The basic foundation of all security online nowadays can be summed up in two features: a strong password and the use of two-factor authentication (2FA). For years, the standard for 2FA authentication has been the Google Authenticator app, but there are security settings you NEED to understand as well as more secure alternatives (such as 2FA keys) that are worth considering.
Key Takeaways
- The Google Authenticator 2FA app is only secure if you enable Privacy Screen and build in a reliable backup.
- The most secure 2FA method uses a physical security key, but for a free option, authenticator apps are recommended over text message-based 2FA, which is vulnerable to SIM swap attacks.
- The best alternatives to Google Authenticator are Authy (free, multi-device, encrypted backups), Aegis Authenticator (open source), and 1Password (paid password manager with 2FA).
- 2FA is crucial for account security beyond just passwords, as it prevents unauthorized access even if passwords are compromised.
As I’ve already shared in my explanation of 2-factor authentication, the process can be accomplished in one of three popular ways:
- SMS Text (least secure)
- Authenticator app (most popular)
- Physical 2FA key (most secure)
When possible, I recommend that you not use SMS text as a means of 2FA verification, since it has been easily hacked using a scam known as the SIM swap.
And since a 2FA key requires you to purchase a physical key, that leaves the authenticator app as the best free option to use here. Here’s how to secure the Google Authenticator app or, if you prefer, move to a secure alternative.
How to Secure the Google Authenticator (2 Steps)
Over the years, Google has thankfully updated and improved their Authenticator app to make it more secure. Specifically, there are two security features you need to be aware of:
- Privacy Screen: You don’t want anybody who steals your phone to be able to access the app that holds all of your 2FA codes. When you click on the three bars on the upper-left of the app and find “Settings,” you’ll find a place to turn on what they call a “Privacy Screen” that requires biometric ID to open the app (fingerprint or Face ID). Anybody who uses Google Authenticator should have this setting turned on.
- Some Form of Backup: Google Authenticator offers you two ways to implement a backup in case your phone is lost. The first is to create a backup QR code. This is done by clicking on the three bars in the upper left and choosing “Transfer accounts.” This will bring you through a simple process to generate a backup QR code. The second option is to back up all of your codes to the cloud via your Google account.
While it may be tempting to allow Google to back up your codes to the cloud, there is risk in doing so. Suddenly, the security that you get from 2FA authentication is no longer confined only to your device. The codes are copied to “the cloud.”
To check your setup, open the Google Authenticator app and look for the cloud symbol toward the top. If it’s green, you’re copying a backup of all your codes to the Google cloud. If it’s grey, you’re not.
Please note: you still need to back up your codes! But controlling those backups is a more secure way to move forward.
Best Alternative 2FA Authenticator Apps
There are quite a few good alternatives to Google Authenticator that offer what is known as time-based one time passcodes, or “TOTP” for short.
While it’s a fairly simple app, its function is vital to your online security, which means it’s equally important that you choose the right one. And thankfully, it’s not too difficult to transfer your Google Authenticator codes to a new app.
Here are the three best options to choose from, along with the reasons why.
Authy (FREE) | Best Overall 2FA App
Authy has long been a favorite alternative 2FA authentication app. Although the app requires that you provide a phone number, which it uses to authenticate any new device that you want to add, the benefit is that you are given the ability to use multiple devices for two-factor authentication.
Authy encrypts the accounts locally before backing them up as an additional security measure, but once you’ve synced devices, you can turn that feature off (and probably should).
The app is available for multiple operating systems including iOS, macOS, Android, Windows, and Chrome OS.
I don’t like that Authy uses your phone number to authenticate new devices, because that leaves your account vulnerable to a SIM swap. If an attacker already has your password as well, they can easily decrypt your backed-up accounts and proceed to hack into them.
The good news is that Authy has a feature that blocks the addition of new devices once you’ve already added all the devices that you’ll be using for 2FA.
The app works even when offline.
1Password (Paid) | Best 2FA in a Password Manager
1Password is a popular password manager but it can also double as a two-factor authentication app. If you are a premium user, then setting up 2FA for various accounts is pretty easy.
Of course, the first step is to enable 2FA on the website you need to protect. The next step is to store the QR code or PIN generated by the website in 1Password. There is a step-by-step process for how to store QR codes or one-time passwords on their support page.
Because your 1Password vault is encrypted and backed up for all your devices, even if you lose your phone, you won’t lose all of your 2FA codes.
While some people might not be comfortable storing their passwords in the same place as their 2FA codes, there’s a level of convenience that comes with 1Password’s autofill feature.
If you are not already using 1Password it may not make sense to use the app for your authentication needs unless you are also in the market for a password manager.
Yubico Authenticator | Hardware-based codes
A hardware-based authenticator app such as the Yubico Authenticator is by far the most secure alternative to Google Authenticator, although it’s also the most inconvenient.
Hardware-based authenticator apps work by storing all codes on the physical YubiKey device. Access to the codes comes when you plug the key into your computer or tap it on your mobile device.
The benefit to this approach is the high level of security. The downside is that it’s difficult to keep a backup of your codes, it’s inconvenient to plug in the key each time you need codes, and each key is only able to store 32 TOTP codes.
This method is recommended only for high threat models and only for those most important accounts.
Why 2FA Authentication is Important
If you are just using your username and password to log in to your account, that account is just a brute-force attack away from being compromised. The hackers only need to guess your password and they are in.
Enabling 2FA will add an extra layer of security to your account so that even if the hackers manage to crack your password, they still need to enter a six-digit code that was sent to your phone.
SMS messages are currently the most popular method to receive the authentication code, but they have become increasingly unsafe now that hackers can easily pull off SIM-swapping attacks. There are also the security and privacy concerns that come with handing over your phone number to organizations.
The best option is to use a physical 2FA key, but if you’d rather not buy a key, the authenticator app option works well.
Be sure to subscribe to the All Things Secured YouTube channel!
Aiah-Z says
Thanks for this article. I’ve been trying to use FIDO & FIDO2 more and more often, but a lot of the sites I use still don’t offer these services. So I’m using Authy & Google Authenticator for most of my sites. Too many sites are so behind the times that they consider offering only Google Authenticator as a 2FA as “cutting-edge.” The latest security just isn’t in their immediate business interests.
I wish I could use Authy for all the sites that offer 2FA, but lots of sites require you to use Google. I also agree with you that having to run downstairs to get my phone, unlock it with PIN, fish out the right authenticator app, navigate to the right site for credentials, memorize the 6-digit code before it’s timed out, run back upstairs, and for Google Auth move the cursor inside their tiny box (why not automatic like Authy??) – all this is a massive inconvenience. Can’t wait ’til security keys’ use is nearly universal.
Josh Summers says
I’m curious – which sites require Google? As far as I know, anywhere that you can use Google Authenticator, you can also use Authy. They run on the same setup, so I’ve never heard of a site having the ability to mandate use of the Google app over another.