Two-factor authentication is one of the most important things you can do to protect yourself against getting your accounts hacked, and you should enable it now if you haven't already. Authy is our favourite two-factor app on the block.
When you first enable two-factor authentication on websites such as Gmail, LastPass or Facebook, they will set you up using SMS as your second factor. So the next time you log into Facebook, you'll receive a six-digit code as a text message whenever you try to log in. However, there are other ways to set up two-factor authentication -- most notably, with an app that generates the codes for you.
You may have heard of these apps before, and a lot of the sites you use probably support them. They're handy because you don't have to rely on an incoming SMS message to log in -- just open the app, and your codes are there waiting for you. In a lot of cases, they will even work if you don't have an internet connection. Some of these apps do even more -- like automatically log you in if your phone is near your computer. But our favourite is Authy -- here's why.
Platform: Android, iOS, Chrome, OS X Price: Free Download Page
- Supports a lot of apps, including all those supported by Google Authenticator: Gmail, LastPass, Evernote, Dropbox, Facebook and heaps more
- Install Authy on multiple devices including your phone, tablet and PC, and sync your tokens between them
- Backup your accounts to the cloud (optional, turned off by default)
- Get tokens offline or when you don't have good service
- Lock Authy behind a PIN or Touch ID, so that even if your phone is stolen, your tokens aren't left out in the open
- Use it in conjunction with the Mac app, which automatically bypasses Authy if your phone is in Bluetooth range
Where It Excels
When it comes to two-factor authentication apps, most are quite similar and support the same Google Authenticator-enabled services. Two main things set Authy apart: its ability to PIN or Touch ID-lock the app (which alone makes it our favourite) and its ability to sync to the cloud and between devices. That means if you don't have your phone nearby, your tablet or computer work just as well. And, before you think installing Authy on a computer is insecure, keep in mind it's really no different than installing Authy on your phone -- the goal is to keep your devices out of thieves' hands, so that even if they get your passwords, they can't log into your account. It doesn't matter whether that device is a PC or a phone (and in fact, a phone is easier to steal).
Where It Falls Short
Some people may not want to sync their accounts to Authy's servers, since it puts it in the hands of someone else. Authy encrypts everything locally on your phone so they never see it, but some people may prefer not to sync their accounts to Authy's servers. This is hardly a con of the app though since this feature comes turned off, and it's completely optional. Even if you don't sync your tokens to the cloud, having the PIN lock and the ability to install Authy on your computer is totally worth picking it over other apps.
Some users have also had some quirkiness with Authy's syncing and its Bluetooth feature on the Mac, but I haven't experienced these myself. We're also not a huge fan of Authy's most recent grid-based iOS design, but that's a fairly small quibble.
The most obvious competition to Authy is Google Authenticator, the app that started it all. Google Authenticator works great, it's free, it's from a company you know, and it's easy to set up. It is, however, the most basic of the options out there, so you won't get any extra features here -- just basic two-factor tokens for lots of accounts.
FreeOTP is similar to Google Authenticator with a slightly nicer UI and an open source codebase. If you prefer open source when it comes to security, FreeOTP will do the trick.
Toopher supports every site that Google Authenticator does, but with a few extra features for its partner sites, including LastPass, WordPress and MailChimp. When you log in to a Toopher partner -- say, LastPass -- your phone will get a push notification with details on the account, browser, and computer requesting the login, and you can choose to allow it or deny it -- no six-digit code necessary. You can also choose to bypass two-factor authentication when you're in a trusted location, such as at home. Toopher says this shouldn't drain battery very much, since location services are only called upon when you get a push notification.
Lastly, you have the option of skipping apps entirely and just using SMS. SMS works fine, but it doesn't work when your phone's offline or doesn't have good service -- a problem I've encountered more than a few times. However, SMS will work as long as you have your number -- whereas any of the above apps will stop working if you lose your phone or it gets its data wiped.
Lifehacker's App Directory recommends the best applications and tools across multiple platforms.