Choosing your preferred password manager and using it to create and store your login credentials is the most important step you can take to secure your online life. Still, passwords can leak, and credential phishing is a big problem. That’s why you should rely on a second factor other than your password to authenticate yourself. That’s where two-factor authentication (2FA) comes in.
Most of the services that offer 2FA do so via an application that generates an automatically renewing code every 30 seconds. However, they differ in quality, features, and convenience. To help you find the right one, here’s a collection of the best applications you can get for your favorite Android phone.
What is 2FA?
2FA, or two-factor authentication, adds a second factor in addition to your password to the process of signing in to your account from a new device. This ensures that even if your password leaks, a bad actor can’t get into your account.
Most of the time, 2FA works in conjunction with one-time passwords (OTPs) or codes generated by an extra app, which is what we focus on here. To achieve that, your preferred 2FA app saves a secret code (a key shared with the service) in a secure enclave within your phone. This secret, combined with the current time, is used to generate new one-time passwords periodically. When you log in to a service you protected via 2FA, you’re prompted to enter your current one-time password, and the service, which holds the same secret, checks that your code matches.
There are other ways, and you might run into them when you log in to your Google account on a new device. Here, your phone might send you a prompt and ask you to confirm that it’s you who wants to log in, all without forcing you to enter a code.
Some services send one-time codes via SMS messages. If possible, avoid this option and opt for an app-based solution. SMS is an outdated standard that doesn’t protect messages in transit from prying eyes, as it’s not end-to-end encrypted. With SMS-based solutions, bad actors might also hijack your phone number through a SIM swap and receive your text messages.
There’s also the option of a physical hardware key like the YubiKey 5C NFC as your second factor. That’s the most secure option, but it’s more complicated than relying on apps.
For all these ways, the idea is that in addition to something you know (your password), you need something in your possession (the phone with the app that generates your one-time code, the SIM card used to receive your SMS messages, or the security hardware key plugged into your device) to get into your account.
How can I set up 2FA on my accounts?
Most popular services support two-factor authentication, and some make it a requirement. You can find out which of your favorite online services support 2FA on the crowdsourced 2FA Directory. When you search for your accounts there, tap the Docs shortcut in the results to see detailed instructions on enabling OTP codes for your services.
Because of the most recent LastPass security breach, we have removed the service from our recommendations. You can read more about the latest breach here.
Standalone 2FA apps
Authy may be the simplest and most straightforward option for most people. It’s a cloud-based manager that automatically stores a secure backup of your 2FA codes on its servers. This prevents you from losing access to your codes in case of phone theft or damage.
Security is still at the core of this service. To access your 2FA codes when you switch to a new phone, you confirm your action using an SMS one-time code and a password you need to select during setup. Then you can decrypt your 2FA credentials and use them on your new handset.
Make sure to write down your Authy password somewhere or memorize it well. Don’t worry, Authy periodically asks you to confirm that you still remember it. We advise against adding your Authy password to your password manager, especially if you plan to protect your password manager with a 2FA code saved to Authy. In that case, you might accidentally lock yourself out of your manager and your Authy account, with no simple way to recover access.
With that out of the way, using Authy is simple. You can view your accounts in a grid or a list and use a Copy button to add the one-time code to your clipboard. The look may be a bit dated, and you may not love tapping accounts to reveal the OTPs one at a time, but the robust cloud storage solution makes up for these issues.
Authy is free to use. The company behind it, Twilio, earns its money from enterprise customers by offering its own 2FA backend solutions. Since its business model rests on selling security through those services, Twilio has a strong incentive to make the process as secure as possible.
However, accidents happen. In August 2022, Authy’s parent company, Twilio, was hacked, and 93 unlucky, highly targeted individuals out of 75 million users had their credentials stolen. As long as you’re not a politician, multi-millionaire, or a target of criminal activity, Authy is a good option.
Other than the hack, the only downside to Authy is that it doesn’t let you retrieve the secret codes you used to set up the one-time password generators for your accounts. If you decide to switch to another 2FA manager, you’ll have to set up your OTPs from scratch, which is a hassle. To work around this, save the secret somewhere else when you add a new account to Authy. We recommend a mix of Authy and Aegis (see below) for this reason.
