Leaks and hacks from recent years make it clear that passwords alone don't provide enough security to protect your online bank accounts, social media logins, or even accounts for websites where you shop. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. The security coverage team at PCMag frequently exhorts readers to use MFA, and using an authenticator app is one of the easiest and most secure ways to do it.
Using an authenticator app, such as Google Authenticator or Microsoft Authenticator, is a more secure form of MFA than one-time codes sent to you via SMS. We recommend enabling MFA to protect yourself from the consequences of a data breach, and it's among the steps you should take if you discover your information has already been involved in a breach. The best authenticator apps also help protect you against stealthy attacks like stalkerware.
Our summaries of the best authenticator apps, listed alphabetically, will help you decide which one to use so you can start setting up your accounts to be more secure. If you're looking for the best free authenticator app, you're in luck, because they're all free! Below our recommendations, you find more information on just how these apps work to keep you safe, as well as criteria you should consider when choosing one.
What Is Multi-Factor Authentication?
As the name implies, MFA means you use more than one type of authentication to unlock an online account or app. Usually, the first factor is your password. MFA means you add another factor in addition to that password. Experts classify authentication factors into three groups:
Something you know (a password, for example).
Something you have (a physical object).
Something you are (a fingerprint or other biometric trait).
When you use an authenticator app, you bolster the password you know with your token, smartphone, or smartwatch.
What Is Two-Factor Authentication?What's the Best Kind of Multi-Factor Authentication?
Using an authenticator app is one of the better types of MFA. The top option for safety, however, is to use a dedicated key-type MFA device (our favorite at the moment is the YubiKey 5C NFC). These keys produce codes that are transmitted via NFC or by plugging them into a USB port. Unlike smartphones, they have the advantage of being single-purpose and security-hardened devices. Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Security keys have neither batteries nor moving parts and are extremely durable—but they’re not as convenient to use as your phone. You can use these devices to secure your Apple, Google. or Microsoft accounts.
There's another common method of MFA that's not as good: authentication code by text message. Yes, your bank might send you a text message with a code that you enter into the site to gain access, and that is a type of MFA. But getting codes by phone turns out not to be especially secure. A vulnerability in SMS messaging is that crooks can reroute text messages. An authenticator app on your smartphone generates codes that never travel through the mobile network, so there's less potential for exposure and compromise. Plus, if your text messages are visible on your lock screen, anyone with your phone can get the code.
How to Set Up an Authenticator App With Your Online Accounts
To set up MFA by app instead of text message, go to your banking site's security settings and look for the multi-factor or two-factor authentication section. Nearly every financial site offers it. Most sites list the simple SMS code option first, but you should go past that and look for authenticator app support.
The most common way to set up MFA involves scanning a QR code on the site with your phone's authenticator app. Note that you can scan the code to more than one phone if you want a backup. Financial sites usually provide account recovery codes as an additional backup. These consist of long strings of letters and numbers. Save those account recovery codes somewhere safe, such as in a password manager. The codes work in place of an MFA code on your phone, which means they let you still log in to the site if your phone is lost, stolen, or busted.
How Do Authenticator Apps Work?
Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, every time you want to log in to a site, you open the app and copy the code into the secured login page. That done, you’re in. The time limit means that if a malefactor manages to get your one-time passcode, it won’t work for them after that first 30 seconds.
The codes are generated by doing some math on a long code transmitted by that QR scan and the current time, using a standard HMAC-based one-time password (HOTP) algorithm, which is sanctioned by the Internet Engineering Task Force. Authenticator apps don’t have any access to your accounts. After the initial code transfer, they don’t communicate with the download site; they simply and dumbly generate codes. You don’t even need phone service for them to work.
Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.
What Should I Look for in an Authenticator App?
Backups of Account Info
Something to look for when choosing an authenticator app is whether it backs up the account info (encrypted) in case you no longer have the same phone on which you originally set it up. All of the apps included here now have this capability, with Google Authenticator being a recent latecomer to the party.
No SMS Codes
As mentioned, we prefer that authenticator apps do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don't. Authy is the only app on this list that does it, but as mentioned, there's a workaround.
What's the Safest Third-Party Authenticator App?
The safety of these apps stems from the underlying principles and protocols rather than any implementation by the individual software makers. That said, all those listed here are extremely safe, with a minor point off for Twilio Authy; as mentioned above, it's the only one that requires your phone number and the only one that can be set up using SMS verification. Note that we've removed LastPass Authenticator from this roundup, as its online backup was compromised in last year's LastPass breach.
Aegis Authenticator and Microsoft Authenticator have slight security advantages in that they can be set up to require you to use biometric logins to get to the codes you need to unlock your online accounts.
Hardware security keys, like those made by YubiKey, are the safest option of all. But they lose points for their lack of convenience. Most people always have their phones handy, and losing or having a security key stolen could be a big headache.
A final note: Be sure not to install an unknown, unrecommended authenticator app, even if it looks good. Malicious impersonators have shown up on app stores. Stick with the best authenticator apps recommended here from well-known companies.
