Leaks and hacks make it clear that passwords alone don't do enough to protect your online accounts. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. Here at PCMag, we've been covering security software for more than 30 years. All our in-house experts frequently exhort readers to use MFA. Using an authenticator app is one of the easiest and most secure ways to do this. It's more secure than one-time codes sent to you via SMS, which is riskier than people realize. Note that we do not recommend LastPass Authenticator, as its online backup was compromised in last year's LastPass breach. Nor do we recommend Authy because it's vulnerable to SIM swapping attacks. Keep reading after our list of the best authenticator apps for more on how they work, as well as criteria you should consider when choosing one.

How Do Authenticator Apps Work?

Authenticator apps generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, whenever you want to log in to a site, you open the app or website, enter your username and password, and then, when prompted, type the code you see in your authenticator app into the secured login page. That's it. "Time-based" means the code is only valid for a short time, maybe 30 to 60 seconds, which makes it harder for anyone to steal your code and log into your accounts because they only have a short time to do so.

The codes are generated by doing some math on a long code transmitted by that QR scan and the current time, using a standard HMAC-based one-time password (HOTP) algorithm sanctioned by the Internet Engineering Task Force.

Since the protocol used by these products is usually based on the same standard, you can mix and match brands, for example, using Microsoft Authenticator to get into your Google Account or vice versa.

How to Set Up an Authenticator App

To set up MFA by app instead of text message, go to your online account's security settings and look for the multi-factor or two-factor authentication section. Nearly every financial site has it, and so do many other kinds of online accounts. Most sites list the simple SMS code option first, but go past that and look for authenticator app support.

The most common way to set up MFA is to scan a QR code on the site with your phone's authenticator app. Note that you can scan the code on multiple phones if you want a backup. Financial sites usually also give you account recovery codes as an additional backup—save them somewhere secure, like in your password manager. The codes work in place of an authenticator app, meaning if you lose or break your phone, you can enter one of these codes to get into your account.

What Should I Look for in an Authenticator App?

Data Collection Practices

Authenticator apps don’t have any access to your accounts. After the initial code transfer, they don’t communicate with the download site; they just generate codes. You don’t even need phone service or an internet connection for them to work, which is why we take particular umbrage with authenticator apps that engage in excessive data collection. To us, data collection veers into "excessive" territory when an app collects data from device categories that have nothing to do with the app's primary function.

(Credit: Apple/Google/PCMag)

For example, as shown above, if you are using an Android or iOS device, Google Authenticator may collect data from your Contact List, your email address, and even your photos and videos. It's a lot of data for an app with such a simple purpose.

Backups of Account Info

Something to look for when choosing an authenticator app is whether it backs up the account info (encrypted) in case you no longer have the same phone on which you originally set it up. All the apps included here do this.

No SMS Codes

One common MFA method is a time-based one-time passcode sent to you by text message, but it's not as secure as either an authenticator app or a security key. Thanks to a vulnerability in SMS messaging, crooks can reroute text messages and intercept your codes. We recommend using authenticator apps that do not use codes sent by SMS during setup to authenticate you or your device. Most authenticator apps don't.

What's the Safest Third-Party Authenticator App?

The safety of these apps stems from the underlying principles and protocols rather than any implementation by the individual software makers.

Aegis Authenticator and Microsoft Authenticator have slight security advantages in that they can be set up to require biometric logins to access the codes needed to unlock your online accounts.

Is There Anything Safer Than an Authenticator App?

Using an authenticator app is one of the better types of MFA. It's always better to use some kind of MFA than none at all, and authenticator apps are free, easy to use, and widely available. However, the top option for safety is a dedicated hardware key MFA device. Our Editors' Choice is the Yubico Security Key C NFC.

(Credit: Kim Key)

MFA security keys produce codes that are transmitted via NFC or by plugging them into a USB port. Unlike smartphones, they are single-purpose and security-hardened devices. These devices can secure your Apple, Google, or Microsoft accounts.

Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Plus, if you lose your phone, all of your codes go with it. Security keys have neither batteries nor moving parts and are extremely durable—but they’re admittedly not as convenient as your phone.

Finally, remember never to install an unknown, unrecommended authenticator app, even if it looks good. Malicious impersonators have appeared on app stores. Stick with the best authenticator apps recommended here from well-known companies.