If you use two-factor authentication with one-time codes generated in an app, Google Authenticator is not your only option. Since Google’s original solution was created a decade or so ago, a number of alternatives that outperform it in convenience and functionality have come on the scene.
As recently as three years ago, you could count available authenticator apps on one hand, but with a few dozen in the mix now, it is easy to get lost in the options. To help you choose an authenticator that works with your operating systems, we have grouped the 10 most noteworthy by OS:
- Authenticator apps for Android: andOTP, Twilio Authy, Google Authenticator, Microsoft Authenticator, Cisco Duo Mobile, FreeOTP
- Authenticator apps for iOS 15: OTP auth, Step Two, Twilio Authy, Google Authenticator, Microsoft Authenticator, Cisco Duo Mobile, FreeOTP, iOS built-in authenticator
- Authenticator apps for Windows: WinAuth, Twilio Authy
- Authenticator apps for macOS: Step Two, OTP auth (paid version only), Twilio Authy
1. Google Authenticator
Operating systems: Android, iOS
Anyone reading this post is probably already familiar with the overwhelmingly popular Google Authenticator. However, we can’t write about authenticator apps without mentioning this one — and we can use Google’s authenticator as a baseline for evaluating the other programs.
On the whole, Google Authenticator is a convenient solution for those who would rather not get involved with token synchronization through the cloud. Instead, the app can export all of the tokens created in it, making a single QR code to import them en masse to a new device. In the iOS version, it recently became possible to search tokens and protect access to the app with Touch ID or Face ID, unlike with the Android version. Google Authenticator still cannot hide generated codes from view, which may be problematic if you use it in public. (Incidentally, all authenticators for Android restrict the taking of screenshots, so all screenshots in this post come from the iOS versions of the apps.)
Pros:
- No need to create an account,
- Face ID/Touch ID protection for app access (iOS version only),
- Simple interface with minimal settings,
- Ability to export and import all tokens at once,
- Ability to search by token name (iOS version only).
Cons:
- No login protection (Android version),
- Inability to hide codes,
- No cloud backup/sync,
- Greater potential risk, because of ease of exporting tokens, if the unlocked app falls into the wrong hands.
Summary
Google Authenticator lacks some useful features, but if you don’t want to get involved with storing tokens in the cloud, it’s a decent option.
2. Microsoft Authenticator
Operating systems: Android, iOS
Many people looking for an alternative to Google Authenticator turn to Microsoft Authenticator based solely on the reputation of the developer. They’re partly justified: The Microsoft app includes a few useful additions to the basic set of features. For example, it can hide codes on the screen and store tokens in the cloud, and both the iOS and Android versions protect app logins. Microsoft Authenticator also comes in handy if you work with Microsoft accounts regularly, in which case you do not need to enter a code, just tap the button in the app to confirm login.
However, this app also has drawbacks. First, the Android and iOS apps use completely incompatible cloud backup systems, and you can’t transfer tokens any other way. For users of devices with different operating systems, that would be a deal-breaker. Second, Microsoft Authenticator needs about 10 times the storage space of Google Authenticator, 150MB–200MB compared with 15MB–20MB.
Pros:
- PIN-, fingerprint-, or Face ID–protected access,
- Cloud backup/sync,
- Hides codes,
- No account required (as long as you keep cloud backup disabled),
- Greatly simplified Microsoft account login,
- Support for Apple Watch (iOS version).
Cons:
- Microsoft account login necessary for backup/sync (Android version only),
- Incompatibility between iOS and Android backup/sync systems,
- Inability to export or import tokens,
- Large (requires 150MB–200MB).
Summary
Microsoft Authenticator greatly simplifies login to Microsoft accounts, but it is hard to excuse its enormous size — and that iOS and Android cloud backups are incompatible.
3. Twilio Authy
Operating systems: Android, iOS, Windows, macOS, Linux
Twilio Authy’s main advantage is its comprehensive cross-platform support. Not only does Authy offer versions for all current operating systems, but also, the app syncs them all handily. That easy access does come with one disadvantage, though. The app requires an account linked to your phone number to work at all.
The app’s interface looks very different from those of other authenticators. Instead of a list, it has something like a set of tabs, so at any given moment, it displays only the selected token, leaving the rest to appear as small icons that you can switch between at the bottom of the screen. If you have a lot of tokens, that can be inconvenient. Desktop users can display tokens as a list, but the option isn’t available in the mobile version.
Pros:
- PIN-, fingerprint-, or Face ID–protected access,
- Cloud backup/sync,
- Availability for all popular operating systems,
- Support for Apple Watch (iOS version),
- Ability to search by token.
Cons:
- Requires an account linked to a phone number,
- Displays only one token at a time,
- Inconvenience of searching for tokens,
- Inability to hide the active token’s code,
- Inability to export and import tokens.
Summary
You cannot use Twilio Authy without setting up an account, and the smartphone interface isn’t as user friendly as we’d like it to be, but with apps for all operating systems syncing perfectly with one another, this app may be worth a look.
4. Cisco Duo Mobile
Operating systems: Android, iOS
Duo Mobile, acquired by Cisco in 2018, is one of the oldest authenticator apps. Its main advantage is a clean, user-friendly interface. Duo Mobile also hides codes from view and does not require an account. However, the software lacks other important features: first and foremost, access protection, which neither the iOS nor the Android version has.
Duo Mobile uses two systems for cloud backup: Google Cloud on the Android platform and iCloud on the iOS platform. The smartphone user’s existing Google and Apple accounts serve for that, meaning users do not have to create a new account for the app to work. However, users cannot sync data between Android and iOS versions, the app does not support file export, and there is no option to view a secret key or QR code for tokens that are already saved (which could be helpful if you need to do a manual sync).
Pros:
- Clean, user-friendly interface,
- Ability to hide codes,
- No need to create an account,
- Cloud backup/sync,
- Apple Watch support (iOS version).
Cons:
- No access protection,
- Inability to export or import tokens,
- Incompatible backup/sync systems for iOS and Android.
Summary
Cisco Duo Mobile may meet your needs if you use, and plan always to use, only one mobile operating system.
5. FreeOTP
Operating systems: Android, iOS
This open-source authenticator app was created after Google closed its Authenticator source code. The FreeOTP interface is ultraminimalistic, with nothing superfluous. This minimalist approach is especially apparent in the iOS version, which lacks even the option to create a token based on a secret key, leaving only QR-code scanning. The Android version retains both options, and it offers a lot of flexibility in manual token creation, letting users choose the type of generation (TOTP or HOTP), the number of characters in the code, the algorithm, and the refresh interval for the codes.
One disadvantage is that no version of the app supports cloud sync or token export and import in the form of a file, so once you start using the app, you’re stuck with it. In addition, in FreeOTP, you can’t set a PIN or protect app access any other way (in the iOS version, you can protect individual tokens with Touch ID or Face ID). The app hides codes by default, though, and also hides them automatically after 30 seconds of inactivity. FreeOTP’s final advantage is that it takes up minimal storage space, about 2MB–3MB (by comparison, Google Authenticator requires 15MB–20MB, and Microsoft Authenticator takes up 150MB–200MB).
Pros:
- No need for an account,
- Simple interface,
- Hidden codes as default,
- Codes automatically hidden after 30 seconds of inactivity,
- Minimal storage requirement,
- Touch ID or Face ID protection for tokens (iOS version only),
- Ability to search by token name (iOS version).
Cons:
- Inability to generate a token with a secret key (iOS version; requires scanning a QR code),
- Inability to export and import tokens,
- Inability to backup/sync,
- Lack of access protection.
Summary
Like all open-source apps, FreeOTP is a little quirky, but we cut it a lot of slack because its interface and overall storage requirements are so light.
6. andOTP
Operating systems: Android
The andOTP authenticator has everything you can think of to conveniently and securely save tokens, and then some. For example, andOTP’s features include tag support and search for tokens by name. There is also an option to connect a “panic button” so that in case of emergency, you can erase all tokens from the app and reset.
The app allows you to view your secret key or QR code for each token individually. You can also save all of your tokens at once in an encrypted file in Google Drive — that means with one tap you can back up to the cloud or export to a file. App access can be protected with a password or the fingerprint you use to log in to your Android device. For greater security, however, you can set up a separate PIN or even a long password specifically for andOTP, along with setting the app to lock after a period of inactivity (which you define). There are three or four more settings screens — this app is a geek’s dream.
Pros:
- Access protection with a PIN or password set in the app, or with the OS login PIN or fingerprint,
- Ability to view the secret key or QR code for any token,
- Ability to export all tokens at once to an encrypted file in Google Drive,
- Code-hiding,
- Automatic hiding of codes when the user is inactive (after 5–60 seconds, configurable),
- Automatic locking of the app when the user is inactive (after 10–360 seconds, configurable),
- Flexible token searching by name or using customizable tags,
- Option to use panic button to erase all tokens,
- Flexible and plentiful settings.
Cons:
- Android-only availability,
- Ease of key retrieval, meaning greater risk if the unlocked app falls into the wrong hands.
Summary
andOTP is the most feature-rich authenticator for Android and is sure to please all authenticator geeks.
7. OTP auth
Operating systems: iOS, macOS ($5.99)
If you are an iPhone user who read the above descriptions of andOTP and started to feel jealous of Android owners, we have good news for you: A cutting-edge authenticator app for iOS is also available. The creators of OTP auth clearly understand the problems of people who use 2FA in a lot of services, so this app features a system of folders for organizing token storage.
In addition, OTP auth allows you to view the secret key or QR code at any time for any token or export all of them at once to a file on the smartphone. The app also supports iCloud sync. Users can protect app login with Touch ID or Face ID, or use a separate password for OTP auth. We prefer the latter, given how easy exporting tokens from this app is. The only useful feature missing is the ability to hide codes.
Pros:
- Ability to view the secret key or QR code of any token,
- Ability to export all tokens to a file at once,
- iCloud backup/sync,
- Folder system for organized token storage,
- Apple Watch support,
- Configuration of code display format,
- Access protection with password or Touch ID/Face ID.
Cons:
- Exists only for iOS and macOS (and only as a paid version for macOS),
- Inability to hide codes,
- Icon customization available in paid version only,
- Greater potential risk, because of ease of key retrieval, if the unlocked app falls into the wrong hands.
Summary
OTP auth is the most feature-rich authenticator for iOS, and it boasts easy, convenient token export.
8. Step Two
If andOTP seems over the top and Twilio Authy’s requirement to sign up scares you away, but you still need an authenticator for both iOS and macOS, you should seriously consider Step Two. The interface is minimalist: Both the iOS and the macOS versions are reminiscent of Apple’s Calculator app, and that is nice in its own way.
To match its minimalist interface, Step Two has minimal settings and features, although it does offer iCloud sync. In addition, the desktop app supports QR code scanning, which it does through screen capture (requiring users to grant permission, which makes the feature somewhat risky; in theory it lets the program see everything else they’re doing).
Pros:
- No unnecessary features,
- No need to create an account,
- iCloud backup/sync,
- Ability to scan QR codes (macOS version),
- Apple Watch support,
- Ability to search by token name.
Cons:
- No access protection,
- Does not hide codes,
- Inability to export and import tokens,
- Ten-token maximum in the free version,
- Screen-capture permission needed to scan a QR code (macOS version).
Summary
Step Two is a minimalist authenticator for anyone who has a Mac and iPhone and doesn’t need bells and whistles.
9. WinAuth
Operating systems: Windows
WinAuth targets gamers primarily. The app’s unique superpower is its support for nonstandard tokens for authentication in Steam, Battle.net, and Trion/Gamigo games. If you are looking for an alternative to Steam Guard, Battle.net Authenticator, or Glyph Authenticator/RIFT Mobile Authenticator, this may be the app for you.
To be sure, the app also supports standard tokens, including tokens for Guild Wars 2 and other NCSoft games (which for some reason the developers list separately), and all others: Google, Facebook, Instagram, Twitter, and so on. WinAuth uses a password for logging in and for individual tokens. The app hides codes by default, including automatically, and lets you encrypt the data it stores and exports.
Pros:
- Support for nonstandard tokens for gaming services, meaning it can replace Steam Guard and Battle.net Authenticator, as well as Glyph Authenticator and RIFT Mobile Authenticator,
- Support for token export in an unencrypted text file or in an encrypted archive,
- Codes hidden,
- Automatic code hiding after more than 10 seconds of user inactivity,
- Access protection through password or YubiKey (that is, U2F),
- Additional password protection available for each token,
- Portable, with flash drive and cloud storage options,
- Can encrypt stored data,
- Ability to scan QR code from file (local or on the Internet).
Cons:
- Steam token creation requires giving WinAuth your Steam username and password,
- Using a two-factor authentication app on a PC is not advisable in general,
- No version for other operating systems,
- Greater potential risk, because of ease of key retrieval, if the unlocked app falls into the wrong hands.
Summary
Gamers will love WinAuth because it allows for the creation of the nonstandard tokens game publishers favor.
10. iOS and macOS built-in authenticator
Operating systems: iOS (built in to the system), macOS (built in to the Safari browser)
Starting with iOS 15, all versions of the iPhone’s operating system have a built-in 2FA one-time code generator. To find it, go to Settings → Passwords, select a stored account (or create a new one), and under the heading Account Options tap Set Up Verification Code…. The rest is as usual: You can either scan the QR code or manually enter the secret key — or scan the authenticator QR code right from the camera app and then add a token to an existing account in Passwords. Inconveniently, the latter method will not prompt you to create a new account.
A built-in authenticator is now also available in macOS, or more specifically, in versions 15 and later of the Safari browser. To find it, open Safari, and in the menu at the top of the screen, go to Safari → Preferences → Passwords. Select an account (or tap + to create a new one), tap Edit, and in the window that opens, tap Enter Setup Key… (there is no QR code option here). The tokens automatically sync using iCloud, so you will not need to activate them again on the Mac if you have already created them on an iPhone.
In theory, the iOS/macOS built-in authenticator supports autofill, but in practice, it doesn’t work very smoothly yet. We ran a little experiment with a Twitter account and two-factor authentication with the code we received. Results were mixed: When we logged in to the Twitter app, the system successfully filled in an authentication code, but when we tried to log in to the Twitter website in Safari, the code never appeared, whether we tried in iOS or in macOS.
Pros:
- Availability on every iPhone (iOS 15 and later) and every Mac (regardless of OS, Safari 15 and later),
- No need to create a separate account,
- Ability to add a token directly from the camera app (but only to an existing account; it won’t work for creating a new one),
- Autofill for one-time codes,
- Access protection using Touch ID or Face ID,
- iCloud backup/sync.
Cons:
- Location in the depths of iOS or Safari settings,
- Display of only one token at a time,
- Inability to hide codes,
- Visible account password next to the code (iOS version),
- Storage of 2FA tokens and passwords together, which is antithetical to the principles of two-factor authentication,
- Inability to export and import tokens.
Summary
At first glance, building an authenticator into the OS looks like a good idea. However, in this case, autofill doesn’t work consistently, and the feature is too hard to find.
Remember to make a backup copy
In closing, here are a few tips. First, you are never limited to using just a single authenticator app. One option may be better for some purposes, another for others. You can — and should — combine apps depending on your needs.
Second, we recommend paying attention to security. Install a reliable device lock and always make sure to enable app access protection, especially if you plan to use one of the authenticators that lets you easily export tokens (Google Authenticator, andOTP, OTP auth, or WinAuth). With those apps, which prioritize ease of access, a potential attacker can not only steal a one-time code that works for 30 seconds, but also quickly clone all tokens.
Third, remember to make a backup copy of your tokens, especially if you have chosen one of the apps in which you can’t view the secret key or QR code or export tokens to a file (in other words, most of them). The backup copy will come in handy if you lose your smartphone or if, for example, the app stops working correctly after a routine update. In most cases recovering an authenticator without a backup copy will be much harder.
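The token settings mentioned in the FreeOTP review (TOTP or HOTP, code length, algorithm, refresh interval) and the export warning in the second tip come down to the same thing, shown here as an added example that is not from the original post or from any of the apps reviewed: an enrollment QR code commonly carries an otpauth:// URI, and whoever holds its secret key computes the same codes. The account label and the secret are constructed test values (the secret is the RFC 6238 test key).

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_otpauth(uri):
    """Parse an otpauth:// URI, the payload an enrollment QR code usually carries."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    # Secrets are Base32, often lower-case, spaced, and without padding.
    secret = params["secret"].replace(" ", "").upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)
    token = {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": ALGORITHMS[params.get("algorithm", "SHA1").upper()],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }
    if token["type"] == "hotp":
        token["counter"] = int(params["counter"])  # mandatory for HOTP
    return token

def hotp(token, counter):
    """RFC 4226: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(token["key"], struct.pack(">Q", counter),
                   token["algorithm"]).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** token["digits"]).zfill(token["digits"])

def code_at(token, unix_time):
    """TOTP (RFC 6238) uses the number of elapsed periods as the counter."""
    if token["type"] == "totp":
        return hotp(token, int(unix_time) // token["period"])
    return hotp(token, token["counter"])

# Constructed sample: the RFC 6238 test key, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8&period=30")

if __name__ == "__main__":
    phone = parse_otpauth(SAMPLE_URI)   # the enrolled device
    copy = parse_otpauth(SAMPLE_URI)    # any holder of an exported token
    print(code_at(phone, 59), code_at(copy, 59))
```

Both calls print the same code for the same moment, which is why an app that can show or export the secret key needs access protection, and why a backup of that key is enough to restore a token on a new device.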