Picking a suitable 2FA app is more important than ever, but you should know that there are pitfalls if you pick the wrong one, such as losing all of your 2FA tokens and getting locked out of the accounts that you have enabled 2FA on.
2FA can also be referred to as MFA (Multi-factor Authentication).
My Recommendation
For those who do not have time to go through all of the apps to decide which is best for you, there is a clear winner, and it is the one I use.
2FAS
- It is not made by one of the main service providers such as Amazon, Google or Microsoft, so it will not have any weird integrations or actions you don't know about.
- You control your data.
- You can export and backup your 2FA tokens as an encrypted backup and store it in a place of your choosing.
- It can sync between devices allowing you to have your 2FA tokens on more than one device but with one single database.
- Well supported and updated often.
- Supported on Android, iOS and Browsers.
- It is free and licensed under the GPLv3.
- This is the only app I found that supports all of the following: cloud backup, sync across devices, import / export of a backup, and import from other apps.
- The website is very polished.
Because 2FAS depends on donations, after you have used it for a while and find it really useful (which you will), consider a small donation every year; even £5/$5 will help.
2FA Explained
Two-Factor Authentication (2FA), also called two-step verification, is a security process in which a user has to pass two different authentication methods to gain access to an account or a computer system. The first factor is something you know (username and password); the second factor is something unique that you have or are (a smartphone, a security token, a biometric) and that is used to approve authentication requests.
Important Information
Before we go any further and look at the Apps, it is helpful to point out some of the things I found out as they deserve a special mention:
- Some apps only store the 2FA tokens on a single device, and if you lose this device you will lose all of your 2FA information, locking you out of all of your 2FA-protected accounts. This means that app selection is very important.
- Don't store your 2FA tokens in your password manager, otherwise you are not really implementing 2FA. If someone gets access to your password manager account (Bitwarden/LastPass/1Password/....) they have both authentication factors.
- Don't use a company's own authenticator app for that company's services. This prevents unwanted integrations or actions these large companies can perform without telling you. Some examples are:
- Google Authenticator for Google services.
- Microsoft Authenticator for Microsoft services.
- You should not hand over any personal information like phone numbers. Authy asks for a mobile phone number; this can be used to retrieve your 2FA tokens if you lose access.
- Before enabling 2FA, make sure you have set up all of your recovery information on that account.
- When you enable 2FA on an account, you are sometimes given some emergency access codes; you should make a copy of these and put them somewhere safe. I am not sure if you should store these in your password manager, as this defeats the purpose of 2FA because both authentication credentials are in the same place. If it is an important account, you could print them off and put paper copies in your safe.
- Most apps require you to enable the cloud backup and sync options, as they are turned off by default for privacy. Turning these options on should be one of the first things you do; otherwise, if you lose your phone you will lose access to your 2FA-enabled accounts.
Notes
- General
- Recovering your account if you lose your 2FA credentials - GitHub Docs
- If you lose access to your two-factor authentication credentials, you can use your recovery codes, or another recovery option, to regain access to your account.
- This is a good example of being careful and backing your tokens up. For GitHub, I would probably print them off and put them in my safe.
- Basics of two-factor authentication with Bitwarden | Bitwarden Blog - Using two-factor authentication helps increase user security for websites and applications. The name refers to requiring users to utilize two separate methods of verifying their identity in order to access an account.
- Swap from one authenticator to another (Manually)
- A lot of apps do not have any automatic processes for this procedure, so you have to do it manually.
- Migrating From Authy to Bitwarden for 2FA Codes - I've used Authy for several years to generate my time-based one-time passwords (TOTP) for two-factor authentication (2FA). For various reasons, I recently migrated to using Bitwarden instead. This is my migration story.
- How Do I Switch From One 2FA Authentication App to Another?
- Log in to your service with your current 2FA app.
- Disable 2FA.
- Re-enable 2FA but using the new 2FA authenticator.
- The Protocols
- TOTP
- time-based one-time passwords
- Time-based one-time password - Wikipedia
- RFC 6238 - TOTP: Time-Based One-Time Password Algorithm - This document describes an extension of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm, as defined in RFC 4226, to support the time-based moving factor.
- TOTP is the replacement for HOTP.
