Here at PCMag, we've covered security software for more than 30 years. We encourage you to enable multi-factor authentication (MFA) for all of your online accounts, and with an authenticator app, it's easy. Most people use an authenticator app for a single purpose: Generating one-time passcodes. All the apps on this list perform that function well, but some offer additional helpful features, such as password management or desktop extensions. Our Editors' Choice winners in this category are 2FAS and Aegis Authenticator because the apps are easy to set up and don't ask for much personal data. Read on for the best authenticator apps we've tested and how to choose the right one for you.
Our Top Tested Picks
Best for Minimal Data Collection
2FAS
- No account signup required
- Open-source authenticator
- Includes extensions for popular browsers
- Limited data collection
- Helpful video tutorials
- Lacks support for wearable devices
2FAS is free, collects minimal amounts of your data, works across all of your devices, has a helpful browser extension, and, unlike some competitors, doesn't require you to create an account or log in to use all of its features. 2FAS is an open-source project run by a group that focuses on improving online safety, which is a plus.
2FAS is one of the best authenticator apps we've tested, earning it an Editors' Choice award for the category. That means we think that just about anyone will appreciate how easy it is to use 2FAS to add a layer of MFA to all their online accounts.
Best for Android
Aegis Authenticator
- No data collection reported
- Thoughtful interface customization options
- Diverse exporting and importing choices
- Easy backup capability
- Only works on Android
- No support for wearables
Aegis Authenticator doesn't report any data collection, and we found it easy to import and export our tokens to and from other authentication apps. The only real drawback is that the app only runs on Android devices.
Anyone who uses an Android device will find this app useful. We were particularly impressed with its customization options that are designed to secure your tokens and speed up your workflow.
Best for Microsoft Accounts
Microsoft Authenticator
- Easy to use
- No account signup required
- Includes a password manager
- Supports logins using Microsoft Verified ID
- Inconsistent browser auto-filling
- Lacks support for wearables
We like Microsoft Authenticator because it makes it easy to protect and log into your online accounts using your phone. It's free, and you don't need a Microsoft account to use its authentication functions. That said, logging into your Microsoft account can unlock the app's password management features. The form-filling functions weren't functional on an iOS device during our testing period, but we were impressed with the app's other capabilities as a password manager.
Though the app functioned well as a simple authentication tool without logging in, Microsoft customers will benefit most from this app since creating or logging into your account allows you to use its most impressive features.
Best for Google Accounts
Google Authenticator
- Easy to use
- Account creation not required
- Can manage codes for multiple accounts
- Collects a lot of data
- Limited importing options
- Lacks support for wearable devices
Google Authenticator is free, and if you have a Google account, setting up and transferring codes is easy. Generating codes was painless in testing, and we appreciate the app's intuitive interface.
This app is good for Google fans because it's easy to use while logged in. If you don't want to log into your Google account, your codes won't sync across your devices, which isn't ideal. We were also surprised at how much data the simple token generation app collects from your device, so, again, this is an app for people who really trust Google.
How to Set Up an Authenticator App
Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, just type the code you see in your authenticator app into the secured login page. "Time-based" means the code is only valid for a short time (usually under one minute), making it hard for anyone to steal your code and log into your accounts.
To set up MFA, go to your online account's security settings and look for the multi-factor or two-factor authentication section. The most common way to set up MFA is to scan a QR code on the site with your phone's authenticator app. Some websites give you account recovery codes to use as additional backup. It's a good idea to save them somewhere safe, like in your password manager. That way, if you lose or break your phone, you can still get into your accounts using account recovery codes.
What Should I Look for in an Authenticator App?
Data Collection Practices
Authenticator apps don’t have any access to your accounts. After the initial code transfer, they don’t communicate with the download site; they just generate codes. You don’t even need phone service or an internet connection for them to work, which is why we take particular umbrage with authenticator apps that engage in excessive data collection. To us, data collection veers into "excessive" territory when an app collects data from device categories that have nothing to do with the app's primary function.
In the example shown above, Google Authenticator may collect data from your Contact List, email address, and even your photos and videos. This is a lot of data for an app with such a simple purpose.
Backups of Account Info
When choosing an authenticator app, consider whether it saves encrypted backups of your account information in case you lose your phone. All the apps included in this list allow backups.
No SMS Codes
One common MFA method is a time-based one-time passcode sent to you by text message, but it's not as secure as either an authenticator app or a security key. Thanks to a vulnerability in SMS messaging, crooks can reroute text messages and intercept your codes. We recommend using authenticator apps that do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don't.
What's the Safest Third-Party Authenticator App?
The safety of these apps stems from the developers' underlying principles and protocols rather than any implementation by the individual software makers. In other words, your online safety comes down to your personal decision-making when engaging with apps, browser extensions, or other software. Sometimes, it's worth it to do some research before trusting the company behind the app that is protecting your accounts.
For example, an internet search reveals that 2FAS is an open-source authenticator created by a group focused on internet safety. With that knowledge, you may be more inclined to trust that product over an app created by a profit-driven entity such as Google or Microsoft.
That said, some authenticator apps have security-focused implementations. Microsoft Authenticator can be set up to require biometric logins to access your codes. All of the apps on the list have a way to hide token codes from view, and the Android versions can block screenshots, too.
Is There Anything Safer Than an Authenticator App?
It's always better to use some kind of MFA than none, and authenticator apps are free, easy to use, and widely available. However, the top option for safety is a dedicated hardware key MFA device. Our top recommendation is the Yubico Security Key C NFC.
MFA security keys produce codes transmitted via NFC or by plugging them into a USB port. Unlike smartphones, they are single-purpose and security-hardened devices that can secure your Apple, Google, or Microsoft accounts.
Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Plus, if you lose your phone, all of your codes go with it. Security keys have neither batteries nor moving parts and are extremely durable—but they’re not as convenient as your phone.
Finally, remember never to install an unknown, unrecommended authenticator app, even if it looks good. Malicious impersonators have appeared on app stores. Stick with the best authenticator apps recommended here from well-known companies.