Two-factor authentication is a great tool for adding an extra layer of security to your online accounts. It requires users to provide both their password and a second piece of information (usually an authentication code or one-time password) when logging in to an online account from a new device.
This requirement for a second piece of information can protect your account if your password is breached or leaked. However, not all two-factor authentication methods are created equal.
Short Message Service (SMS)-based two-factor authentication makes your account vulnerable to a range of attacks including Subscriber Identity Module (SIM) swap attacks (where hackers switch your phone number to a SIM card that they control and intercept your two-factor authentication codes), social engineering attacks (where hackers trick you into handing over your two-factor authentication codes), and interception attacks (where hackers intercept two-factor authentication codes at the network level).
Email-based two-factor authentication is also susceptible to social engineering attacks and if a hacker gets access to your email account, they can access two-factor authentication codes linked to your email address.
Fortunately, there are other two-factor authentication methods that aren’t susceptible to these attacks, such as hardware-based two-factor authentication and time-based one-time passwords (TOTP).
In this post, we’ll cover the different types of two-factor authentication tools that are available, the strengths and weaknesses of each method, and list some of the top two-factor authentication tools.
Types of two-factor authentication tools
There are three main types of two-factor authentication tools:
- Hardware keys
- Dedicated TOTP apps
- Apps with a TOTP feature
1. Hardware keys
Hardware keys are necessary for hardware-based two-factor authentication which is the most secure form of two-factor authentication. They work by generating a unique one-time password on a separate device.
Since this one-time password is generated on a separate device and isn’t transmitted via SMS or email, hardware keys protect you from SIM swap attacks, social engineering attacks, email account takeover attacks, and most types of interception attacks. Additionally, they protect you from many types of attacks that involve your computer or phone being compromised.
2. Dedicated TOTP apps
Dedicated TOTP apps generate TOTP codes via an app on your device. These codes change every 30 seconds.
They aren’t as secure as hardware-based two-factor authentication because bad actors can potentially trick you into handing over your TOTP codes during social engineering attacks or infect your device with TOTP-stealing malware. However, they’re still much more secure than SMS and email-based two-factor authentication.
Since the TOTP codes are generated via an app, this form of two-factor authentication protects you from SIM swap attacks, email account takeover attacks, and most types of interception attacks.
3. Apps with a TOTP feature
Some apps, such as password managers and encrypted notes apps, have a feature that lets you generate TOTP codes.
The main benefit of using a password manager with a TOTP feature is that the password manager can protect you from social engineering attacks because the extension or auto-fill feature will only be activated on the genuine domains that you have saved to your database. If a bad actor directs you to a malicious form or domain, the extension or auto-fill won’t activate and this can serve as a warning that a bad actor is attempting to steal your TOTP code.
The main drawback is that your passwords and TOTP codes aren’t separated so if your password manager is compromised, bad actors can access both your passwords and TOTP codes and get access to all of your accounts.
Outside of these benefits and drawbacks, these in-app TOTP features offer the same level of security as dedicated TOTP apps.
The TOTP codes can potentially be stolen via social engineering attacks or malware. However, apps with a TOTP feature are still a much better authentication solution than SMS or email because they can protect you from SIM swap attacks, email account takeover attacks, and most types of interception attacks.
How to check whether an app or website supports two-factor authentication
You can usually check whether an app or website supports two-factor authentication by searching for related keywords (such as “two-factor,” “2FA,” “authentication,” and “TOTP”) in its support documents or looking for the option to enable two-factor authentication in your account settings or security settings.
Additionally, this crowdsourced 2FA Directory lists the types of two-factor authentication that are offered by various apps and websites.
Top two-factor authentication tools
Here are some of the best two-factor authentication hardware keys, dedicated TOTP apps, and apps with a TOTP feature.
YubiKey (hardware key)
YubiKeys are one of the most popular and secure hardware-based two-factor authentication tools on the market. They provide many types of keys to suit your needs including:
- USB-A keys
- USB-C keys
- Lightning keys
- Near-field communication (NFC) keys (which can wirelessly transmit one-time passwords to NFC-enabled devices)
- Biometric authentication keys (which let you protect your YubiKey with fingerprint authentication)
Collectively, the various Yubikeys that are available support a wide range of authentication protocols including:
- FIDO2/WebAuthn
- FIDO U2F
- Smart card
- OpenPGP
- One-time password (OTP)
Once you have the YubiKeys that are compatible with your devices and have set them up, you’ll never have to enter an authentication code on compatible apps or websites. Instead, you just plug it in and press the button on the YubiKey or tap it against an NFC-compatible device whenever you’re prompted to authenticate.
You can get a YubiKey here.
ente Auth (dedicated TOTP app)
An open-source two-factor authentication app from the creators of the ente photos app.
