Two-factor authentication is a way of adding an extra layer of security to your accounts. It combines something you know: your user name and password, with something you have: a code that is sent to you by the service, or generated by an app. Since data breaches are so common, and, let’s admit it, many people re-use passwords because good passwords are difficult to remember, the “something you know” may also be in the hands of miscreants.
However, the something you have—the authorization code—cannot be leaked and reused at a later time, because these codes have a very short lifespan (usually a matter of minutes or seconds). Codes sent via SMS could still be intercepted, which is why using an app provides assurance that no one can get at the code you use to confirm your identity. Authenticator apps are easy to set up, and they’re quicker to use, since you don’t have to wait for codes to be sent to you. They can even provide you with access when you can’t receive SMSes.
Two-factor authentication apps are simple and easy to use. You install one on your iOS device, and some also work on the Mac or even the Apple Watch, providing you quick access to codes even if you don’t have your iPhone handy.
Each service sets up 2FA differently, but most provide you with a QR code that you scan with your iOS device’s camera when in the authorization app. This sends specific information to the app that allows it to generate the correct codes.
When you want to log into a service, enter your username and password, and then, when prompted for a code, go to your app and generate one. In most cases, these codes refresh every 30 seconds, and the apps tell you how much time you have left. You can either copy the code to paste into a login screen on your device, or type it on another device, such as your computer.
There are lots of authenticator apps available for iOS; I’m going to look at three of them.
Google Authenticator is popular, simple, and easy to use, but it is quite limited. It’s available for iOS and Android. There are versions of the app for iPhone and iPad, but there is no Apple Watch app.
Unlike the other apps I’ll discuss in this article, it just has one feature: it generates codes. For some people this may be sufficient, but I feel that an app like this should do more.
You can set it up for a number of accounts, but its greatest weakness is that it is inextricably linked to your device, meaning you cannot transfer the information it contains to any other device. This means that if you lose your iPhone, or if your iPhone gets replaced due to a repair, or even if you upgrade to a newer iPhone and restore your data via iCloud or iTunes, unfortunately you cannot rely on Google Authenticator to let you back into your accounts.
Authy goes a lot further than Google Authenticator. There are iOS and Android apps, an Apple Watch app, a desktop app for Mac, and a browser plugin for Chrome. To begin with, Authy requires that you confirm your device via a code sent by SMS or phone call. You are then asked to set up a password for access to your backups; Authy stores encrypted backups of your 2FA services that you can recover on other devices with this password.
Authy presents a list of accounts at the bottom of its display (if you have more than one line of accounts set up, you can expand this display); tap one to generate a code, then tap the small “copy icon” button to copy it to the clipboard.
You can use Authy on multiple devices, and its encrypted backups make it easy to set up Authy on a new device if you’ve lost or replaced yours.
Unlike Google Authenticator or Authy, which only display icons for your services and then generate authentication codes, 1Password manages your 2FA codes along with your username and password.
You can sync your database via the 1Password servers if you use 1Password’s subscription service; if you use the standalone app, you can sync your database via Dropbox. This means that you can generate 2FA codes from any device that 1Password supports: iOS, Android, Mac, and Windows. There is also a 1Password app for Apple Watch which allows you quick access to authorization codes.
The upside to using 1Password for 2FA codes is that it integrates with your other login information. And when you log into a site using 1Password (as opposed to using iCloud Keychain) the app automatically copies a one-time code to your clipboard for 30 seconds, and you can paste it immediately in the required field. If you do sign in with iCloud Keychain—which in many cases is quicker, especially on the Mac—then you’ll need to go to the 1Password app to get your code.
If you use the Apple Watch app, you can choose which of your logins are stored on the watch, and if you have 2FA set up for any accounts then the 1Password Apple Watch app displays them immediately when needed.
Starting with iOS 15 (and macOS Monterey), Apple’s own password manager, iCloud Keychain, now also supports two-factor authentication codes. Most other password managers should support 2FA one-time passwords (OTP) as well.
There are a number of other multi-factor authentication apps for iOS, including Microsoft Authenticator and Okta Verify.
You should use two-factor authentication wherever possible. You can check out the unofficial Two Factor Auth List site for a partial list of some services that work with 2FA apps (look for a check mark in the “Software Token” column, and click on the link under the Docs column for more info about implementing 2FA for that service).
Beyond the three apps I’ve discussed here, you have many choices as to how you can securely generate one-time 2FA codes. If all you want is two-factor codes, Google Authenticator (although popular) is too limited, while Authy is a great choice. But 1Password gives you a lot more flexibility, providing two-factor codes in addition to storing your passwords, and more.
Credits: iPhone image by Rafael Fernandez; 2FA image by EFF.