Two-Factor Authentication (2FA), or more generally Multi-Factor Authentication (MFA), adds a second layer of protection on top of the first factor you are already using, which is very often a password.
In general it is recommended to protect your accounts at online services with a second factor even if you choose a strong password, because you do not know whether a service will be breached at some point, nor whether it stores your password properly hashed and salted.
One 2FA method is an authenticator app such as Google Authenticator. These apps generate a Time-Based One-Time Password (TOTP): a short code that is only valid for a brief period, usually 30 seconds. Each code is derived from the current time and a secret (the seed) that was shared once between the server and the app, typically by scanning a QR code during enrollment. Because both sides derive the code from the same seed and the same clock, the app needs no network connection, only a reasonably accurate clock.
The mechanism is the OATH TOTP standard (RFC 6238), which builds on HOTP (RFC 4226): an HMAC over the seed and a counter is truncated to six (sometimes eight) digits, and for TOTP the counter is simply the number of 30-second steps since the Unix epoch. Because it is standards-based, Google Authenticator is by no means the only authenticator app you can use. In fact, there are plenty to choose from:
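To make the mechanism concrete, here is an added example (not code from the article or from any of the apps it mentions) of HOTP and TOTP exactly as RFC 4226 and RFC 6238 define them, plus the server-side verification step with a small clock-skew window. The seed used in the `__main__` block is the RFC 6238 test seed, so the 8-digit code printed for time 59 can be checked against the RFC's own table.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example: RFC 4226 HOTP and RFC 6238 TOTP, as both the authenticator app and
# the server compute them. Not code from the article or from any app mentioned in it.


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = number of `period`-second steps since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, digestmod)


def decode_seed(b32: str) -> bytes:
    """Seeds are shown to users as base32, often unpadded, lower case or grouped with spaces."""
    compact = b32.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)                      # restore the padding the decoder expects
    return base64.b32decode(compact)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Accepts the current step and `window` steps either side to tolerate
    clock skew; returns the matching step (so the caller can refuse a replay of that step)
    or None when the code is wrong."""
    if at is None:
        at = int(time.time())
    step = at // period
    for delta in range(-window, window + 1):
        candidate = step + delta
        # constant-time comparison: do not leak how many leading digits were right
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed: the ASCII string "12345678901234567890"
    seed = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(seed, at=59, digits=8))            # 94287082, as listed in RFC 6238
    print(totp(seed))                             # the 6-digit code an app would show right now
```

Two details matter in practice: the comparison is constant-time, and `verify_totp` hands back the step that matched so a server can remember it and reject the same code a second time within the window; without that, a code phished or shoulder-surfed seconds ago is still accepted.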
Google Authenticator, Microsoft Authenticator, Duo, 1Password, LastPass Authenticator, Twilio Authy, Aegis, FreeOTP and many more.
Many people do not know about these lesser-known but good alternatives, which is why I decided to write this article and point them out.
So, which one to choose?
Since I’m an Android user, my app of choice is Aegis. The criteria below also cover OTP Auth, the iOS app that meets them.
My main criteria for choosing an app are: no vendor or app lock-in, and an easy way to back up or export the secrets or seeds. In addition, the app should respect my privacy and not sync my data to any server unless I want it to, or unless I can choose the server.
- Pricing & Open Source: if an app is free, the hurdle to adopting MFA is low. If it is open source, everybody, including security researchers, can read the code and check for and report issues. Aegis is open source; OTP Auth is not, but it is free.
- Offline Access: the app should work offline. Some apps, such as Duo and 1Password, require online access, which can get in the way (think of being in another country without Wi-Fi or mobile roaming). Aegis and OTP Auth do not require online access, and since TOTP needs only the seed and the clock, there is no technical reason an authenticator should.
- Passcode Protection & Biometric Lock: the app should let you lock access to it with a passcode or biometrics. Aegis and OTP Auth offer both.
- Backup/Restore or Import/Export: many solutions offer a way to back up and restore codes, but a lot of them only allow backups into their own cloud and ecosystem (e.g. Authy, Google Authenticator). This creates vendor lock-in. A better approach is to let the user choose where the backup goes; Aegis and OTP Auth both do. Keep in mind that a backup contains the raw seeds, so treat it like a password database: keep it encrypted and off shared or synced storage you do not control. If your Android device is rooted, you can even import into Aegis directly from Google Authenticator, Microsoft Authenticator, Authy, FreeOTP, Steam and TOTP Authenticator.
- UI / Search: the user interface should be slick, and a search or filter function should be available, because once you have more than a handful of entries it is not easy to find the right one quickly. Both Aegis and OTP Auth provide this. With respect to UI/UX, it is worth noting that OTP Auth has Apple Watch support.
- Privacy: neither Aegis nor OTP Auth sends your data to any server behind the scenes. OTP Auth explicitly states on its website: “OTP Auth fully respects your privacy. Your accounts are not sent to any server, no ads are shown and no usage data is collected.”
Both recommended apps are available at:
A note on Google Authenticator and Authy, as they are quite popular: Google Authenticator does not let you extract the secrets/seeds, which is why I’m not in favor of it.
Authy does not officially offer a way to extract secrets either; however, there is a workaround via the Authy Desktop app, should you decide to migrate to a different app (such as Aegis or OTP Auth). I tested this workaround and it works as expected; I had used Authy in the past, prior to Aegis. Another thing I dislike about Authy is that it requires you to provide your phone number in order to use the app.
Migrating to a different app or switching phones is not the only reason you might at some point want access to the initial secrets. Another use case is automation: if you drive an authenticated service with RPA (Robotic Process Automation) bots, the bot needs the secret to solve the MFA challenge itself. That is only relevant for more technical users, but it is a use case I came across myself. Bear in mind that a bot holding the seed effectively holds a second password for that account, so store it in a secrets manager with the same care as the first factor. Either way, you want the freedom to access these secrets in case you need them.
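Whether you are migrating between apps or handing a seed to an automation, the thing being moved is almost always an `otpauth://` key URI, the same format a QR enrollment code encodes. The following is an added example (not code from the article, and not the export or import code of Aegis, OTP Auth or any other app) that parses such a URI into its parts, validates the base32 seed, digit count and algorithm, and re-emits a URI for import elsewhere. It assumes the de facto Key URI layout `otpauth://TYPE/ISSUER:ACCOUNT?secret=...&issuer=...&algorithm=...&digits=...&period=...` (or `counter=...` for HOTP); the sample URIs in the tests are constructed for the example.

```python
import base64
import urllib.parse
from dataclasses import dataclass

# Added example: parse and re-emit otpauth:// key URIs, the format QR enrollment codes
# and plain-text exports carry. Not code from the article or from any app it mentions.
# Assumes the de facto Key URI format: otpauth://TYPE/LABEL?secret=...&issuer=...&...

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


@dataclass
class OtpEntry:
    otp_type: str          # "totp" or "hotp"
    account: str           # e.g. the e-mail address or user name
    issuer: str            # service name; "" if absent
    secret: bytes          # raw seed: this is the sensitive part
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30       # TOTP only
    counter: int = 0       # HOTP only


def decode_seed(b32: str) -> bytes:
    """Accept the unpadded, lower-case or space-grouped base32 that apps display."""
    compact = b32.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)
    return base64.b32decode(compact)                          # raises ValueError on bad input


def parse_otpauth(uri: str) -> OtpEntry:
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    if not params.get("secret"):
        raise ValueError("missing secret")
    label = urllib.parse.unquote(parts.path.lstrip("/"))
    if ":" in label:
        label_issuer, account = label.split(":", 1)            # "Issuer:account" convention
    else:
        label_issuer, account = "", label
    issuer = params.get("issuer", label_issuer).strip()       # the issuer parameter wins if present
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digit count {digits}")
    entry = OtpEntry(parts.netloc, account.strip(), issuer,
                     decode_seed(params["secret"]), algorithm, digits)
    if entry.otp_type == "totp":
        entry.period = int(params.get("period", "30"))
        if entry.period <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp URI without counter")
        entry.counter = int(params["counter"])
    return entry


def to_otpauth(e: OtpEntry) -> str:
    """Emit the URI again, e.g. to hand an entry to another app when migrating."""
    label = f"{e.issuer}:{e.account}" if e.issuer else e.account
    params = {
        "secret": base64.b32encode(e.secret).decode("ascii").rstrip("="),
        "algorithm": e.algorithm,
        "digits": str(e.digits),
    }
    if e.issuer:
        params["issuer"] = e.issuer
    if e.otp_type == "totp":
        params["period"] = str(e.period)
    else:
        params["counter"] = str(e.counter)
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)   # %20, not '+', for spaces
    return f"otpauth://{e.otp_type}/{urllib.parse.quote(label, safe='@:')}?{query}"
```

The `secret` field of the resulting entry is what an RPC or RPA bot would feed into a standard RFC 6238 TOTP routine, so the parsed record deserves the same handling as a password: never log the URI, and keep exported lists of them encrypted at rest.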
About the Author:
Mathias Conradt is CTO & Co-Founder at Quasr, a European Identity & Privacy Platform. Quasr is not affiliated in any way with the app vendors presented in this article. This article is purely based on the author’s personal preferences and experience. Quasr supports Time-Based One-Time Passwords as authentication factors and works with any of the applications mentioned in this article.