Pros & Cons
Pros
- Attractive apps for Android and iOS
- WatchOS compatible
Cons
- Requires account creation and phone number
- No easy exporting or importing options
- Limited dashboard customization options
Authy Specs
| Available Platforms | Android, iOS |
| Encrypted Backups? | Yes |
| Needed for Signup | Phone number |
Authy has been a powerhouse in the authenticator market for many years, even before its acquisition by Twilio in 2015. Its user interface looks great, and during my latest round of testing, the app performed its promised functions well. In addition, the company has made upgrades to its mobile security infrastructure since my last review, which is enough to raise its score by half a point. That said, Authy requires account creation via a phone number, which is not ideal. It's also not a great app for commitment-phobes, as it can't export your tokens or import new ones, making it difficult to switch to or from a different app. By comparison, 2FAS collects less data and doesn't require an account to work, making it an Editors' Choice winner for authenticator apps.
Getting Started With Authy
Authy is available for Android and iOS devices. I tested the app using an iPhone 16.
To use multi-factor authentication (MFA) with a service that supports it, you only need a simple token generator. Therefore, I don't think you should have to hand over an email address, a phone number, or any other personal information to use an authenticator app.
Authy needs a phone number to work on your mobile device. Luckily, it does not have to be your phone number. Instead, you can enter a fake phone number created using a service like Google Voice, and the app will still work. To compare, all of the other apps in the category will work without creating an account or giving up a phone number.
You can register the app with the same account across multiple devices, though Authy doesn't offer multi-device registration by default for security reasons. You'll need to enable it in the Settings menu. I tested this capability using an Android and an iPhone and was able to use the app seamlessly.
Hands On With Authy
Authy's apps for Android and iOS feature sparse, sleek user interfaces, with each website token's associated logo prominently displayed. There are two ways to view your tokens. If you choose the list view, each will be displayed on the dashboard screen. In grid view, only one token is displayed at a time. You can rearrange the tokens on the dashboard and choose an icon to display, but the app lacks customization options or even the option to hide your codes from someone who may be peeking over your shoulder. You can lock the app using MFA, though. For example, on iOS, you can use Face ID or a passcode to open Authy.
To add a code to your token list, scan a QR code or enter a code manually to register the app for MFA on your preferred website. I enabled MFA for my shopping and social media accounts using Authy without any problems. To use Authy during login, enter the six-digit code displayed on the app dashboard.
Unlike 2FAS and other apps, Authy does not allow you to import tokens from competing authenticator apps. This makes switching from a different authenticator app to Authy pretty time-consuming, especially if you have a lot of accounts.
Here's how to switch from your old authenticator app to Authy:
- Sign in to your online accounts.
- Disable MFA for each platform or website.
- Re-enable MFA.
- Scan the QR code associated with each entry.
If you have MFA codes for all of your online accounts, switching away from Authy will be inconvenient and time-consuming. You also risk locking yourself out of an account if you forget to switch everything in your vault to Authy and delete the old authenticator app. Authy doesn't allow you to export your authentication codes either, so it's as difficult to leave the app as it is to switch to it.
If you're hoping to switch from Authy to a new authenticator app right now, the best time to do so was 30 days ago. That's because when you request to delete your Authy account, Twilio may take up to 30 days to complete the deletion. As of publication time, my test account has not been deleted yet.
Backing Up Account Info With Authy
Once you're all set up, create a backup key to encrypt your tokens. Backing up your tokens is optional. According to a post on Authy's blog, your files are encrypted on your device and then sent to Authy's cloud storage. In the future, I'd like to see an option to back up data to my own secure online storage or online storage that Twilio doesn't control. 2FAS allows backing up to both iCloud and Google Drive.
Security Incidents and Data Collection Policies
In July 2024, Twilio announced that "threat actors" had acquired more than 33 million Authy customers' phone numbers. This came two years after a different security incident compromised Authy customers.
I asked a Twilio spokesperson about updates to Authy since my last review in March 2025, and he said the development team upgraded mobile security measures to "better verify genuine devices, providing a harder defense against account takeovers while keeping the login experience seamless for authentic users." Security improvements are always welcome, which is why I'm raising Authy's score by a half point.
This is a good time to remind you to use authenticator apps with caution. Anyone with access to your tokens may be able to access your accounts.
In addition, some authenticator apps collect more data than others, especially given their highly specific functionality. According to the Google Play Store, the Authy app for Android may collect your email address, location data, and phone number. To compare, Google's Authenticator app collects data from at least six categories, including your phone's Contact list and the photos on your device. Of the apps I've tested, 2FAS, Aegis, and Stratum collect the least customer data.
Final Thoughts
Authy
Authy is easy to use, but it lacks some of the customization, portability, and privacy we've come to expect from modern authenticator apps.