Two-factor authentication is a must-have security feature these days, as it adds a second layer of security to protect your accounts from being hacked. Recently, a number of fake authenticators popped up on the iOS App Store to scam users out of their money. We tell you which authenticator apps are safe to use.
Why you should use TOTP apps, and not SMS-based 2FA
You should know that SMS-based two-factor authentication (2FA) is not safe: SMS codes are prone to SIM-swap attacks and can be intercepted by attackers. Also, SMS-based codes require a working cellular connection, which can be a problem if your service provider is suffering a network outage or if you can't find a signal, i.e. you're out of range. Email codes have the same issue: you can't receive them without an internet connection, and they are sent in plain text.
This is why apps that support Time-based One-Time Passwords (TOTPs) are better: they don't require a network connection, because the code is computed from the shared secret and the current time, which means they work offline. All you need to do to use an authenticator app is visit the settings page of the account that you want to protect and point your phone's camera at the QR code displayed on the screen. The app will save the account's information and display the 2-step verification codes that you can use to secure your account.
Best authenticator apps for Android and iOS
Aegis Authenticator
Aegis has a pleasant, minimal interface that is easy to use (no account or phone number required). It goes beyond simply saving the 2FA profiles: Aegis can back up your authentication tokens, saving you the need to disable and re-enable 2FA on each account if you're moving between phones. The backups are saved locally and can optionally be synced to your Google Drive. The backups are encrypted with a password of your choice, so this method is quite safe, as there are two layers of security (your Google password + your Aegis password), or three if you have 2FA enabled on your Google account, which you should.
Backing up the tokens is important, so you won't be locked out of your accounts when migrating to a new phone. Install Aegis on the new phone, choose the import option from the app's settings, select the backup file and enter the encryption password, and it will import the tokens. You can use this method to have Aegis on multiple Android devices.
You should enable screen lock or biometric unlock as an extra measure of security; nobody will be able to access the app without your fingerprint or FaceID. The only thing I don't like about Aegis is the way it lists the accounts: there is no grid view (like in Authy). You have to either scroll down the list or use the search button to find a specific account. This becomes a problem if you have a dozen accounts or so. I have been using it for a few years, so Aegis is my top recommendation for Android users; it is free and open source.
Download Aegis Authenticator - 2FA App (by Beem Development) from the Google Play Store, F-Droid or GitHub.
Google Authenticator
Google Authenticator is one of the most popular 2-step verification apps; it is free and doesn't require a Google account (or a phone number) to use. The Authenticator app is user-friendly and also lets you transfer accounts to a new device by scanning a QR code.
A security researcher recently revealed that Google Authenticator did not send any usage data to Google, unlike Microsoft Authenticator, which was found to phone home with some analytics data. The main problem with Google Authenticator is that the Android app does not have a biometric lock or a passcode (password) to lock the TOTP vault. Anyone who has your phone with the screen unlocked can simply open the app and view the 2FA codes.
That's silly, and what's even more bizarre is that the iOS app does not have this problem. The iOS version has an option called Privacy Screen, which is not enabled by default. Toggling it will require FaceID to unlock the vault; you should enable it.
Download Google Authenticator for iOS and Android.
Microsoft Authenticator
Microsoft's Authenticator app is quite similar to Google's in terms of functionality. It does not require an account or a phone number to use. In addition to TOTPs, the app also functions as a password manager, and you may choose to log in with your Microsoft ID to sync your password data (not authentication tokens) across your devices.
There is one feature that makes Microsoft Authenticator stand out from the rest: it supports number matching for passwordless login, which I use with my Microsoft account. All you need to do is enter your username on Microsoft's login page (OneDrive, Outlook, etc.), and the site will display a two-digit number. The Microsoft Authenticator app will display a push notification; tapping on it shows three different numbers, and you select the one that was shown on the website to approve the login.
Number matching is also why Microsoft recently discontinued its Authenticator app for the Apple Watch: the wearable's screen is too small to display a full number pad. The only drawback with Microsoft's authenticator is that it doesn't allow you to export your authentication tokens to another app.
Download the Microsoft Authenticator app for Android and iOS.
Raivo OTP
Raivo OTP is quite similar to Aegis; it has a minimal design without any visual clutter. Unfortunately, it too lacks a grid view, so you will need to rely on the search box or scroll the list. That's a minor inconvenience. Raivo has a companion app on macOS that detects TOTPs from the mobile app on your other Apple devices and copies them to your Mac's clipboard. That's very useful.