The app is free to use and is currently available on Android and iOS. Desktop versions for Windows, Mac, and Linux are being worked on.
ente Auth offers end-to-end encrypted cloud backups so that you can privately backup your TOTP codes and sync them across devices. The app uses the same encryption protocols as the ente photos app.
It also has easy import and export features that make it easy to switch to and from other authenticator apps or backup your TOTP codes locally.
You can get Ente Authenticator here.
Raivo OTP (dedicated TOTP app)
Update: Raivo announced that it had been acquired by Mobime on July 24, 2023.
A free and lightweight two-factor authenticator that’s available on iPhone, iPad, and Mac.
It’s open-source and can sync codes across supported devices. All of the TOTP codes are end-to-end encrypted with your master password.
Raivo OTP’s other features include search (which makes it easy to find the TOTP code that you need), custom icons for each TOTP code, custom effects, dark mode, and local backup (which lets you quickly create an encrypted backup of your TOTP codes).
You can get Raivo OTP here.
Aegis Authenticator (dedicated TOTP app)
A free, open-source two-factor authentication app for Android.
Its security features include password or biometric app protection (which encrypt the vault) and screen capture prevention.
Aegis Authenticator also offers TOTP code import (which makes it easy to transfer your existing TOTP codes from another app), TOTP export (which lets you manually back up your existing TOTP codes or add them to another app), and automatic vault backup.
The TOTP codes in the app can be customized in various ways. The app offers advanced entry editing, multiple sorting options (including alphabetic and custom), and the ability to group TOTP code entries together.
Additionally, Aegis Authenticator lets you change the look and feel of the app with its icon options (which include auto-generated icons and custom icons) and its themes (which include light, dark, and AMOLED).
Plus, it has a search feature that can be used to quickly find a specific TOTP code.
Aegis Authenticator is available on the Google Play Store and the free and open-source Android app repository F-Droid.
You can get Aegis here.
Bitwarden (password manager with a TOTP feature)
An open-source password manager that has lots of features including a TOTP code generator.
It’s available on all major desktop and mobile platforms including Windows, macOS, Linux, iOS, Android (via Google Play, F-Droid, or as a direct download from GitHub), and the web. Plus, it has browser extensions for all major browsers including Brave, Firefox, Chrome, Safari, Edge, Vivaldi, Opera, and DuckDuckGo for Mac.
Your TOTP codes and any other information in your Bitwarden vault will automatically sync between any devices that have the Bitwarden app or browser extensions installed. All of the data in your Bitwarden vault is protected with end-to-end encryption and you have the option to self-host your vault.
Bitwarden’s browser extension and mobile auto-fill features let you know if the website you’re about to log in to is in your Bitwarden vault — a feature that can prevent you from handing over your TOTP codes to bad actors during social engineering attacks.
Other features include the option to automatically copy TOTP codes to the clipboard, the option to auto-fill TOTP codes, the option to search for specific TOTP codes, a dedicated “Verification Codes” section on mobile (that lists all of your active TOTP codes), and themes (that let you change the look and feel of the app).
You can get Bitwarden here.
KeePassXC (password manager with a TOTP feature)
An open-source password manager for Windows, macOS, and Linux that can generate TOTP codes.
While KeyPassXC doesn’t have official mobile apps, there are several third-party Android and iOS apps that it recommends and some of these clients have TOTP support.
KeePassXC databases are protected with end-to-end encryption and the app lets you choose whether you want to save your TOTP codes and other data offline or online in a cloud storage service.
The app also lets you create multiple databases with unique passwords so if you’d prefer to keep your passwords and TOTP codes separate, you can create a passwords database and a TOTP codes database and protect each database with a unique password.
KeePassXC’s auto-fill features let you know whether the domain you’re attempting to log in to is saved to your database and this can help to alert you when bad actors or malicious domains are attempting to steal your TOTP codes. Plus, these features help to speed up the process of entering TOTP codes on saved domains.
Some of its other features include the ability to search for specific TOTP codes, the ability to export and back up your TOTP codes database in an HTML or CSV format, and the ability to choose custom themes.
You can get KeePassXC here.
Standard Notes (encrypted notes app with a TOTP feature)
An open-source, end-to-end encrypted notes app that can store and generate TOTP codes.
Standard Notes is available on Windows, macOS, Linux, iOS, Android (via Google Play, F-Droid, or as a direct download from GitHub), and the web.
Your TOTP codes and any other data that you save to Standard Notes automatically syncs between any signed-in apps or accounts for easy access on any device. Plus, you can choose whether to save your data on Standard Notes’ servers or host it yourself.
Standard Notes also lets you change the look and feel of the app with themes. It offers a wide range of light, dark, and colorful themes.
You can get Standard Notes here.
Other privacy and security tools
These two-factor authentication tools are just one of the many tools out there that can help boost your privacy and security online. If you’re looking for other tools to enhance your privacy and security, check out these private messaging apps, private email providers, private web browsers, and private search engines.