- HOTP
- HMAC-based one-time passwords
- Counter Based
- HMAC-based one-time password - Wikipedia
- RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm - This document describes an algorithm to generate one-time password values, based on Hashed Message Authentication Code (HMAC). A security analysis of the algorithm is presented, and important parameters related to the secure deployment of the algorithm are discussed.
- U2F / FIDO U2F
- Fast Identity Online Universal Second Factor
- This uses a physical security key such as a YubiKey
- Universal 2nd Factor - Wikipedia
- WebAuthn
- Web Authentication
- WebAuthn - Wikipedia
- mOTP
- Steam
- Steam's own system?
- Yandex
- Yandex's own system?
- Protocol General Information
- HOTP vs TOTP: Differences and advantages - Arengu Blog - Learn the differences between HOTP (hash-based) and OTP (time-based) and see which one-time password suits your auth process better.
- 2FA with FIDO U2F / OTP / HOTP / TOTP - DEV Community - Two-factor authentication (2FA) is an authentication method where the user is granted access only.
- An In-depth Guide to FIDO Protocols: U2F, UAF, and WebAuthn (FIDO2) - FIDO consists of 3 protocols for strong web app authentication: Universal 2nd Factor (U2F), Universal Authentication Framework (UAF), and WebAuthn (FIDO 2).
- u2f - FIDO and FIDO2 differences - Information Security Stack Exchange - A concise description of the various protocols mentioned.
- HOTP vs TOTP - what are the differences? Which one is better? - YouTube | 2FAS - Ever wonder what TOTP and HOTP stand for? What is that? How does it work?
- OTP Tools
- Online Authenticator Checker | Verifyr
- Generate one-time passwords online for time-based (TOTP) and counter-based (HOTP) codes and passwords.
- This has advanced options.
- Check 2FA token | 2FAS
- Check that Your 2FAS Auth App Is working properly.
- Simple to use.
- QR Code Generator | FreeOTP
- Joomla
- New to Joomla 4.2, Multi-factor Authentication (MFA) - The Joomla Community Magazine - With 4.2, we now have a new way to authenticate our sites. Two-factor Authentication has grown outdated with many new authentication methods arriving, so along comes Multi-factor Authentication (MFA).
- Enable Joomla 2FA using Google Authenticator - TechLabs - How to enable Joomla Two-factor Authentication (2FA) using Google Authenticator. Enable the Joomla MFA Verification code system plugin, install the Google Authenticator app and register for MFA by scanning the QR code on your mobile phone.
- You do not need to use Google Authenticator. Most 2FA apps use the TOTP protocol, so although the settings may say `Google Authenticator`, most 2FA apps will work fine.
- Recover Joomla If You Lost Google Authenticator Device
- Did you lose Google Authenticator Device or uninstalled?
- This article outlines how to fix this issue, but it should only be done as a last resort when you lose your admin access.
- Two-factor-authentication-2fa-mfa-using-lastpass-authenticator - Joomla! Documentation - This will require the use of the miniOrange 2-Factor authentication (2FA/MFA) plugin.
A Table of 2FA Apps
This is my research into the various apps that I found on the internet.
| Name | Author | Free / Paid | License | Platform | Protocols Supported | Cloud Backup | Sync across Devices | Import / Export | Import from other apps | Pros / Cons |
|---|---|---|---|---|---|---|---|---|---|---|
| 2FAS | 2FAS | Free | GPLv3 | Android, iOS, Browsers | TOTP, HOTP | √ | √ | √ | √ | |
| Authy | Twilio | Free | Proprietary | Android, iOS, Windows, macOS, Linux | TOTP | √ | √ | × | × | |
| Aegis Authenticator | Beem Development | Free | GPLv3 | Android | TOTP, HOTP | √ | × | √ | √ | |
| FreeOTP Authenticator | RedHat | Free | Apache v2 | Android, iOS | TOTP, HOTP | √ | × | √ | × | |
| FreeOTP+ | Haowen Ning | Free | Apache v2 | Android | TOTP, HOTP | √ | × | √ | × | |
| Raivo OTP | Tijme Gommers | Free | Proprietary | iOS, macOS | TOTP, HOTP | √ | √ | √ | × | |
| Duo Mobile | Cisco | Free | Proprietary | Android | TOTP, HOTP | √ | √ | ? | ? | |
| Authenticator Pro | jamie-mh | Free | GPLv3 | Android | TOTP, HOTP, mOTP, Steam, Yandex | √ | × | √ | √ | |
