According to a recent report from Nightwatch Cybersecurity, Google’s Authenticator app for Android comes with an unfixed issue that can create a big security nightmare if you have any malware or otherwise shifty apps installed on your device. (The Microsoft Authenticator app for Android also shares the same issue, so don’t switch to that app either, for now.)
Both apps, as of when we wrote this article, don’t use Android’s FLAG_SECURE window setting, which prevents the contents of an app’s window from being captured, whether by you or by another app. Don’t believe me? Pull up Google Authenticator on Android and take a screenshot by holding the power button + the bottom volume button. Boom. Screenshot. Try that on an app like Authy, and you can hold the buttons for as long as you want—nothing.
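For the curious, here is what opting into that protection looks like on the app side. This is an added Kotlin illustration, not code from Google, Microsoft or Authy; the activity class, layout resource and helper name are hypothetical.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Hypothetical screen that lists a user's one-time codes.
class CodeListActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE must be set before setContentView so that even the
        // first drawn frame is protected. With it set, the system refuses
        // screenshots, screen recording and non-secure display mirroring
        // for this window, and blanks it in the recent-apps switcher.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_code_list) // hypothetical layout
    }
}

// Hypothetical helper for an instrumented test: true when the activity's
// window has FLAG_SECURE set, so a regression that drops the flag is caught.
fun Activity.isScreenCaptureBlocked(): Boolean =
    (window.attributes.flags and WindowManager.LayoutParams.FLAG_SECURE) != 0
```

The flag is per window, so every screen that renders a code (including any dialog or bottom sheet) needs it, not just the main list.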
While Google will surely fix this issue at some point, Authy is a much better app for managing your 2FA codes, anyway. Not only can you secure the app with extra verification steps—so someone fussing with your unlocked device can’t access your codes without your input—but deploying the app on multiple devices is easy. Once you’ve installed the app on a new device and verified that you’re you, all of your 2FA codes synced on your primary device will automatically appear on your new one. Now you have two devices you can use when you’re logging into websites and services, and it took about as much time for you to set up as it takes to download Authy in the first place.
If you don’t want to use Authy for whatever reason, then you should at least test to see whether your authenticator app allows you to take screenshots or not. If yes, consider something else; if no, it’s probably safe(r) to use.