The Best Authenticator Apps for 2024



Here at PCMag, we’ve been covering security software for more than 30 years. We encourage you to enable multi-factor authentication for online accounts, and luckily, using an authenticator app is extremely easy. It’s also more secure than one-time codes sent to you via SMS, which is seriously risky. Most people will use an authenticator app for a single purpose: generating one-time passcodes. It’s a capability offered by some password manager apps, such as Bitwarden and LastPass, but we recommend keeping access to your OTP codes separate from your passwords and other sensitive data. That way, if someone gains access to your password manager vault, they can’t get access to everything. Read on for the best authenticator apps we’ve tested, followed by how they work and how to choose the right app for you.

Deeper Dive: Our Top Tested Picks

Best for Privacy and Backups
2FAS

2FAS is a simple but fully functional app that does everything you want in an authenticator. It lets you add online accounts either manually or with a QR code. It can create cloud backups of your registered accounts either in iCloud for Apple devices or Google Drive for Androids, which is critical if you lose your phone or get a new one. The backup is encrypted and only accessible from the 2FAS app. 2FAS doesn’t need your phone number or even require you to create an online account, so it’s not susceptible to SIM-swapping fraud. You can set a PIN to access the app, and on the iPhone, you can use FaceID or TouchID. A home-screen widget keeps it ever at the ready.

Best for Android
Aegis Authenticator

Aegis Authenticator is a free and open-source option for Android users. You can get it from Google Play or the open-source F-Droid catalog. Authentication tokens are encrypted at rest, and accessing them requires a password or biometric unlocking. Aegis provides automatic encrypted backups to an online storage provider of your choice, as long as said provider supports the Storage Access Framework of Android (most major cloud storage services do). Aegis lets you import your accounts from an existing authenticator, and the app offers good organization tools, such as custom icons for accounts, custom login groups, and search.

Best for Workforces
Duo Mobile

Duo Mobile is geared toward business users, especially now that it’s part of Cisco’s portfolio, but you can use it for personal logins, too. Duo Mobile comes with enterprise features, such as multiuser deployment options and provisioning, one-tap push authentication, and one-time passcodes. It’s a simple authenticator app, and if you use it, you’ll appreciate the ability to back up your logins using Google Drive for Android and iCloud KeyChain on iPhone.

Best for Backup to Google Drive
Google Authenticator

Google has beefed up its Authenticator app, adding an all-important backup capability. To enable this backup, you sign in with a Google account, though you’re not required to sign in to an account, which is good. But it’s a double-edged sword: Although signing in backs up your logins, if that account gets hacked, so potentially do all your accounts protected by Google Authenticator.

When you use Google Authenticator to log in to your Google account, you enter the six-digit code shown in the authenticator app, just as you would to log in to any other service. The app also lets you import logins from an old phone to a new one if you have the former on hand. There’s no Apple Watch app or even an Android Wear app for Google Authenticator.

Best for Microsoft Accounts
Microsoft Authenticator

Along with delivering standard time-based one-time passcodes, Microsoft Authenticator includes optional secure password generation and lets you log in to Microsoft accounts with a button press or by tapping a two-digit number in a push notification. It’s available for both Android and iOS. The app enables schools and workplaces to register users’ devices. If you use this app, you can turn on account recovery. That way, when you get a new phone, you will see an option to recover by signing into your Microsoft account and providing more verifications. For added security, you can require that you unlock your phone with a PIN or biometric verification to see the codes. Password management options are in a separate tab at the bottom. If you sign in to the same account you do in the Edge browser, you see the logins you’ve saved and synced there.

Buying Guide: The Best Authenticator Apps for 2024
How Do Authenticator Apps Work?

Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, whenever you want to log in to a site, you open the app or website, enter your username and password, and then, when prompted, type the code you see in your authenticator app into the secured login page. That’s it. “Time-based” means the code is only valid for a short time, maybe 30 to 60 seconds, which makes it harder for anyone to steal your code and log into your accounts because they only have a short time to do so.

The codes are generated by doing some math on a long code transmitted by that QR scan and the current time, using a standard HMAC-based one-time password (HOTP) algorithm sanctioned by the Internet Engineering Task Force. Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.

How to Set Up an Authenticator App

To set up MFA by app instead of text message, go to your online account’s security settings and look for the multi-factor or two-factor authentication section. Nearly every financial site has it, and so do many other kinds of online accounts. Most sites list the simple SMS code option first, but go past that and look for authenticator app support. The most common way to set up MFA is to scan a QR code on the site with your phone’s authenticator app. Note that you can scan the code on multiple phones if you want a backup. Financial sites usually also give you account recovery codes as an additional backup—save them somewhere secure, like in your password manager. The codes work in place of an authenticator app, meaning if you lose or break your phone, you can enter one of these codes to get into your account.

What Should I Look for in an Authenticator App?

Data Collection Practices

Authenticator apps don’t have any access to your accounts. After the initial code transfer, they don’t communicate with the download site; they just generate codes. You don’t even need phone service or an internet connection for them to work, which is why we take particular umbrage with authenticator apps that engage in excessive data collection. To us, data collection veers into “excessive” territory when an app collects data from device categories that have nothing to do with the app’s primary function.

(Credit: Apple/Google/PCMag)

For example, as shown above, if you are using an Android or iOS device, Google Authenticator may collect data from your Contact List, your email address, and even your photos and videos. It’s a lot of data for an app with such a simple purpose.

Backups of Account Info

Something to look for when choosing an authenticator app is whether it backs up the account info (encrypted) in case you no longer have the same phone on which you originally set it up. All the apps included here do this.

No SMS Codes

One common MFA method is a time-based one-time passcode sent to you by text message, but it’s not as secure as either an authenticator app or a security key. Thanks to a vulnerability in SMS messaging, crooks can reroute text messages and intercept your codes. We recommend using authenticator apps that do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don’t.

What’s the Safest Third-Party Authenticator App?

The safety of these apps stems from the underlying principles and protocols rather than any implementation by the individual software makers. Aegis Authenticator and Microsoft Authenticator have slight security advantages in that they can be set up to require biometric logins to access the codes needed to unlock your online accounts.
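The shared standard described under "How Do Authenticator Apps Work?" can be shown end to end in a few lines. This is an added example, not code from PCMag or any of the apps reviewed: it parses a constructed otpauth:// provisioning URI (the kind of string a setup QR code encodes), derives the code per RFC 4226/RFC 6238, and checks a submitted code the way a login server would. The URI, account name and function names are assumptions made for illustration.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the secret is the RFC 6238 test key "12345678901234567890"
# in Base32, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Return (key bytes, digits, period, hash name) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)           # restore stripped Base32 padding
    return (base64.b32decode(secret), int(q.get("digits", 6)),
            int(q.get("period", 30)), q.get("algorithm", "SHA1").lower())

def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    off = mac[-1] & 0x0F                         # low nibble of last byte picks the offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now, digits=6, period=30, algo="sha1"):
    """RFC 6238: the HOTP counter is the number of `period`-second steps since epoch."""
    return hotp(key, int(now) // period, digits, algo)

def verify(key, submitted, now, window=1, digits=6, period=30, algo="sha1"):
    """Server side: tolerate `window` steps of clock drift; return the matched step or None.
    A server should store the returned step and reject any code at or below it (replay)."""
    step, matched = int(now) // period, None
    for s in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(key, s, digits, algo), submitted):  # constant-time compare
            matched = s
    return matched

if __name__ == "__main__":
    key, digits, period, algo = parse_otpauth(SAMPLE_URI)
    print(totp(key, 59, digits, period, algo))   # code for Unix time 59
```

Because both the app and the site compute the same function of the shared secret and the clock, no network connection is needed on the phone, and any app that implements the standard produces the same code.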


Is There Anything Safer Than an Authenticator App?

Using an authenticator app is one of the better types of MFA. It’s always better to use some kind of MFA than none at all, and authenticator apps are free, easy to use, and widely available. However, the top option for safety is a dedicated hardware key MFA device. Our Editors’ Choice is the Yubico Security Key C NFC.

(Credit: Kim Key)

MFA security keys produce codes that are transmitted via NFC or by plugging them into a USB port. Unlike smartphones, they are single-purpose and security-hardened devices. These devices can secure your Apple, Google, or Microsoft accounts.

Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Plus, if you lose your phone, all of your codes go with it. Security keys have neither batteries nor moving parts and are extremely durable—but they’re admittedly not as convenient as your phone.

Finally, remember never to install an unknown, unrecommended authenticator app, even if it looks good. Malicious impersonators have appeared on app stores. Stick with the best authenticator apps recommended here from well-known companies.
