Protect yourself: How to choose the right two-factor authenticator app
The single most important security precaution you can take with high-value online accounts is to enable a mobile device as a secondary identity factor. Which authenticator app should you choose? The correct answer might involve multiple apps.
Adding multi-factor authentication (often called two-factor authentication, or 2FA) to high-value online accounts is one of the most important security precautions you can take. It takes just a few minutes to set up, and the result is a layer of protection that will prevent intruders from intercepting your email, stealing funds from your bank account, or hijacking your social media.
In this post, I describe the most basic form of 2FA, which uses an authenticator app installed on a mobile phone to provide a secondary form of proof of identity when necessary. In that case, the two factors are the classic "something you know" (your sign-in credentials) and "something you have" (the mobile device that you've configured with a shared secret). The combination of those two factors sets the proof-of-identity bar high enough that your average thief won't be able to get over it.
When you use your credentials to sign in on an untrusted device, the service demands that you enter a Time-based One-time Password Algorithm (TOTP) code generated by that app or respond to a notification on the device. After passing that challenge, you can typically designate a personal device as trusted and skip the codes for future sign-ins.
Most people choose a single 2FA app and use it for every service. My configuration is a little different, because I have two phones that I use interchangeably, and a greater-than-average number of online accounts on which 2FA is enabled. I've settled on a security setup that uses three separate authenticator apps, each one with its own specific security role to play.
That setup might sound confusing in theory, but it solves several problems elegantly, and it isn't the least bit annoying in practice. The same regimen might work for you.
Here's the tl&dr: If you're protecting Google accounts, use the Google Authenticator app. For Microsoft accounts, use the Microsoft Authenticator app. For all other accounts, use either of those apps or chose a third-party alternative like Authy, which allows you to back up and restore your security configurations so you can remain secure when you switch phones.
Allow me to introduce these three apps, with details about the unique strengths of each. All three are completely free and are available for iOS and Android platforms.
If you go to just about any online service that supports the six-digit TOTP codes that are at the heart of 2FA, this is the app you're instructed to download. The dirty little secret is that there's nothing special about the way the Google-branded Authenticator app generates those codes. For third-party apps and services, you can use any of the three 2FA authenticators I describe here.
Where the Google app shines is, naturally, when protecting sign-ins to your Google accounts. That includes both personal accounts (Gmail, YouTube, and other consumer services) and G Suite apps managed by an organization.
The default option, a Google Prompt that you respond to on your mobile device, doesn't require the Authenticator app at all. If you're signed in with the corresponding account on an Android device or in the Gmail app on an iPhone, you can respond to the prompt, as shown on the left below, and sign in.
To set up the Authenticator app for the first time, use its option under the Set Up Alternative Second Step heading. Open the app, click the + button to add your account, and scan the QR barcode. Enter the six-digit time-based code to confirm that you're set up correctly, and you're done.
If you can't receive the prompt, for some reason, or if you prefer another authentication method, click the Try Another Way To Sign In link, which allows you to choose one of the options you set up previously, as shown on the right below.
The interface for setting up and responding to authentication options is the same for G Suite accounts, although an administrator has to enable the feature from the G Suite admin console, where they can also limit the types of authentication allow and tighten security by turning off the ability to trust a device or to receive codes via SMS or a phone call.
To set up third-party 2FA accounts in the Google app, click the + button and scan the bar code or manually enter the setup information. You can use codes generated here for any TOTP-based 2FA proof.
Although you can install the Google Authenticator app on multiple phones, you can only use one device at a time, and you can't share accounts between devices. You can move your existing accounts to a new phone, but there's no supported way to back up and restore configurations.
At first glance, Microsoft's Authenticator looks pretty much like the Google equivalent. It generates the same six-digit TOTP codes for third-party 2FA accounts but does its best work on consumer Microsoft accounts and enterprise-managed Azure AD accounts.
After installing the Authenticator app, you can configure 2FA settings for a free Microsoft account at https://account.live.com/proofs. You don't need a QR code; sign in with your user name and password in the app and then respond to one of the proofs you've already set up. After that setup is complete, you'll see a push notification when you sign in to a new device.
Note that you can set up and use the Microsoft Authenticator app on multiple devices simultaneously. The eight-digit authentication codes are the same across devices, and you can respond to prompts on any device that's properly set up.
For Azure Active Directory accounts, setup is a little different. An administrator has to enable multi-factor authentication from the Office 365 or Azure AD admin console; after that, users manage security verification by going to https://account.activedirectory.windowsazure.com/Proofup.aspx. There, you can set up multiple security verification options and assign a preferred option, as shown here.
For maximum security, disable the option to authenticate using codes sent over SMS and allow only calls to your office number or a prompt or code from the Authenticator app. You can choose any of those options at sign-in time.
For Azure AD accounts, you can set up the Authenticator app on multiple devices, and it will work properly. You can also use this app to set up third-party 2FA accounts (Facebook, Twitter, QuickBooks, and so on) in this app and use its codes to sign in.
The iOS version of Microsoft Authenticator allows you to back up settings to iCloud, making it possible to copy settings from one iPhone to another relatively easily. A similar option is, alas, not available for Android devices.
Although you can set up third-party 2FA accounts in either the Google or Microsoft Authenticator app, you can't sync those accounts between devices between the two devices, nor can you easily back up and restore settings between devices. And that, ultimately, is why I'm not willing to use either of those apps for third-party accounts.
Instead, I use and recommend the free Authy app. You can add any 2FA account to it, scan the QR code to set up the shared secret and be ready to go in minutes. Best of all, you can back up and restore those settings and set up a secondary device using the same account information. For someone who switches between mobile devices regularly, this is a killer feature.
When you have Authy set up on two or more devices, setting up an account on any device automatically pushes those settings to the new device, so you don't have to manually set up authentication in multiple places or worry that you'll lose access to important accounts if you lose your primary device or it's damaged.
The backup password, which manages syncing between devices, isn't stored on the servers that sync Authy settings between devices. It's only used locally, which means that even if Authy's servers are compromised, an intruder can't recover your 2FA information without the backup encryption key, and if you lose that encryption key, you'll have no way to recover your 2FA codes if your only device is lost, stolen, or damaged.
Of course, you don't have to back up your settings to the cloud. You can keep those settings completely local, but if you do so, you lose the ability to sync and backup security tokens. (And if you want to know how Authy handles those backups, read the explainer here.)
So, to recap, I use the Google Authenticator for my Google accounts and the Microsoft Authenticator for Microsoft accounts. In both those cases, I rarely have to open the app manually, because I can simply respond to prompts as needed. For everything else, Authy is my go-to app.
If you've got a preferred alternative, tell me about it in the comments below.