site asks you for a security code. That’s factor two. Having two requirements, including one that’s limited to a device you own (your phone, in the case of an app), makes it difficult for someone other than you to potentially log into your accounts, even if they have your password.

What sites support two-factor authentication?

The most popular email services, cloud storage services, and social networks all support an app as a second factor of authentication. You can find a full list of nearly every website that supports two-factor authentication here.

What happens if I lose my authenticator app?

If you lose access to your authentication app and did not securely store a backup through the app, you will need to use the backup codes the website supplied when you registered the authentication app in the first place. Otherwise, if you backed up the codes, you can restore them and get right into using the app again.

Can I restore my two-factor authentication to a new phone?

Every two-factor authentication app handles this differently, but our pick supports syncing codes across devices to make it easy to move from one device to another. Others may have different methods, so always make certain your authentication app is working on a new device before wiping the old one.

Sources

  1. Stuart Schechter, independent scientist, email interview, August 13, 2019

  2. David Temoshok, senior policy advisor at the National Institute of Standards and Technology, phone interview, September 12, 2019

  3. Jim Fenton, independent consultant, phone interview, September 12, 2019

  4. Matt Elliott, Two-factor authentication: How and why to use it, CNET, March 28, 2017

  5. Nabeel Saeed, senior product marketing manager for Twilio Account Security, email interview, September 27, 2019

  6. Conor Gilsenan, doctoral student at University of California Berkeley, Zoom interview, February 7, 2023


FAQs

What is the best two-factor authentication?

The Best Two-Factor Authentication App

After a new round of testing, Duo Mobile remains our top pick, and Google Authenticator is an also-great option. Along with using a password manager, the most important thing you can do to secure your online accounts is to enable two-factor authentication (2FA) everywhere you can.

What is the strongest form of two-factor authenticator?

The most effective two-factor authentication (2FA) methods are app-based and hardware-based. App-Based (e.g., Google Authenticator, Authy): They're more secure than SMS-based 2FA since they're less vulnerable to SIM-swapping attacks.

What is the safest 2 step verification?

Hardware Tokens

Physical devices like USB keys or smart cards generate authentication codes. These tokens are considered highly secure as they are not vulnerable to phishing or hacking attacks.

Which app is used for 2 factor authentication?

The Microsoft Authenticator App provides two-factor authentication for Microsoft accounts and products, as well as other online accounts including Google and Dropbox. With this app you can sign in to any personal or work/school account securely, using face recognition, a fingerprint, or a PIN for enhanced security.

What is the strongest security authentication?

Most Secure: Hardware Keys

External hardware keys, like Yubikeys, are among the strongest authentication factors available. Also called FIDO keys, they generate a cryptographically secure MFA authentication code at the push of a button.

Which two step authentication method is the most secure?

Users need two-factor authentication for more reliable protection of their accounts: while each individual authentication method is vulnerable, two (or more) of them used together make account-takeover a lot more difficult.

What is better than two-factor authentication?

2FA is a better option if businesses want to ensure a frictionless and secure user journey and experience. However, MFA is a secure solution, and it can be implemented for a seamless user journey, but it should rely on the highest security standards and lowest friction methods possible.

What is a preferred authenticator app?

Authy is one of the few authentication apps offered across Windows, Mac, Android, and Apple devices, including the Apple Watch. This makes it an ideal solution for anyone who uses an interesting mix of devices (Windows PC, iPhone; Mac, Android) as part of their daily lives.

Which 2 are most often used for 2 factor authentication?

The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina. While 2FA does improve security, it is not foolproof.

Can hackers beat 2 step verification?

Can two-factor authentication be hacked? We now know how 2FA prevents hacking, but can hackers get past 2FA? The short answer: Yes, 2FA can be bypassed by hackers. But before we get into the potential weaknesses of 2FA, it's worth noting that even the biggest cybersecurity companies aren't immune to digital attacks.

Which method of two-factor authentication is least secure?

For a low-risk online activity, authentication by text or voice may be all you need. But for websites that store your personal information — like utility companies, banks, or email accounts — this level of 2FA may not be secure enough. In fact, SMS is considered to be the least secure way to authenticate users.

Why is 2FA no longer safe?

One of the main reasons why 2FA is no longer secure is that hackers have become increasingly sophisticated in their methods of attack. For example, phishing attacks have become more sophisticated, making it easier for hackers to obtain user credentials through deceptive email messages or fake login pages.

Which is the strongest 2FA method?

Security Keys

This is the most secure form of 2-step verification, and it protects against phishing threats. Depending on which security key you use, such as a hardware key, Titan, or your phone's built-in security key, you can set up your account so that devices detect the security key associated with it.

Is Duo Mobile better than Google Authenticator?

Cisco Duo rates 4.5/5 stars with 387 reviews. By contrast, Google Authenticator rates 4.6/5 stars with 460 reviews. Each product's score is calculated with real-time data from verified user reviews, to help you make the best choice between these two options, and decide which one is best for your business needs.

What is the official Google Authenticator app?

Google Authenticator adds an extra layer of security to your online accounts by adding a second step of verification when you sign in. This means that in addition to your password, you'll also need to enter a code that is generated by the Google Authenticator app on your phone.

What is the safest multi-factor authentication?

The most secure Multi-Factor Authentication method is a phishing-resistant type of MFA, which means that attackers cannot intercept or dupe users into providing account access. Phishing-resistant types of MFA include FIDO2 and WebAuthn standard, hardware-based security keys.

Which is better Google Authenticator or Duo?

Cisco Duo rates 4.5/5 stars with 386 reviews. By contrast, Google Authenticator rates 4.6/5 stars with 460 reviews. Each product's score is calculated with real-time data from verified user reviews, to help you make the best choice between these two options, and decide which one is best for your business needs.

Is 2FA or MFA more secure?

Technically, MFA is more secure than 2FA because you can use more than one additional authentication method aside from your username and password. Of the four different types of authentication factors, MFA also requires that each factor you use be a different type.

Article information

Author: Trent Wehner
