The most important thing you can do to increase your online security, alongside using a password manager, is to enable two-factor authentication. After interviewing three experts and testing seven authenticator apps, we think Authy has the best combination of compatibility, usability, security, and reliability.
When you log in to an online account with two-factor authentication enabled, the site first asks for your username and password, and then, in a second step, it typically asks for a code. Even if someone gets hold of your username and password, they still can’t log in to your account without the code. This code, which is time-sensitive, can come to you via SMS, or it can be generated by a two-factor authentication app, such as Authy, on your phone. When you open Authy you see a grid with large icons that makes it easy to find the account you’re looking for, copy the security token, and get on with your day.
Compared with other authentication apps, Authy is also available on more platforms, including iOS, Android, Windows, Mac, and Linux, and it features PIN and biometric protection for the app. Unlike most other two-factor authentication apps, Authy includes a secure cloud backup option, which makes it easier to use on multiple devices and makes your tokens simple to restore if you lose or replace your phone. The fact that the backup is optional lets you decide what, if any, security risks you’re willing to take in favor of usability. It’s run by Twilio, a reputable company that clearly outlines its security practices and updates Authy frequently.
How to set up and use Authy
Most people use Authy primarily on their phone, so let’s start there:
- Download the app from Google Play or Apple’s App Store.
- Open the app; Authy asks for your mobile phone number and email address.
- Authy sends you a PIN over text message. Enter that code in the app.
Now, let’s walk through what it’s like to set up two-factor authentication on a site. Every website is a little different, but Authy includes guides for the most popular sites, and the Two Factor Auth (2FA) list includes nearly every site that supports two-factor authentication. As an example, here’s how it works on a Google account:
- Log in to your Google account (it’s much easier if you do this from a computer).
- Click the Security tab on the left side.
- Select 2-Step Verification.
- Reenter your password.
- Find the “Authenticator app” option and click Set Up.
- Select Android or iPhone and click Next.
- Google displays a QR code. Open the Authy app on your phone. On Android, tap the three-dot menu and then Add account. On iPhone, tap the Add Account button, with the large + symbol.
- Tap Scan QR Code and use the camera on your phone to scan the QR code from Google. Tap Done on your phone.
- The account is now in Authy, but it’s not enabled yet. Back on Google, click Next. Then, enter the six-digit code from Authy. Click Verify.
- You will see a “Backup codes” option. This is how you can get back into your Google account if you lose your phone and access to the Authy app. Save these codes. Print them out and store them somewhere you’ll be able to access them if you lose your phone.
You need to do this for every account on which you want to enable two-factor authentication. You should do so for any account that has personal information, including your password manager, email, chat apps, social networks, bank sites, cloud backup services, or anywhere you’re storing health data. This process can take a while if you’re starting from scratch, but once you get your backlog in order, you won’t need to set up new accounts often. It’s critical that you save the backup codes each account provides, as that is the most secure way back into your account in case you lose your phone.
If you do not trust yourself to hang on to the backup codes a website provides, consider using Authy’s encrypted backup. Security experts recommend against this, and using the feature means you’re trading security for the convenience of being able to get back into your accounts even if you lose the backup codes. Authy encrypts your tokens on your phone before uploading them, so nobody at Authy can read them. Even though the backup is encrypted with AES-256 (Advanced Encryption Standard), the encrypted tokens are stored online, so someone could theoretically break that encryption and get your tokens, though we have no evidence that this has happened so far. If you go the backup route, the best configuration is to have backups enabled and Authy installed on a secondary device, but with multi-device disabled. You also need to pick a strong password you haven’t used for anything else. Since you do not need to log in to Authy often, it’s very easy to forget this password, but Authy does at least periodically ask you to re-enter it to help ensure that you remember it.
How we picked
A two-factor authentication app doesn’t need to offer much to be good, but a poorly made one can be a serious pain to use—or even pose a security issue. Here’s what we found to be most important through our interviews with experts and our independent research:
- Platform compatibility: A good two-factor authentication app should work on both Android and iOS. Availability on Windows and Mac can be useful, especially for account recovery, but isn’t a requirement.
- Usability: An authenticator should make it easy to add new accounts, find existing accounts, and delete unneeded accounts.
- Reliability: Pretty much anyone with an app developer license can make an authentication app, so when it came to security we looked for apps run by well-known companies like Google, Twilio, Cisco, Microsoft, and others. Going with a reliable company helps guarantee continued support for new mobile operating systems and tech support if something goes wrong.
- Ease of account recovery: Account recovery is the biggest pain point with two-factor authentication, so we looked for apps that offered multiple ways to recover an account, whether through a support line, some type of device backup, or other means.
- Optional backups: The security researchers we spoke with said they don’t recommend backing up or syncing a two-factor authentication account because then your tokens are on the company’s servers, which could be compromised. So we looked for authenticators that left this feature opt-in. For the apps that do offer backups, we looked for clear explanations of how the backups worked, where they’re stored, and how they’re encrypted.
- App security: We looked for apps with support for PIN or biometric locks, so you can add another layer of security, such as Face ID or your phone’s fingerprint scanner, to the app if you want.
With our criteria set, we tested Authy, Duo, Google Authenticator, Microsoft Authenticator, LastPass Authenticator, 1Password’s built-in authenticator, and Salesforce Authenticator.