Best two-step authentication apps or TOTP generators

  • 2FA apps are differentiated by backup, export, cross-platform, and access security.
  • Bitwarden, Authy, and TOTP Authenticator stand out for their synchronization and autofill.
  • andOTP, Aegis, and FreeOTP are open source Android options with varying levels of functionality.

App authentication

Online security is no longer optional: attacks happen every now and then, and accounts without additional protection are easy targets. Enabling a second verification step with temporary code apps can make all the difference, and Android has a huge ecosystem of options. In this guide, you'll find a complete review of two-factor authentication apps and TOTP generators, with their strengths and limitations, so you can choose wisely and without unpleasant surprises. The idea is that you are clear about what each app offers and how it fits into your daily life.

Throughout this article, you'll see pure 2FA alternatives, password managers with integrated TOTP, cross-platform solutions, and tools designed for businesses or very specific use cases like gaming. We also include practical tips for setup, backup, and recovery. If you already use 2FA, you'll probably discover features you weren't taking advantage of.

What is two-step verification and how does it work?

Two-step verification, also known as 2FA or multi-factor authentication, adds an extra layer to your login: in addition to your password, you enter a code that changes automatically or confirm a prompt. That second factor can be a TOTP code, an SMS, a push notification, biometrics or even a physical key.

The flow is simple: you enter your username and password, the server validates and requests the second factor, the app or device generates or receives the code, and you confirm it. By completing that second step, you prove that you are the rightful owner.

Most used types of second factor

  • SMS or call: convenient but less secure, vulnerable to SIM swapping (SIM-based authentication).
  • TOTP or OTP by software: Time-based, single-use codes generated by apps.
  • Push notification: You confirm with a tap on your phone.
  • Biometrics: fingerprint or face to protect access to the authenticator app (advantages and disadvantages).
  • Hardware token: Physical keys like YubiKey with FIDO2, U2F and OTP.

For most Internet services, the practical standard is a 6-digit TOTP that rotates every 30 seconds. The apps in this guide focus on that scenario, with nuances depending on the provider.

Key recommendations before choosing a 2FA app

Consider what you need: cloud syncing, export and import, cross-platform support, account-free use, a minimal interface, or advanced organizational features. Also consider whether you want to separate your password manager from your authenticator or prefer an all-in-one.

Very important: Do not delete 2FA accounts from the app without first disabling verification in the corresponding service. If you remove the token from the authenticator without disabling 2FA on the web, you may get locked out.

The best authentication apps and TOTP generators

Google Authenticator

Available on Android and iOS, it's the benchmark for simplicity. It allows you to export and import all tokens at once using a QR code, and on iOS, it includes search and protection with Face ID or Touch ID. Historically it didn't offer cloud backup, but now it can sync codes across multiple devices with your Google account, encrypted in transit and at rest.

  • Pros: No account required, simple interface, bulk export, iOS search, privacy screen option to require PIN or biometrics.
  • Against: On Android, access protection can be limited, it doesn't always hide on-screen codes, and it relies on the system clock for TOTPs to match.

Useful setup and management: You can sort codes by dragging and dropping, edit labels, delete entries, and transfer them between devices. If you lose your phone, remotely wipe or delete synced codes from your account. If you use no-account mode, you will need to migrate manually using the export feature.

Microsoft Authenticator

It works on Android and iOS, and shines if you use Microsoft accounts thanks to simplified login with approvals. It hides codes, protects access with PIN or biometrics, and supports cloud backup. On the downside, backup between iOS and Android is incompatible and the app takes up significantly more space than lightweight alternatives.

  • Pros: Robust access protection, cloud sync, Apple Watch support on iOS, seamless experience with Microsoft accounts.
  • Against: Cross-platform copy incompatibility, does not allow exporting or importing tokens to a file, large size.

Twilio Authy

Truly cross-platform: Android, iOS, Windows, macOS, and Linux with syncing across all. It requires creating an account linked to a phone number. The mobile interface displays a prominent token and the rest as icons, which isn't ideal if you have multiple accounts. It doesn't allow exporting to a file and the active code can't be hidden, but its ecosystem and backups are top-notch.

  • Pros: Backup and sync, apps for all systems, search, and Apple Watch support on iOS.
  • Against: Required registration with a phone number, UX showing one token at a time, no token export, and no way to hide the current code.

Duo Mobile

Very popular in corporate environments, with Android and iOS, a clean interface, and hideable codes. It doesn't require creating an account; copies use Google Cloud on Android and iCloud on iOS, but they don't mix with each other. It does not allow token export and lacks built-in access blocking, something to keep in mind if you share a device.

  • Pros: Simple, hides codes, no account required, cloud backups, and Apple Watch support.
  • Against: No access protection, incompatible copies between iOS and Android, no export or import to file.

FreeOTP

Open source project for Android and iOS. Extremely minimalist and ultra-lightweight. iOS only supports QR codes for adding tokens, while Android allows you to create manual tokens with advanced parameters such as TOTP or HOTP, digits, algorithm, and period. It doesn't have cloud sync or token export, and access control is basic, although on iOS you can protect tokens with Face ID or Touch ID.

  • Pros: no account, lightweight, hidden codes by default and auto-hiding after inactivity, search on iOS.
  • Against: no export or import, no cloud copy, iOS does not allow manual registration using a secret key.

andOTP

Exclusive to Android, free, and open source. It includes tags, search, code hiding, and advanced security features. It lets you view the secret key or QR code for each token, and export them all to an encrypted file in Google Drive with one tap. It can be locked with a password or fingerprint, set up auto-lock, and has a panic button to erase everything if you need to.

  • Pros: Encrypted copies, view secret or QR, powerful organization, flexible locking and auto-hide.
  • Against: Android only, and according to sources, the project is no longer receiving new features, so it is advisable to monitor its maintenance in the future.

Aegis Authenticator

Another free and open-source Android option with robust encryption, backups, and biometric protection. It supports most 2FA formats and offers easy management. Some advanced features are geared towards users with rooted devices, so not everyone will take advantage of them.

  • Pros: open source, encryption, biometrics and native backups.
  • Against: Only Android and certain more technical options require advanced knowledge.

2FAS (2FA Authenticator)

Free app with a clear interface, end-to-end encryption, offline support, and no ads. It allows you to add tokens via key or QR code, sync with Google Drive, and create backups so you don't lose codes when changing phones. It includes PIN or biometrics and offers a browser extension, although it is not among the apps with the most extras.

  • Pros: Free, no ads, E2E encryption, backups and offline support.
  • Against: fewer advanced features than more comprehensive alternatives.

Authenticator App for the Apple ecosystem

Paid app with a limited free version. It includes encryption, Face ID locking, and extensions for modern browsers like Safari, Chrome, Brave, Vivaldi, and even Tor. If you pay, you enable backup and sync, plus family sharing options.

  • Pros: Well integrated into iOS and macOS, many extensions and biometric security.
  • Against: the free version is cut down, and key features are only available after payment.

OTP Auth (iOS and macOS)

It takes advantage of the Apple ecosystem with iCloud Backup and apps for macOS and Apple Watch. It lets you view the secret or QR code of any token, export all tokens to a file, organize them into folders, and even adjust the font size. It cannot hide codes, and some icon customization options are left for the paid version.

  • Pros: iCloud sync, full export, folder structure, Apple Watch, and format editing.
  • Against: no hidden codes, certain features are paid and only available in the Apple ecosystem.

Step Two

Minimalist on iOS and macOS, with iCloud sync and Apple Watch support. On macOS, it can scan QR codes via screenshots with your permission. It does not include access protection, does not hide codes or allow export and import, and limits you to ten tokens in the free version.

  • Pros: simple, no account, iCloud and search by name.
  • Against: No blocking, no export, visible codes, and token cap in the free version.

WinAuth

Designed for Windows and highly appreciated by gamers, it allows non-standard tokens from Steam, Battle.net, or publisher-specific services. It also generates standard TOTPs for common networks and services. It protects access with a password or YubiKey, hides codes by default, exports in plain text or encrypted form, and can read QR codes from local files or links.

  • Pros: Gaming token support, flexible encryption and export, auto-cloaking, and portable options.
  • Against: Windows only, not ideal for using the authenticator on a general-purpose PC, and for Steam you must enter credentials during setup.

Protectimus Smart OTP

Complete and available on Android and iOS, with multi-protocol support and PIN protection. On Android, it's compatible with smartwatches for accessing codes from your wrist. A versatile alternative if you want to cover different platforms and usage modes.

TOTP Authenticator (BinaryBoot)

It generates TOTP codes and is packed with extras like cloud syncing to Google Drive for backups, change history, tags for organization, multiple widgets, and dark mode. It offers a browser extension to push the code to the desktop, icon customization, and biometric or PIN protection. Includes encrypted exports and cross-platform options for moving data between Android and iOS.

  • Pros: Optional Cloud Sync, multi-device, widgets, tags, extensions, and screenshot blocking.
  • Against: Some features like cloud sync are premium, though the core is very solid.

Generic authenticator with TOTP and HOTP

There are authentication apps that combine TOTP and HOTP, with support for SHA1, SHA256, and SHA512, 30- or 60-second tokens, password protection, capture control, and a strong password generator. If you're looking for something straightforward on Android with built-in QR and visual customization options, this might be a good fit.

1Password with built-in two-step verification

It's not a pure authenticator; it's a premium password manager that adds TOTP to every compatible entry. It's available for all platforms, and the appeal is having the username, password, and verification code all in one place. Ideal if you already manage your digital life in 1Password and want to autofill codes as well.

Bitwarden with TOTP

Open source and free for individual use, with a very affordable annual payment option that activates the built-in TOTP generator. The codes are auto-completed on websites and apps from extensions and mobile devices. It allows you to add the secret with the camera icon in the extension, enter keys manually, view and copy the code and even customize parameters using otpauth URIs.

  • Configuration: Edit the item, scan the QR code with the TOTP button, or paste the code on your mobile with Configure TOTP and Add TOTP.
  • Autofill: Extensions copy the TOTP to the clipboard after filling it out; on mobile, they copy it after autocomplete.
  • Time synchronization: If the codes fail, check the system's automatic time to re-align it.
  • Customization: The default is 6 digits with SHA-1 every 30 s; adjustable by modifying the otpauth URI in the item.
  • iOS Integration: On iOS 16 or higher, you can set Bitwarden as your default app for capturing QR codes from your camera.
  • Microsoft: During signup, choose a different authenticator app to use Bitwarden instead of the Microsoft app.
  • Steam: generates codes with a steam:// prefix; they will be five-character alphanumeric codes.

If you like to centralize credentials and codes, it is a very efficient option. Remember to protect access to your vault and enable 2FA in Bitwarden itself.

LastPass Authenticator

Standalone LastPass app with one-touch push notifications, cloud backup, and smartwatch support. Available on Android, iOS, and Windows. The brand is shadowed by past security incidents, so weigh the pros and cons before adopting it.

Built-in authenticator for iOS and macOS

On iPhone starting with iOS 15 and in Safari 15 on Mac, you have a code generator built into the Passwords section. It syncs with iCloud, supports autofill, and lets you add tokens by scanning with the iPhone camera. Although the idea is convenient, it has limitations: it is difficult to find, it shows a token on the screen, it does not hide codes, it does not export, and even on iOS the password can be seen next to the code.

YubiKey and hardware tokens

If you're looking for the ultimate in security, a physical key like the YubiKey is the gold standard. They're battery-free, highly durable, and support FIDO2, U2F, OTP, and smart cards, among others. They integrate with popular services and some have FIPS-certified editions.

Institutional and desktop recommendations

Some organizations recommend specific solutions depending on the system. For example, Microsoft Authenticator for mobile devices, FortiToken Mobile II for Windows, and KeePassXC for Linux or macOS are suggested as open options that combine an OTP manager and generator. If you're looking for isolation, check out Graphene OS. If you already use another authenticator, you don't have to change, and there are usually desktop versions when mobile is not possible.

Best practices, backups and recovery

Combine apps if you need to: one for work, another for personal accounts, or a minimalist one on your watch and a complete one on your phone. Always activate PIN or biometric lock in the app, especially if it allows exporting or viewing secrets.

Back up your tokens when the app allows it, or keep recovery codes and secret keys, as explained by services like Dropbox on two-step confirmation. For apps without export, native app or system backup and restore is your lifeline when switching phones.

If a code doesn't work, check that you entered it within the active time, that it corresponds to the correct service, and that your device's time is properly synchronized. Clock desynchronization is a common cause of TOTP errors.
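To make the clock dependency concrete, the following added example (not code from any of the apps reviewed here) derives a code from an otpauth URI using the 6-digit, SHA-1, 30-second defaults mentioned in the Bitwarden section, then checks codes produced by a phone whose clock has drifted. The sample URI, the function names and the one-step acceptance window are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample URI; the secret is the RFC 6238 test key, not a real account.
URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

def parse_otpauth(uri):
    """Return (key, digits, period, digest) with the 6-digit/SHA-1/30 s defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # apps usually strip base32 padding
    algo = q.get("algorithm", "SHA1").upper()
    if algo not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm: " + algo)
    return (base64.b32decode(secret), int(q.get("digits", 6)),
            int(q.get("period", 30)), getattr(hashlib, algo.lower()))

def totp(uri, unix_time):
    """RFC 6238 code for the time step that contains unix_time."""
    key, digits, period, digest = parse_otpauth(uri)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(uri, code, server_time, window=1):
    """Server-side check; window=1 (assumed) accepts the adjacent time steps."""
    period = parse_otpauth(uri)[2]
    return any(hmac.compare_digest(totp(uri, server_time + i * period), code)
               for i in range(-window, window + 1))

def demo(server_time=59):
    """Codes from a phone whose clock runs 0 s, 20 s and 120 s ahead of the server."""
    return {drift: verify(URI, totp(URI, server_time + drift), server_time)
            for drift in (0, 20, 120)}

if __name__ == "__main__":
    print(totp(URI, 59), demo())
```

A drift of 20 seconds still lands inside an accepted time step, while 120 seconds does not, which is why re-enabling automatic time on the device fixes most rejected codes.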

If you lose your phone, remotely wipe it if possible. If your codes were synced to your carrier account, remove them by unlinking the device. If not, visit the services where you used 2FA and relink with the new phone. Acting quickly reduces the risk of unauthorized access.

Which app to choose according to your profile

  • Minimalism and lightness: FreeOTP or Step Two if you're on Apple and basic features are fine for you.
  • Powerful open source Android: andOTP or Aegis with encrypted backups and fine-grained organization.
  • Cross-platform with synchronization: Twilio Authy or TOTP Authenticator with Cloud Sync.
  • All in one: Bitwarden or 1Password to autofill credentials and codes.
  • Gaming and Windows: WinAuth for its support for non-standard tokens.
  • Corporate environments: Duo Mobile and Microsoft Authenticator for their integration and policies.

Whatever your choice, the key is to protect access to the app, plan backups, and understand its limits. With a little bit of organization, 2FA gives you a huge leap in security without complicating your life.
