Pros & Cons
Pros
- No account signup required
- Includes extensions for popular browsers
- Limited data collection
- Helpful video tutorials
Cons
- Lacks support for wearable devices
- Limited exporting capability
2FAS Specs
| Available Platforms | Android, Brave, Chrome, Edge, iOS, Opera, Safari |
| Encrypted Backups? | Yes |
| Importing allowed? | |
| Needed for Signup | N/A |
Data breaches happen every day, which is one reason people keep getting hacked. There's never been a better time to lock down your online accounts using multi-factor authentication (MFA), and using an authenticator app like 2FAS is a good start. It's free, collects minimal user data, works across all your devices, works in your browser, and, unlike some competitors, doesn't require you to create an account to use it. Overall, it measures up as one of the best authenticator apps we've tested, earning it our Editors' Choice award alongside the Android-centric Aegis and Stratum.
Getting Started with 2FAS
2FAS is available for Android and iOS devices. There are also browser extensions for Brave, Chrome, Edge, Firefox, Opera, and Safari. I tested the 2FAS app on an Android device using Google Chrome. Notably, 2FAS doesn't offer apps for watchOS or Wear OS. Of the apps I've reviewed, only Authy offers a wearable device app for watchOS users, and Stratum has an app for Wear OS devices.
Signup Requirements
Authentication requires simple token generation, so it's nice when the associated apps are simple, too. You don't need to hand over an email address, phone number, or any other personal information to use the app, and 2FAS doesn't require you to create an account.
Screenshots are disabled by default in the Android app, but you can enable them for 5 minutes at a time in the Security section of the Settings menu. Lock and unlock the app using a four-digit PIN or biometrics.
Recently, 2FAS added new encryption options for iOS customers. You can choose the default setting, which generates a random key and stores it in your device's Apple Keychain, or you can lock or unlock the app using a PIN or passcode.
Data Collection Practices
Conversely, given their stated functionality, some authenticator apps seem to use more data than their fair share. Both the Android and iOS versions of 2FAS appear to collect only minimal data, with Diagnostic data collection reported for the iOS app but none for the Android version. This is a big difference from Google Authenticator, which collects data from at least six categories, including your phone's Contact list, the photos and videos on your device, plus your phone number and physical address.
Hands On With 2FAS
Every website and online platform does multi-factor authentication a little differently. Luckily, 2FAS offers helpful videos showing how to use the authenticator app with many popular services, including Amazon, Binance, Facebook, Gmail, Instagram, PayPal, and Snapchat.
The 2FAS mobile app has a clean, simple user interface, with red accents on a white background by default. In the Appearance section of the app's Settings menu, you can adjust the app's look by switching the theme to dark or matching it to your device's settings.
I like that you can arrange your tokens alphabetically or in a custom order. Long-pressing on the token on your dashboard opens the customization menu, where you can change the badge color, group, icon, and name for each entry. Create custom groups to further organize your account codes. You can also hide your tokens by default in the Settings menu. This setting prevents snoops from stealing tokens over your shoulder while you enter them.
To use 2FAS to log in to an online account, enter the six-digit code generated by the app. I didn't have trouble attaching the authenticator to my test social media account, and it was easy to log in.
2FAS Browser Extension
The 2FAS authenticator is also available as a browser extension. Here's how it works: When you go to a website with MFA enabled, you'll need to keep your phone with the 2FAS app handy to approve the token request. After you approve it on your phone, you'll copy and paste the token code into the MFA field in the browser.
I tested this feature using Google Chrome. As advertised, I was able to log in to my test accounts without entering an MFA token. I recommend watching this tutorial to learn how to enable custom MFA notifications for your browser. You can't create new tokens using the browser extension. If 2FAS auto-filled the codes, eliminating any interaction with the authenticator beyond an approval request, I'd see more use for the browser extension, but as is, I think the mobile app is more helpful.
If you're holding out for a desktop version of 2FAS, prepare for disappointment. According to 2FAS CEO Marek Bardzinski, storing TOTP secrets on a desktop computer is just asking for trouble. "It weakens the security model of two-factor authentication," said Bardzinski via email. "If a computer becomes compromised by malware, both the password and the 2nd factor could potentially be exposed from the same device."
2FAS's browser extension doesn't share your Secret Key with your computer; it only shares tokens with your phone. But what happens if your browser gets infected with malware? There's a chance that a malicious extension could siphon up all of your browsing data, along with your MFA tokens. To reduce that possibility, frequently check your browser's extensions list, remove any extensions you don't recognize, reset your browser to its default settings, and clear your browser's cache and cookies.
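The difference between exposing a Secret Key and exposing a single token, shown as an added example (not code from 2FAS or the original review): a standard RFC 6238 TOTP generator and verifier in which a captured code stops verifying after a couple of time steps, while the secret keeps producing valid codes. The 30-second period, HMAC-SHA1, the one-step clock tolerance and the RFC test key are assumptions; the review states only that codes are six digits.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 6238, not a real account.
SECRET = b"12345678901234567890"
PERIOD = 30   # seconds per code (RFC 6238 default, assumed here)
DIGITS = 6    # the six-digit codes the review describes


def totp(secret: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept codes from the current step +/- drift_steps."""
    return any(
        hmac.compare_digest(code, totp(secret, unix_time + step * PERIOD))
        for step in range(-drift_steps, drift_steps + 1)
    )


def exposure_demo() -> dict:
    """Compare what a captured code is worth against what the secret is worth."""
    t0 = 1111111109                       # constructed "moment of capture"
    captured = totp(SECRET, t0)           # all a browser-side observer would see
    return {
        "captured_code": captured,
        "code_valid_now": verify(SECRET, captured, t0),
        "code_valid_after_2_min": verify(SECRET, captured, t0 + 120),
        # Anyone holding the secret can mint a valid code for any later time.
        "secret_valid_after_2_min": verify(SECRET, totp(SECRET, t0 + 120), t0 + 120),
    }


if __name__ == "__main__":
    for key, value in exposure_demo().items():
        print(f"{key}: {value}")
```
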
Backing Up Account Information with 2FAS
2FAS can create cloud backups of your MFA tokens, which is crucial if you lose your phone or get a new one. The backup is encrypted; you can only access it from the 2FAS app. For Apple customers, backups are enabled by default and use iCloud Sync. Android users must manually enable Google Drive Sync to back up their tokens. You can add a layer of security to these backup files by setting a custom password in the Settings menu.
Token Exporting and Importing
Looking to switch from your old authenticator app to 2FAS? You can import your old tokens from competing apps, including Aegis, Google Authenticator, and Stratum. 2FAS doesn't generate generic token lists that can be easily imported to other apps, but some apps, like Aegis Authenticator, accept 2FAS export files.
Final Thoughts
2FAS
Authenticating your online accounts is a secure and simple process with open-source 2FAS, which benefits from impressive browser extension performance and minimal mobile app data collection.