Leaks and hacks make it clear that passwords alone don't do enough to protect your online accounts. Multi-factor authentication (MFA, also known as two-factor authentication or 2FA) adds another layer of protection. Here at PCMag, we've been covering security software for more than 30 years. All our in-house experts frequently exhort readers to use MFA. Using an authenticator app is one of the easiest and most secure ways to do this. It's more secure than one-time codes sent to you via SMS, which is riskier than people realize. Note that we do not recommend LastPass Authenticator, as its online backup was compromised in last year's LastPass breach. Nor do we recommend Authy because it's vulnerable to SIM swapping attacks. Keep reading after our list of the best authenticator apps for more on how they work, as well as criteria you should consider when choosing one.
You Can Trust Our Reviews
Deeper Dive: Our Top Tested Picks
Buying Guide: The Best Authenticator Apps for 2026
What Does an Authenticator App Do?
Authenticator apps are a multi-factor authentication method you can use to encrypt your online login credentials.
Simply put, MFA verifies that you're the one logging into your online accounts. It secures your accounts with something physical that's always with you, such as your mobile device or a hardware authenticator key. It's harder for a hacker to access those things than it is for them to get your username and password combination from the dark web. Additional verification can include a code generated by an app on your phone or proving your identity via biometrics, such as a face or fingerprint scan.
All of the authenticator apps on this list generate time-based, one-time passcodes (TOTP or OTP), which are usually six digits that refresh every 30 seconds. Once you set up MFA, just enter the code from your authenticator app on the secure login page. "Time-based" means the code is valid only for a short time (usually under 1 minute), making it hard for anyone to steal it and log into your accounts.
I spoke to the former US Army whistleblower, Chelsea Manning, in 2024, when she was a security consultant at Nym, a VPN provider. She told me that when people encrypt their online data, it becomes a little harder to steal.
"The more layers of encryption, and the better and the stronger your encryption methods are, the more secure data in transit can be," said Manning.
For more, see our article on what MFA is and how to set it up.
What Should I Look for in an Authenticator App?
Data Collection Practices
Authenticator apps don’t have any access to your accounts. After the initial code transfer, they don’t communicate with the download site; they just generate codes. You don’t even need phone service or an internet connection for them to work, which is why we take particular umbrage with authenticator apps that engage in excessive data collection. Data collection veers into "excessive" territory when an app collects data from device categories unrelated to its primary function.
(Credit: Google/PCMag)In the example above, Google Authenticator may collect data from your Contact List and photos. This too much data for an app with a simple purpose.
Backups of Account Info
When choosing an authenticator app, consider whether it saves encrypted backups of your account information in case you lose your phone. All the apps on this list support backups.
Recommended by Our Editors
Exports and Imports
Consider apps that let you take your MFA token list with you when you switch to a new authenticator app. Aegis and Stratum Authenticator both allow customers to export their tokens and import token lists from competing authenticator apps. 2FAS and Google Authenticator allow you to import your old tokens, but if the apps generate export lists, they're app-specific and not easily importable into other apps.
No SMS Codes
One common MFA method is a time-based one-time passcode sent to you by text message, but it's not as secure as an authenticator app or a security key. Thanks to a vulnerability in SMS messaging, crooks can reroute text messages and intercept your codes. We recommend using authenticator apps that do not use SMS codes during setup to authenticate you or your device. Most authenticator apps don't.
What's the Safest Third-Party Authenticator App?
The safety of these apps stems from the developers' underlying principles and protocols rather than any implementation by the individual software makers. In other words, your online safety comes down to your personal decision-making when engaging with apps, browser extensions, or other software. Sometimes it's worth doing some research before trusting the company behind the app that protects your accounts.
For example, an internet search reveals that 2FAS is an open-source authenticator created by a group focused on internet safety. With that knowledge, you may be more inclined to trust that product over an app created by a profit-driven entity such as Google or Microsoft.
Is There Anything Safer Than an Authenticator App?
It's always better to use some kind of MFA than none, and authenticator apps are free, easy to use, and widely available. However, the top option for safety is a dedicated hardware key MFA device. Our top recommendation is the Yubico Security Key C NFC.
(Credit: Kim Key)MFA security keys generate codes that can be transmitted via NFC or plugged into a USB port. Unlike smartphones, they are single-purpose, security-hardened devices that can help secure your Apple, Google, or Microsoft accounts.
Why are they more secure? Though not a common threat, a malware-infested app running on your phone could intercept the authentication codes produced by a phone’s authenticator app. Plus, if you lose your phone, all of your codes go with it. Security keys have neither batteries nor moving parts and are extremely durable—but they’re not as convenient as your phone.
Finally, remember never to install an unknown, unrecommended authenticator app, even if it looks good. Malicious impersonators have appeared on app stores. Stick with the best authenticator apps recommended here from well-known companies.