Authy is cloud-based, making it the only 2FA app on this list that works on almost all platforms. Besides Android, you can get it for iOS, macOS, Windows, and Linux from its official website.
If you don’t want to rely on a cloud-backed, closed source solution like Authy, you might be interested in an open source option. That’s the note that Aegis hits. It’s an open source client that follows a more traditional 2FA interface in the spirit of Google Authenticator, showing all your OTPs in a list. Aegis places a high emphasis on security and encourages you to lock the app with a password or biometrics, which allows your codes to be encrypted at rest using a strong algorithm.
Regarding looks, the app follows your system’s dark or light preference, and you can add app icons using its icon pack or your own symbols. This is a bit more involved than solutions that ship with an image database, but not a big deal if you don’t care about icons.
Aegis supports backups, but the process is more involved than Authy’s. By default, Aegis only stores backups locally on your phone. Remember to upload your backup to a cloud storage provider like Google Drive or copy it to your computer when you add a new account. You can also include Aegis backups in your device backups through Google, though you must restore your next phone with your Google account to regain access to your Aegis secrets.
Another advantage of Aegis is that it lets you view your secret codes and supports exporting to and importing from other OTP managers, so you’re not locked in if you want to give it a try or later find a better solution.
Due to its open source nature, Aegis is available for free. It’s available on Google Play and F-Droid, but it is exclusively available as an Android app. No other platforms are supported.
If you don’t want to back up or sync your 2FA codes because you’re concerned about potential breaches, Google Authenticator might be interesting. Yes, that’s right, Google created an app that works offline. It’s not possible to back up your data using the app. Instead, you can only transfer your codes from one phone to another.
Google Authenticator is more barebones than Aegis. It displays your account names and 2FA codes in a list but without the option to add icons for the accompanying services. You also can’t change the density of the list or opt for an option that hides your codes until you tap them. Google Authenticator has a dark mode, though, so there is that.
If you switch phones, you can move your credentials via a QR code you generate in the app settings. There is not much more to talk about here. Google Authenticator is a solid solution that’s straightforward and easy to use, as long as you’re not afraid of losing your 2FA codes.
Password managers with integrated 2FA functionality
You shouldn’t store your 2FA credentials in the same place as your passwords, as that eliminates the second-factor part of the equation. But as long as you take all possible measures to secure your password manager, having all your credentials in one place is convenient. A setup like this might encourage you to set up 2FA for more of your accounts. Even with this security downside, 2FA is still more secure than relying on a password alone, as your password could leak from a source other than your password manager.
Should you go down this route, you might want to use one of the above standalone 2FA apps for your most important accounts. At the very least, you need a secondary app to secure your password manager with 2FA. You might also want to secure your Google account, email provider, and other places where you store sensitive data.
Bitwarden is a great open source password manager, and it’s also good at handling 2FA codes. Secrets can be saved alongside your passwords, and it’s possible to export them for use with a different service.
After setting up Bitwarden, you can use it to autofill passwords on your Android phone, just like you would with other password managers. Your currently active one-time code is then added to your clipboard, so you can paste it when you reach the relevant stage of the login process.
OTPs are displayed alongside your password and account name.
To use the 2FA aspect of Bitwarden, you’ll pay $10 a year for Bitwarden Premium, which is more affordable than other comparable options. Bitwarden is available on all platforms you can imagine and offers extensions for all popular browsers. There are applications for macOS, Windows, and Linux. Plus, Bitwarden comes as an Android and an iOS app.
Microsoft Authenticator started as a simple 2FA app, but the company turned it into a full-fledged password manager in 2020 that syncs with Microsoft Edge when you log in with your Microsoft account. That makes it a great choice for Windows users or those who are tied to Microsoft’s ecosystem.
You can use the Authenticator as a standalone 2FA app by not adding your passwords. You also don’t have to log in with your Microsoft account if you don’t want or need cloud backups.
Microsoft Authenticator is free. It’s available on Android and iOS, on Chrome as the Microsoft Autofill extension, and integrated into Microsoft Edge.
Stay safe with 2FA and a password manager
This is only a small selection of 2FA apps available, but we found these to be the most secure solutions that are either affordable or free. If you’re interested in staying secure online, follow the best practices to protect your digital privacy on your phone.