| WinAuth | WinAuth | Free | GPLv3 | Windows | TOTP, HOTP | ? | ? | ? | ? | |
| andOTP | Jakob Nixdorf | Free | MIT | Android | TOTP, HOTP | √ | × | √ | × | |
| Authenticator Plus | Mufri | Paid (£2.49) | Proprietary | Android, iOS | ? | √ | √ | √ | × | |
| Microsoft Authenticator | Microsoft | Free | Proprietary | Android, iOS | TOTP, HOTP | √ | × | × | × | |
| Google Authenticator | Google | Free | Proprietary | Android, iOS | TOTP, HOTP | √ | × | × | × | |
| LastPass Authenticator | LastPass | Both | Proprietary | Android, iOS | TOTP, YubiKey | √ | ? | × | × | |
| Bitwarden Authenticator | Bitwarden | Paid | Proprietary | Android, iOS, Windows, macOS, Linux, Browsers | TOTP, WebAuthn, YubiKey | √ | √ | √ | × | |
| 1Password | 1Password | Paid | Proprietary | Android, iOS, Windows, macOS, Linux, Browsers | TOTP, WebAuthn | √ | √ | √ | × | |
| Blank (template row) | Company | Free, Paid, Both | GPLv3, MIT, Proprietary | Android, iOS, Windows, macOS, Linux, Browsers | TOTP, HOTP, mOTP, U2F, WebAuthn, YubiKey, Steam, Yandex | √ | √ | × | × | |
Notes
General
- The Best Authenticator Apps for 2023 - Mobile authenticator apps make logging in to online accounts and websites more secure with multi-factor authentication. These are the top MFA apps we've tested.
- The Best 2FA Apps 2023: Authy vs Google Authenticator & More - Using 2FA is the best way to maintain the security of your online accounts. Here are our top picks for the best 2FA apps and hardware.
- Android Keystore system | Android Developers - When an App says the tokens are stored in the Keystore this means it is stored on your Google Drive in a hidden folder that can only be accessed by the same app that created the folder.
2FAS
- Some or all of your tokens are not syncing.
- Cause: You added some tokens before you enabled `Google Drive sync`. This issue might only be present on fresh 2FAS installations where the Google user has never had this app on their account or devices before.
- Solution:
- On your primary device (the one you use the most or that has the most tokens on it), export a backup and store it safely.
- Turn off `Google Drive sync` on all of your devices.
- Wait 30 seconds.
- Turn on `Google Drive sync` on your primary device.
- Wait 30 seconds.
- Turn on `Google Drive sync` on all of your other devices.
- Done. Tokens should now be syncing properly.
Authy
- Welcome to Authy! – Authy
- Gives some basic information about Authy
- You must use a phone number to create an Authy account.
- Why Is The Authy 2FA App Free For Users? - Authy - Free 2FA? How does that work? Ever ask yourself “Why Is Authy free?” Find out How the Authy 2FA app is paid for, and why is there no charge to use it.
- Phone Number Change Process for Authy and How Long it Takes – Authy
- Export or Import Tokens in the Authy app – Authy
- In order to maintain security for our users, the Authy application does not allow importing or exporting 2FA account tokens.
- Users who want to import or export their tokens can follow this process, which is a workaround and will work for all 2FA Apps.
- Backups and Sync in Authy – Authy - Authy allows you to backup and sync your 2FA account tokens across multiple devices and device types - phones, tablets and computers. This guide explains how Authy Backups work, and how to enable or disable them.
- How Authy 2FA Backups Work - Authy - A few years ago Google Authenticator released an update for their iPhone App that wiped users 2FA tokens when installed. That prompted a lot of users to switch to Authy in order to take advantage of our backup feature. We occasionally get questions about this particular feature from both users and developers, so this post will explain how the backup feature works in order to assuage any security or privacy concerns.
- Migrating one-time passwords from Authy to Raivo OTP
- Authy doesn't allow you to migrate your one-time passwords to other OTP apps. However, the Authy Chrome extension allows everyone to extract the tokens by using the Chrome developer console.
- This method can be used to migrate to other Apps if needed. It is from 2019 so I do not know if it still works.
Microsoft Authenticator
- If you lose your authenticator app, you lose access to everything.
