This story was originally published and last updated .
Your online accounts are much safer when you rely on more than only a password, and that's where two-factor authentication (2FA) apps come in. You can use them to create an extra layer of security for your accounts, requiring you to enter a one-time password (OTP) in addition to your regular credentials when you log in. That prevents hackers from accessing your account with a stolen password only.
Some services offer to send you OTPs via SMS, but you should always opt for proper 2FA apps if you can. Text messages aren't encrypted and phone numbers can be spoofed, so an elaborate hacker has no trouble getting past these measures. Luckily, there are quite a few great 2FA apps to choose from.
Standalone 2FA apps
It's generally a good idea to rely on open-source tools for security — the code is transparent and openly available, so security audits are easy to conduct. That's why our first recommendation and my personal 2FA manager of choice is andOTP, a fork of the long-inactive OTP Authenticator app. The open-source app might not be the prettiest, but it gets the job done very well. You can optionally encrypt your data at rest, and its local backups can be secured via a password. Since andOTP doesn't offer cloud syncing, you can rest assured that your OTPs will never be stored on unknown, potentially insecure servers without your explicit permission. andOTP also saves the secret code you need to use to set up your OTPs, so you can easily switch to another OTP manager if you ever want to without having to go through the setup process for all of your accounts again.
You can download andOTP from the Play Store or F-Droid.
Aegis is another open-source client that is mostly identical to AndOTP on the surface, showing your OTPs in a list and supporting local backups. But it places an even higher emphasis on security and highly encourages you to lock the app with a password or biometrics, which allows your codes to be encrypted at rest using AES-256-GCM. Regarding optics, the app adheres to your system dark or light preference, and you can add app icons by yourself using its icon pack or your own symbols (which is a little more complicated than other solutions that automatically add icons).
Aegis also lets you access secret codes and supports exporting and importing from and to other OTP managers, so you're not locked in if you just want to give it a try. You can download it from the Play Store or F-Droid.
If you don't value the open-source aspect that much and prefer a 2FA app that automatically and securely syncs over the cloud, Authy might be the service of your choice. Its cloud backup is secured by a password and an SMS-based 2FA system, allowing you to seamlessly sync your OTP codes across multiple devices. The service also offers desktop apps that sync with your online vault.
Authy is free for individuals; it earns its money with enterprise customers. That's why you can rest assured that it does everything humanly possible to protect your data as it can't afford to lose its paying customers due to breaches.
Unfortunately, Authy doesn't let you recover the secret codes used to set up OTPs, so if you ever want to switch to another manager, you'll have to set up all of your OTPs via your accounts anew again or save them somewhere else whenever you add some to Authy.
If you don't want to backup or sync your 2FA codes at all for security reasons, the Google Authenticator might be interesting for you. It supports the usual features and runs locally on your Android phone. If you switch phones, you can move your credentials via a QR code you can generate in the app settings. Google Authenticator automatically based on your system theme, but it doesn't have the option to add icons, so depending on how many services you protect, it might get pretty hard to tell them apart.
Password managers with integrated 2FA functionality
It's generally not recommended to store 2FA credentials in the same place as your password as that effectively eliminates the second factor part of the equation. But as long as you take all imaginable measures to secure your password manager, having all of your credentials in one place is convenient and might encourage you to set up 2FA for more of your accounts, which is inherently more secure than just relying on one factor. You might still want to use a standalone 2FA app for your most important accounts when you go this route.
Here are our favorite solutions for password managers with 2FA support:
Microsoft Authenticator started out as a 2FA app, but the company recently turned it into a full-fledged password manager that syncs with Microsoft Edge when you log in with your Microsoft account. You can still use the Authenticator as a standalone 2FA app by simply not adding passwords if you prefer that. You also don't have to log in with your Microsoft account if you don't want or need cloud backups.
MYKI probably isn't the best-known password manager out there, but it has some unique tricks up its sleeve. Your data doesn't ever leave the devices you own, but your passwords and 2FA codes still sync via its peer-to-peer setup that doesn't require too much manual work on your part. That's great if you're concerned about server security without wanting to lose the convenience of cross-device syncing. Our own Rita wrote an extensive review a few years back, and it's still to the point.
OTPs are displayed alongside your password and account name.
If you'd rather rely on cloud-based software, Bitwarden is a great open-source choice. To use it for 2FA codes, you need to pay for the $10/year premium version, which is incredibly fair compared to other password managers. Once you've got everything set up, you can use Bitwarden to autofill passwords. OTP codes will then be added to your clipboard automatically, so you can just paste them.
LastPass's approach is a little different from other password managers with integrated OTP support. The security company offers a secondary 2FA app that you need to use in tandem with the main password manager application. When you log in to one of your OTP-protected accounts, you'll receive a push notification on your phone, allowing you to seamlessly verify your identity. You can also back up your OTPs to your LastPass account.
Keep in mind that LastPass is changing how its free tier works on March 16, 2021, so it's only really a viable option if you're ready to pay $3 a month for the Premium version.
Of course, this is only a small selection of 2FA apps out there, but we found these to be the most secure solutions that are either very affordable or free. Most password managers have built-in support for 2FA codes, but as we said, it's always a good idea to keep 2FA and passwords separate.
You can find out which of your services support 2FA on the crowdsourced twofactorauth.org website. Tap the "Docs" shortcut in the results to see detailed instructions on how to enable OTP codes for the service in question.
We've updated this article to include Aegis. Thanks, everyone who recommended the app!