Why It's Smart to Use Authentication Apps for Multifactor Security

The apps generate short-lived codes to use along with a password. That can be safer than having codes texted to you.


In a world riddled with data breaches, having a strong password isn’t always enough to keep your personal and financial information safe. That’s why security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (aka two-factor authentication). But many people who use multifactor authentication (MFA) may not be using it in the most secure way, according to security professionals.

When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.

But many security experts say there’s a better option: switching to an authentication app, which uses an algorithm linked to your device to continually generate numerical codes that expire every 30 seconds.


Unlike authentication apps, text messages rely on your phone number, which is more vulnerable to criminal attack. A determined attacker may persuade a phone company to redirect someone else’s phone number to a new SIM card on their own device in what's called SIM swapping or SIM jacking. Then they can intercept messages directed to that phone number.

“SIM swapping is obviously a risk,” said Leigh Honeywell, CEO and co-founder of Tall Poppy, a social venture that builds tools and services to help companies protect their employees from online harassment and abuse. But, she says, other problems can arise.

“The issues that come up more often are going to be you lose your job and your phone gets cut off, or you’re on a family plan and you have a conflict with a family member who is the administrator of the plan,” she says. “There are a lot of ways that phone numbers end up being a very brittle part of the security ecosystem that go way beyond the very sharp end of the spear that is SIM swapping.”

And, of course, SMS-based MFA is inaccessible if you don't have a phone signal because, for instance, you're traveling internationally.

To set up multifactor authentication using an app, you download the app and then use a browser on your desktop or laptop computer to go to each of your online accounts. You’ll typically have to scan a QR code with the camera on your phone. Then the app will generate and keep track of your tokens—the temporary codes for each account. (These are also referred to as time-based one-time passwords, or TOTP, because they change every 30 or 60 seconds.) When you need to log in to an account, you enter your password, then open the authentication app to get the code you need to enter for MFA.

The following apps have a good reputation among security experts, though individual experts have their personal favorites. You can also use a password manager for MFA, as described below.

Authy

Price: Free

Authy, owned by Twilio, is available for both iOS and Android as well as desktop and laptop computers. It offers encrypted cloud backup and support for a secondary device, such as a laptop, tablet, or even another phone. Security experts disagree on whether this is a good idea or not; you're slightly more likely to run into trouble because the tokens are on multiple devices. But it makes it easy to recover your tokens if you lose your phone or get a new one. You just have to add the new device to your account and disable the old device. Authy uses large icons for each banking or other account you add, making it easy to find the one you need. Even though some sites mention support only for Google Authenticator, Authy can be used in its place.

Duo Mobile

Price: Free

Duo Mobile, owned by Cisco, is targeted mainly at corporate users, but it also offers a free multifactor authentication option for individuals that’s available on Android and iOS devices. Like Authy, it can be used in place of Google Authenticator. Also like Authy, Duo Mobile uses icons for each account, making it easier to find the one you’re looking for. Although there’s no way to add a secondary device to a free Duo Mobile account, the company does allow you to back up your tokens to iCloud or Google Drive with a recovery password. When you get a new phone, you download the app and recover your tokens from the cloud to start using Duo Mobile on the new device.

Google Authenticator

Price: Free

Google Authenticator, available for Android and iOS devices, can be used with many different online accounts. As mentioned above, a site may say that it's compatible with Google Authenticator and not mention additional options, but you'll still be able to use one of the other apps. Google Authenticator lacks separate icons for each account, so you may need to do some more scrolling and reading to find the tokens you need. If you get a new phone, you download the app and scan a QR code from the app on your old phone to transfer all the tokens. (Until recently, that worked only for Android phones; iPhone users needed to scan a separate QR code for each account. But that tedious process has now been fixed.)

Storing MFA Tokens in Password Managers

The most important way to protect online accounts is to have a strong, unique password for each of them, and for that many security professionals say you should use a password manager. Consumer Reports tests password managers, and a number of them can also double as authentication apps.

“For the average person, it’s just going to make sense to use your password manager to store your tokens,” Honeywell says.

Consumer Reports’ top password manager picks, Bitwarden, 1Password and Keeper, offer this option. For example, if you use 1Password, simply select the “password” category on the app, enter the name of the account you’re setting up, and click the plus sign next to “add new one-time password.” (As we discussed above, a token is also called a time-based, one-time password, or TOTP.)

If you’re an iPhone user, you can even set up your phone to automatically copy one-time passwords to your clipboard when you select a log-in for Autofill.

What If You Lose Your Phone?

Getting locked out of an account that’s central to your digital life can be almost as catastrophic as having your account taken over by an attacker. But if you have MFA set up (as you should) and you're using an authenticator app (a great idea), what happens if you lose your phone?

Online accounts give you options for unlocking your account, but going through that process for one account at a time is difficult.

Some authenticator apps allow you to print out or save a list of one-time backup codes to use if you lose access to your authentication app or your phone. Each code can be used just once. You’ll want to keep these safe but accessible.

While some security experts think that saving a list of tokens is dangerous, Honeywell says that line of thinking is a security nightmare for the average person. “To make people go through the hassle of resetting up their TOTP keys again is not necessary, and it does lead to locking people out of their account,” she says.

One More Option: Security Keys

Authentication apps won’t stop you from accidentally entering your code into a fake or fraudulent website designed to steal your log-in information.

“If you can get someone to enter that one-time password at just the right time, then using that authentication app, TOTP is still phishable,” said Martin Shelton, principal researcher at the Freedom of the Press Foundation. He recommends that individuals who think they're at high risk for being hacked instead buy a physical security key such as Yubikey, which provides protection from phishing attacks.

Also remember that your MFA tokens are only as secure as the devices you keep them on, so make sure to use good passwords or passcodes for your phone, tablet, and laptop, and install security updates whenever they become available.



Yael Grauer

I am an investigative tech reporter covering digital privacy and security. I'm the lead content creator of CR Security Planner, a free, easy-to-use guide to staying safer online. Prior to Consumer Reports, I covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications. Follow me on Twitter (@yaelwrites).