If you have an Android phone with the Aegis app (or any 2FA app that displays QR codes) and want to move the authentication tokens to an iPhone, you can do that easily with Raivo OTP. To do this, tap and hold your finger on the account name in Aegis, then tap the QR code button that appears at the top. Open the Raivo OTP app on your iPhone and tap the + button. Use it to scan the QR code from your Android device. Similarly, you can use Raivo to display QR codes (swipe left on an account) and use Aegis to scan them. That's an incredibly easy way to migrate your tokens without jumping through various settings.
Toggle FaceID in the app's settings and set up a PIN code to prevent unauthorized usage. You may also want to change the inactivity lock (timeout) from 5 minutes to something lower, like 30 seconds or 1 minute. I use Raivo OTP on my iPhone; it's free, open source, and my number one recommendation for iOS and iPadOS.
Download Raivo OTP from the App Store.
Honorable mentions
Bitwarden Password Manager
Bitwarden has a built-in TOTP feature that you can use to approve logins for your accounts. The catch is that you cannot use the 2FA option for free, as it is locked behind a paywall. But since the premium subscription costs just $12/year, I felt it was worth mentioning here. The paid tier also gives you the option to use hardware security keys such as a YubiKey to unlock your password vault.
Note: Other password managers like Dashlane and 1Password also support TOTPs. I haven't tried these apps, but if you have a subscription you may want to try them, since you're paying for them already.
KeePass
The KeePass password manager also supports TOTPs, and can be a handy way to get the codes on desktops. It's open source, free, and arguably the best offline password manager ever made. Many KeePass apps on Android and iOS also support 2FA. I use KeePass2Android on my Android and KeePassium on iOS. Both apps are FOSS; the latter has some optional premium features.
Steam
This isn't an authenticator app per se, but I'm going to mention it here anyway because it is useful to protect your account. The Steam app on mobile has a built-in authenticator called Steam Guard that displays TOTP codes to verify login attempts made on the web. Valve released a major update for the app last year; while the interface and navigation are subjectively worse than before, the new Steam Guard has a passwordless login option that lets you scan a QR code displayed on the website to log in automatically without even entering your username and password. I recommend enabling biometric authentication, i.e. the fingerprint reader on Android and FaceID on iOS, to prevent unauthorized usage of Steam Guard.
FreeOTP
I have only tried FreeOTP with one account in the past, and that was when I was trying different 2FA apps to switch to from Authy (I moved to Aegis). FreeOTP is a fine app, it's free and open source. Try it for yourself, maybe you will like it better than I did.
Apple Keychain
iOS, iPadOS and macOS have a built-in password manager that syncs to your iCloud Drive; it's called Keychain. More importantly, it also supports TOTPs. It's already available on your iPhone, iPad and Mac, and is free to use. Why not try it? If you have a Windows computer, you can install iCloud for Windows to access your passwords on your PC.
Note: Apple does not have a dedicated Authenticator app, so anything that claims it is the official one is fake.
Authy
Authy's main strength is multi-device support, which you can enable from the app's settings. I think it has the best interface among 2FA apps. I've said this a couple of times, but I'll say it again: grid view > list view.
The reason I mention Authy here, and not in the primary list above, is that its parent company, Twilio, suffered a data breach last year. Authy uses end-to-end encryption, which in theory should have protected users' data. The company mentioned in its report that only 93 Authy users (out of 75 million) who had additional devices registered to their account were affected by the breach. You can read more about the security incident on the official blog. While the number of users who were impacted is low, the fact that they were hacked does raise some concern.
It's also worth noting that Authy requires a phone number to set up the account, and uses it to verify your login on your other devices.
Not recommended
andOTP used to be a great TOTP app, and was one of the other choices that I had been testing before opting for Aegis. Sadly, the open source app was discontinued in 2021, which is why I do not recommend andOTP.
LastPass suffered a major data breach in 2022, which resulted in customer data and password vaults being stolen. You should not use LastPass Authenticator, and if you are, we strongly recommend that you move away from it.
I'm sure there are other 2FA apps that haven't made it to this list. Which authenticator app do you use?
The post Best authenticator apps for Android and iOS appeared first on gHacks Technology News.