The increasing frequency of cyber attacks has shown that single-layer account protection – the username and password combination – is no longer enough. Take the phishing attack targeting Gmail users, for example, in which cyber criminals obtained the credentials of one million users. That means two things:
- If the user has used the same password with another service, hackers can easily log in and take over that account.
- Hackers can access the user’s Gmail account and all services tied to it, unless Google’s two-step verification is active.
The Second Step in the Authentication Process
The second layer in authentication security takes the form of a six- or eight-digit passcode generated by a software or hardware token, or sent via SMS. In some cases an option to receive a phone call is also available. Of these, SMS and voice delivery are the weakest: the code travels over the phone network and can be intercepted by an attacker who has taken over the victim's phone number (a SIM swap), so a token that generates the code on the device itself is preferable wherever the service offers one.
The most widely adopted two-step verification method is a time-based one-time passcode (TOTP) generated by a software token. It is the most convenient and easiest to deploy because it runs on hardware the user already owns. The app is linked to a service either by scanning a QR code displayed on the website or by typing the secret key into the authentication app manually; either way, the app and the service end up sharing the same secret, from which both compute the passcode for the current time. Once the secret is shared, the login process requires two steps:
- Entry of username and password.
- Confirmation of the one-time passcode generated by the software token.
Without the latter, a stolen or reused password alone is not enough to sign into your Gmail account or any other service that supports the second layer. One caveat: a TOTP code is still phishable if the attacker relays it to the real site within its validity window (typically 30 seconds), so the second step defends against password theft and reuse rather than against every phishing attack. To help you protect your digital self, here are the most reliable software tokens, their features, and supported platforms.
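The two steps above come down to one shared secret and two standard algorithms: HOTP (RFC 4226), which derives a code from a counter, and TOTP (RFC 6238), which uses the current time divided into fixed periods as that counter. The TOTP/HOTP support, choice of SHA-1, SHA-256 or SHA-512, configurable code lifespan and six-to-eight-digit codes listed for the apps below are all parameters of this one construction. The Python below is an added worked example written for this page, not code from any of the apps reviewed here: it parses the otpauth:// "Key URI" that a setup QR code encodes (the same Base32 secret a user would type in manually), generates codes, and shows the server-side check with a small clock-drift window. The sample URI, its Example issuer and alice label are constructed for illustration; the secret inside it is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions named by the otpauth "algorithm" parameter (SHA1 is the default everywhere).
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros, e.g. "07081804"


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole periods since the Unix epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that a setup QR code encodes and return the account parameters.

    The Base32 'secret' parameter is the same text a user would type when entering the key manually.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here (HOTP URIs carry a counter instead)")
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                     # secrets in QR codes are often unpadded
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": ALGORITHMS[algorithm],
    }


def verify_totp(account: dict, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current time step and `window` steps on either side, to tolerate
    clock drift between phone and server, and compares in constant time so that response timing
    does not leak how many leading digits matched.
    """
    if len(submitted) != account["digits"] or not submitted.isascii():
        return False
    step = unix_time // account["period"]
    for drift in range(-window, window + 1):
        expected = hotp(account["secret"], step + drift, account["digits"], account["algorithm"])
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32, wrapped in a
# Key URI of the kind a website would show as a QR code. The label and issuer are made up.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")

if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    now = int(time.time())
    code = totp(account["secret"], now, account["digits"], account["period"], account["algorithm"])
    print(f"{account['issuer']} / {account['label']}: {code} "
          f"(valid for {account['period'] - now % account['period']} more seconds)")
    print("server accepts it:", verify_totp(account, code, now))
```

Two details matter in practice. A server must accept a window of neighbouring steps or users with a phone clock a few seconds off will be locked out, but the window should stay small (one step either side) because every extra step gives an attacker another valid code. And since the server holds the same secret as the phone, a breach of the server's TOTP secret store lets the attacker generate codes for every user; the secrets deserve the same protection as password hashes, even though, unlike passwords, they cannot be stored hashed.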
Unfortunately, not all internet-based services support 2FA, but it’s always worth sending them a note telling them that it's time to up the ante when it comes to security – who knows, they might actually sit up and take note.
The most widespread and best-known software token is Google Authenticator. The app offers a clean, user-friendly interface for delivering time-based one-time passcodes (TOTP) for the linked services.
- Supports both six- and eight-digit passcodes.
- TOTP and HOTP (counter-based) algorithm support.
- No internet connection needed: codes are computed on the device from the shared secret and the current time.
- Available for Android, BlackBerry and iOS platforms.
Alongside generating six- and eight-digit OTPs, one standout feature of Authy is its desktop support, a considerable bonus compared to Google Authenticator and other TOTP apps, which are usually only available for mobile devices.
- Touch ID, PIN or password protection.
- Multi-device synchronization.
- Encrypted backups in the cloud.
- Keeps tokens safe with three different types of passwords: backup passwords, master passwords, and PIN protection.
- Three different types of authentication: Authy OneCode, Authy SoftToken and Authy OneTouch.
- Available for iOS, watchOS, macOS, Android, Windows (desktop), and it even has a Chrome extension.
Although Microsoft Authenticator works with services beyond Microsoft's own platform, its most convenient feature, single sign-on, is tied to the Microsoft ecosystem. Access to the app is protected by Touch ID, Face ID, or a PIN.
- Push notifications to approve or deny sign-in attempts, blocking unauthorized access.
- Phone sign-in support for web apps and services powered by personal Microsoft accounts.
- Backup and recovery of account credentials and related app settings (iOS only).
- Available for Android, iOS and Windows Phone.
Alongside the features that other multi-factor authentication apps share, there are a handful of reasons to download Sophos Authenticator.
- Compatible with a wide variety of online services, such as Google, Dropbox, Facebook, and more.
- Uses different hash algorithms: SHA-1, SHA-256, and SHA-512.
- Customizable validity period (time step) of one-time passcodes.
- Generated codes can be six to eight digits long.
- Available for Android and iOS.
Developed by the password manager of the same name, LastPass Authenticator is used to log into online accounts that support 2FA. Alongside the regular features of such software tokens, a handful of reasons make this service a good pick.
- One-tap authentication for users to log into their LastPass, Dropbox, Google, Amazon, Facebook or Evernote accounts via push notification displayed in the LastPass Authenticator app.
- Android Wear compatible.
- Encrypted backups to restore tokens on a new or reinstalled device.
- Available for Android, Windows Phone and iOS.
These are the top five apps that Best Reviews recommends. Of course, the mobile app storefronts on Google Play and the App Store will no doubt provide many more results when searching for TOTP authenticators. As always, be sure to check the web service for compatible apps first before you clog your smartphone with multi-factor authentication apps.