Online account security is more essential than ever. You should rely on unique passwords for each of your accounts (using a password manager of your choice) and turn on two-factor authentication (2FA) for any service you use that supports it. For most accounts, the second factor is usually a one-time password (OTP) that is automatically regenerated on a regular 30-second schedule. Using this security measure will prevent bad actors from breaching your accounts even if they get hold of your passwords.
Some services offer to send you OTPs via SMS, but you should always opt for proper 2FA apps if you can. Text messages aren’t encrypted and phone numbers can be spoofed, so a sophisticated attacker has no trouble getting past these measures. Luckily, there are quite a few great 2FA apps to choose from.
Standalone 2FA apps
It’s generally a good idea to rely on open-source tools for security — the code is transparent and openly available, so security audits are easy to conduct. That’s why our first recommendation and my personal 2FA manager of choice is andOTP, a fork of the long-inactive OTP Authenticator app. The open-source app might not be the prettiest, but it gets the job done very well. Its storage can be encrypted via password, and it supports encrypted backups. While it doesn’t offer cloud syncing, you can rest assured that your OTPs will never be stored on unknown, potentially insecure servers without your explicit permission. andOTP also saves the secret code you need to use to set up your OTPs, so you can easily switch to another OTP manager if you ever want to without having to go through the setup process for all of your accounts again.
If you don’t value the open-source aspect that much and prefer a 2FA app that automatically and securely syncs over the cloud, Authy might be the service of your choice. Your cloud backup is encrypted by a password and an SMS-based 2FA system, allowing you to seamlessly sync your OTP codes across multiple devices. Authy also has a proprietary 2FA API that some services rely on, so you might be forced to use Authy already anyway.
Authy doesn’t let you recover the secret codes used to set up OTPs, so if you ever want to switch to another manager, you’ll have to set up OTPs again in each of your accounts.
If you don’t want to back up or sync your 2FA codes at all for security reasons, Google Authenticator might be the right choice for you. It supports the usual features and runs locally on your Android phone. While Authy and andOTP have dark modes, Google Authenticator is the only one that switches automatically based on your system theme.
Password managers with integrated 2FA functionality
It’s generally not recommended to store 2FA credentials in the same place as your passwords, as that effectively eliminates the second-factor part of the equation. But as long as you take all imaginable measures to secure your password manager, having all of your credentials in one place is convenient and might encourage you to set up 2FA for more of your accounts, which is more secure than just relying on passwords. You might still want to use a standalone 2FA app for your most important accounts when you go this route.
Here are our favorite solutions for password managers with 2FA support:
Microsoft Authenticator started out as a 2FA app, but the company recently turned it into a full-fledged password manager that syncs with Microsoft Edge when you log in with your Microsoft account. You can still use the Authenticator as a standalone 2FA app by simply not adding passwords if you prefer that. You also don’t have to log in with your Microsoft account if you don’t want or need cloud backups.
MYKI probably isn’t the best-known password manager out there, but it has some unique tricks up its sleeve. Your data doesn’t ever leave the devices you own, but your passwords and 2FA codes still sync via its peer-to-peer setup that doesn’t require manual work on your part. That’s great if you’re concerned about server security without wanting to lose out on the convenience of cross-device syncing. Our own Rita wrote an extensive review a few years back, and it’s still to the point.
OTPs are displayed alongside your password and account name.
If you’d rather rely on cloud-based software, Bitwarden is a great open-source choice. To use it for 2FA codes, you need to pay for the $10/year premium version, which is incredibly fair compared to other password managers. Once you’ve got everything set up, you can use Bitwarden to autofill passwords. OTP codes will then be added to your clipboard automatically, so you can just paste them.
LastPass’s approach is a little different from other password managers with integrated OTP support. The security company offers a secondary 2FA app that you need to use in tandem with the main password manager application. When you log in to one of your OTP-protected accounts, you’ll receive a push notification on your phone, allowing you to seamlessly verify your identity. You can also back up your OTPs to your LastPass account.
Of course, this is only a small selection of the 2FA options out there, but we’ve found these to be the best or most unique ones. Most password managers have built-in support for 2FA codes, and a few services have their own OTP implementations that you can, or must, use instead.
You can find out which of your services support 2FA on the crowdsourced twofactorauth.org website. Tap the “Docs” shortcut in the results to see detailed instructions on how to enable OTP codes for the service in question.