- Moving
- How to Move Microsoft Authenticator to a New Phone - Using an authenticator app for two-factor authentication (2FA) is more secure than SMS messages, but what if you switch phones? Here’s how to move your 2FA accounts if you use Microsoft Authenticator.
- Backup and Recover
- How it works: Backup and restore for Microsoft Authenticator - Microsoft Community Hub - A deep dive into the backup and restore mechanisms.
- Back up account credentials in Microsoft Authenticator - Microsoft Support
- Microsoft Authenticator backs up your account credentials and related app settings, such as the order of your accounts, to the cloud. You can then use the app to recover your information on a new device, potentially avoiding getting locked out or having to recreate accounts.
- You can back up multiple accounts, but only one of each type: for example, a Microsoft personal account, a work or school account, and a non-Microsoft account such as Amazon or Google.
- If you lose your 2FA tokens and have no recovery information set up on an account, you will get stuck in an authentication loop.
- How to recover Microsoft authenticator - Microsoft Q&A
- Q: Can I recover Microsoft authenticator accounts if they weren’t backed up to the cloud? Had an issue where my phone was broken and had to get a new phone. Lost all my authenticator accounts
- A: You can restore from backup (assuming there was one) but make sure no accounts have been added to the newly installed app. Then sign on with recovery account to do the restore.
- Authenticator Stuck in Loop
- You will probably need to contact Microsoft and/or perform a recovery on your account. This is definitely true for Microsoft Office.
- Some UK phone numbers (Office 365)
- 0800 032 6417
- 0203 450 6455
- Billing support hours (English): Monday through Friday, 9 AM-5 PM
- Technical support hours (English): 24 hours a day, 7 days a week
- Authenticator Stuck in Loop - Microsoft Q&A
- Q:
- My Authenticator recently stopped working properly. This happened after I switched to a new phone. iPhone 12 to iPhone 14. When I try to log into my work email, it says I need to use Authenticator to authenticate. When Authenticator pops up…it also asks me to authenticate via Authenticator.
- A:
- You can restore from backup (assuming there was one) but make sure no accounts have been added to the newly installed app. Then sign on with recovery account to do the restore.
- You can recover your account credentials from your cloud account, but you must first make sure that the account you're recovering doesn't exist in the Microsoft Authenticator app. For example, if you're recovering your personal Microsoft account, you must make sure you don't have a personal Microsoft account already set up in the authenticator app. This check is important so we can be sure we're not overwriting or erasing an existing account by mistake.
- Back up and recover account credentials in the Authenticator app - Microsoft Support
- Stuck in a Loop in Microsoft Authenticator - Microsoft Community
- Q:
- I recently headed into my outlook account security settings and was asked to verify myself with my Microsoft Authenticator app.
- I headed into the app and found that my account has been greyed out, and that I can't click on it.
- I then received a message saying "Unable to process notifications from your work or school account. If this account has been removed from the app, please also remove it from the MFA registration page. Otherwise, remove the account and re-add it".
- Since I can't click on the account, as it has been greyed out, I can't delete the account from the app.
- So I headed into my phone settings, deleted the cache and data of Microsoft Authenticator. Once I recovered my other accounts on Microsoft Authenticator, I tried to add my outlook account, but was asked to provide my Microsoft Authenticator code.
- I obviously don't have the code because the outlook account hasn't yet been added to Microsoft Authenticator, and so I'm stuck in a loop.
- Does anyone know how to fix this?
- A:
- Open a web browser and go to https://verify.live.com/
- Log in with your Outlook.com account and go through the verification process.
- Once done add your Outlook.com account again to Microsoft Authenticator app.
Google Authenticator
- How to transfer Google Authenticator to a new phone | TechRadar - A big problem for some.
- How to Backup Google Authenticator or Transfer It to a New Phone - How to backup Google Authenticator in case you lose the smartphone? How to transfer Google Authenticator to a new phone? Here are the detailed answers.
- How to retrieve your Google 2FA backup codes (and make more) | TechRepublic - Jack Wallen shows you how to retrieve your Google 2FA backup codes and how best to use them.
- If you didn’t print out those codes, upon setting up 2FA, the first thing you’ll need to do is retrieve them. To do that, you must log into your Google account, and then go to the Google 2FA site, where you’ll be prompted to log in once again. Upon successful authentication, you’ll see an entry for Backup codes.