Best two-factor authentication apps for iOS 16 in 2023
AppleInsider may earn an affiliate commission on purchases made through links on our site.
To increase security, two-factor authentication requires you to use a personal device other than the one you are signing in on. Here are the best apps for iOS 16.
Given the wide range of security threats and breaches on the internet, it is more important than ever for you to protect your accounts and data online.
Two-factor authentication (2FA) is a way to ensure that only you have access to your accounts by using a second way to verify who you are when you sign in.
In 2FA, you usually log in with your password as usual, but then the online system you log into contacts you back to ask you to verify yourself. This is usually done via an email, or a special one-time code (OTC) sent to you via email, text message, or phone call.
Once you have the OTC in hand, you use it to confirm to the system that you are who you say you are. Once you have entered the code sent to you, authentication is complete and you are authorized to use the system.
Most banks and online payment services like PayPal and auction sites like eBay and others now use 2FA when you log in.
One of the reasons 2FA is more secure than regular passwords is that you need to have the device the secret code is sent to in your possession to complete the login: if someone else tries to log in and claims to be you, they will be denied by the system as they don’t have your phone, tablet or access to your email account.
2FA makes login more secure by requiring an extra step in the login process, sent to you in real time by the system you’re logging into. It’s not foolproof, but it’s much more secure than just a simple password.
Two-factor authentication apps and QR codes
Taking the 2FA idea a step further, there are now a number of apps you can install on your personal device, each of which receives and stores a secret code for every system you want to log into in the future. The codes usually expire quickly so they cannot be stolen and used by others.
The first time you log into each online system, it may ask you to use your mobile device to scan a QR code shown on your computer, or it may send you a 2FA code for future use. Each code is saved in the app for later use.
The 2FA app knows which codes belong to which systems so you don’t have to remember them. Most of the setup is automatic on the backend.
The idea behind 2FA apps is that the app acts as a repository for all your secret codes. The next time you want to log into a given system, you simply look up the code on your mobile device and enter it on your computer, or use it to scan a new QR code presented on the system at the time of login.
The app’s backend infrastructure then notifies the system that you are trying to log in and that you are who you say you are.
2FA apps act as a kind of broker – authentication always happens on a third-party system, never on the system you’re trying to log into. This is considered good security practice.
In most cases, the backend systems involved send an authorization token between each other for the login session. If the token expires, you will probably be prompted to sign in again. All this happens invisibly in the background.
Once you’ve verified your secret code using your 2FA app, its backend tells the system you want to sign in to that everything is OK and to proceed. This is the kind of tokenized sign-in process that happens, for example, when you buy something on eBay and then pay for it with PayPal online.
2FA apps just take a similar system design one step further by storing your secrets to log in.
Which two-factor authentication app is best?
There are dozens of 2FA apps on the market. Some are free; for others you have to pay for a service.
Large internet players such as Google and Microsoft have 2FA apps, as do Oracle, 2Stable, and others. Some 2FA apps, such as Authy, require you to first register on their website and provide personal information, including your phone number. Others do not.
2Stable also offers an Apple Watch authentication app.
Google Authenticator is simple, but doesn’t provide any built-in way to back up 2FA data or secrets.
On iOS, some apps support 2FA as well as Face ID and Touch ID; others do not.
Duo Mobile, which was acquired by Cisco Systems, is intended more for enterprise use.
Note that LastPass has both a 2FA app and a password manager app. The two are different. The password manager is for storing passwords; the 2FA app is for secrets used only in 2FA.
By far the most popular of the free 2FA apps is 2FAS.
2FAS is easy to set up and use, provides a simple drop-down list of timed secrets, and adding new services or sites is a breeze. For example, many web hosting companies now support 2FAS for login authentication, which you only need to set up once.
This usually involves a QR code that is generated automatically when you turn on 2FA in the web hosting control panel, which you then scan with your phone’s camera. 2FAS recognizes the QR code and generates a unique six-digit OTC every 30 seconds for each service when you view the app on your mobile device.
From then on, no one can log into your web hosting account unless they have both your login password and your mobile device. 2FAS also offers an Android version.
Most other sites that support 2FA work in a similar way.
Most of the secret codes stored in 2FA apps expire very quickly – within thirty seconds or so, and then automatically reset in the app. This prevents codes that may have been compromised from remaining valid for very long.
You basically have under one minute to use the codes displayed or they will be invalid. This also prevents others from writing down the codes and using them later.
Apple Watch apps
Some 2FA apps offer an Apple Watch app: as of this writing, Authy and Microsoft Authenticator offer an Apple Watch version of their 2FA apps; Google and LastPass do not.
Most of the 2FA apps support encryption during sync and backup, but surprisingly neither Microsoft Authenticator nor Google Authenticator does at the time of this writing. Some 2FA apps, such as TOTP Authenticator, do, but only during backup.
Two-factor authentication on Mac
As a side note, you can also use 2FA on Mac, using Apple’s login system with Face ID or Touch ID, which is now standard on most Apple devices, including most current Mac keyboards. When you sign in to most Apple online systems, such as Apple ID, a 2FA one-time code (OTC) is generated that you must enter on another Apple device to sign in.
If you only own one Apple device, Apple will send the OTC to that same device, which kind of defeats the purpose if your device falls into the wrong hands. Face ID and Touch ID obviously eliminate this flaw.
Third-party hardware companies such as Yubico sell plug-in USB devices, which use your fingerprint to authenticate you, much like Apple’s Touch ID does.
Google sells similar biometric USB-based keys called the Titan Security Key, which essentially works the same way as the YubiKey.
Hardware biometric authentication is always more secure than pure software authentication because you need to have the physical device – and your fingerprint or face – present to authenticate. Biometrics adds an extra layer of security to 2FA, making it 3FA: you are a third key.
Most of the 2FA apps are on par with each other, except for the minor issues mentioned above. Most don’t have much of a problem – if they did, they’d be considered a security risk and quickly pulled from Apple and Google’s app stores.
The most popular and successful third-party 2FA apps are 2FAS and Authy by a clear margin, with Duo Mobile leading the way for business use.
2FAS and Authy are simple and easy to set up, 2FAS doesn’t require your phone number or an email to set up, and neither app causes problems. Both are fine.
You really can’t go wrong with a 2FA app. If your app doesn’t use real-time codes, just be sure to back up your secrets in a way that allows you to access them later if you need to – if you lose access to your secrets, you’re likely to be locked out of your 2FA-enabled accounts.