Best 2FA Authenticator Apps in 2026: A Practical Buyer's Guide

Affiliate disclosure & methodology. Some links in this article are affiliate links. If you click through and subscribe, Smart Secure Haven may earn a commission at no additional cost to you. This is a documentation-based buyer's guide: every feature claim is sourced to the vendor's published documentation or to a named third-party reference (NIST, vendor security pages). We have not run a controlled head-to-head benchmark and do not present synthetic accuracy numbers. See our full disclosure.

The short answer

For most people, the best authenticator app is the one that ships with the password manager you already use, plus a hardware security key for your most sensitive accounts. The stand-alone "free authenticator app" market has consolidated around Google Authenticator and Microsoft Authenticator; both are reasonable choices and free, and both tie cloud backup to a single ecosystem. If you don't yet use a password manager, get one; that decision matters more than which authenticator app you pair with it.

Sources for this guide

Why the type of second factor matters

The "second factor" in two-factor authentication is shorthand for a second piece of evidence that you are who you say you are, beyond a password. Not all second factors are equal. The hierarchy, from weakest to strongest, looks roughly like this:

  1. SMS / voice OTP. Vulnerable to SIM-swap attacks and to interception at the carrier. Better than nothing, worse than every option below. NIST SP 800-63B classifies out-of-band authentication over the public telephone network (SMS and voice) as "restricted" and requires that a non-restricted alternative be offered.
  2. Email OTP. Only as strong as the mailbox it lands in. If your email is the recovery target for everything else, email OTP on the email account itself is circular.
  3. TOTP authenticator app (RFC 6238). Derives a 6- or 8-digit code from a shared secret stored on your device and the current 30-second time step. Resistant to SIM-swap and to attacks on the carrier; not phishing-resistant, because a fake site can relay a code you type to the real site within the code's validity window.
  4. Push-based mobile authenticator. The provider sends a push notification to your phone for you to approve. Number matching (typing a number shown on the login screen into the app) defeats blind-approval "MFA fatigue" attacks, where an attacker who has your password spams you with prompts until you tap approve. It does not stop an adversary-in-the-middle proxy that relays your genuine login and shows you the genuine number, so push is still not phishing-resistant.
  5. Hardware security key (FIDO2 / WebAuthn). A physical device you tap or insert. Phishing-resistant by design: the credential is scoped to the site's domain (the RP ID), the browser rather than the web page writes the actual origin into the data the key signs, and the server checks both, so a look-alike domain gets no usable signature.
  6. Passkeys. A WebAuthn credential that is either bound to one device or synced through a platform keychain (iCloud Keychain, Google Password Manager, a password manager). Same origin binding as a hardware key, so the same phishing resistance; a synced passkey additionally depends on the security of the account that syncs it. Can replace both password and second factor. Strongest practical option for sites that support them.

For most consumers, the practical sweet spot in 2026 is: passkeys where supported, TOTP where not, and a hardware key for the highest-value accounts (primary email, password manager, financial, work).

The shortlist of authenticator apps

Google Authenticator

Free, available on iOS and Android. The help center documents that it now supports cloud sync of TOTP seeds tied to your Google account. That is convenient, but it means recovery of your second factor depends on the security of your Google account. Use a hardware key on your Google account if you turn on Authenticator cloud sync.

Best for: users already deeply in Google's ecosystem who want the simplest possible authenticator and don't object to ecosystem-tied recovery.

Microsoft Authenticator

Free, available on iOS and Android. The product page describes TOTP code generation, push approvals (with number matching for Microsoft accounts and Entra ID), and passkey support. Microsoft announced in 2025 that password storage and autofill were moving out of Authenticator and into Edge, so confirm the current feature list on the product page before relying on it as a password manager.

Best for: users on Microsoft 365 / Entra ID at work, or anyone who wants push-based approvals with number matching.

1Password

Paid. The 1Password TOTP help describes how to store TOTP seeds inside the same vault as the password and have 1Password fill the 6-digit code automatically. The trade-off: same vault means same blast radius if the vault is compromised.

Best for: 1Password users who already have hardware-key 2FA on the 1Password account itself, want consolidated password + TOTP fill, and accept the same-vault trade-off for everything except their highest-value accounts.

NordPass

Paid (free tier available). NordPass advertises a built-in authenticator that stores TOTP secrets and autofills 2FA codes alongside the password. Same trade-off as 1Password: convenience vs. blast radius. View NordPass plans on the vendor site to confirm current pricing.

Best for: existing NordPass users who want one app for both factors. Stand-alone TOTP is a smaller portion of the value proposition than the password manager itself.

Bitwarden Authenticator

The Authenticator Keys help describes TOTP storage in the Bitwarden vault on paid (Premium) plans. Bitwarden also publishes a separate, free, stand-alone Bitwarden Authenticator app that stores TOTP secrets independently of the password vault, which preserves the separation-of-factors property if that's what you want.

Best for: users who like Bitwarden's open-source posture, and especially users who want the separate-app version of Bitwarden Authenticator.

Proton Pass

From Proton, the makers of Proton Mail and Proton VPN. Stores 2FA TOTP secrets alongside passwords. Privacy-focused company posture, end-to-end encrypted vault. View Proton Pass plans on the vendor site to confirm current pricing.

Best for: users already in the Proton ecosystem (Mail, VPN) who want everything under one privacy-oriented vendor.

Hardware keys (YubiKey and others)

Hardware FIDO2 / WebAuthn keys (like YubiKey) are not authenticator apps, but they belong on this list because they are the strongest commonly-available second factor. A hardware key on your primary email and your password manager is the highest-leverage security upgrade most consumers can make. Plan for two keys (a primary and a backup), and register both on every account at the time you enrol: a backup key that was never registered is not a backup.

Decision framework

  • You don't have a password manager yet → start there. See our best password managers guide first.
  • You have a password manager and want one app for everything → use the manager's built-in TOTP, but put a hardware key on the manager itself.
  • You want strict separation of factors → use a stand-alone authenticator app (Google, Microsoft, or Bitwarden Authenticator's separate app), not the password manager's built-in TOTP.
  • For your three most valuable accounts (primary email, password manager, primary financial) → use a hardware key as the primary second factor and a TOTP backup.
  • For SMS-only sites → enable 2FA anyway (it's better than nothing), and lobby the vendor for a TOTP / passkey option.

Migration: how to move TOTP secrets between apps

This is one of the most common reasons people get stuck on a sub-optimal authenticator app: the cost of moving 30 TOTP secrets to a new app feels prohibitive. It does not have to be:

  1. Pick the new app first. Read its TOTP-import documentation before starting. Some apps support QR-code import from another authenticator, but formats differ: Google Authenticator's transfer feature exports an otpauth-migration:// QR code that only apps which understand that format can read, while most apps import a standard otpauth:// QR code or let you view the raw secret so you can scan or type it into the new app.
  2. Move accounts in priority order. Primary email first; password manager second; financial accounts third. Stop after those if you can't move all 30 in one sitting; you've already protected the most valuable ones.
  3. For each account, generate fresh recovery codes and store them in your password manager before disabling old 2FA.
  4. Disable old 2FA, set up new 2FA. Test sign-in from a private window before closing the migration ticket.
  5. Don't lose the old device until you've verified the new one works for every account. Two functioning second factors is the safe state during a migration.

What about Authy?

Twilio retired the Authy desktop apps in 2024 and moved users to the mobile-only product. If you were an Authy user and have been pushed to a successor or a different app, the migration playbook above applies. The most common destinations have been Google Authenticator (with cloud sync), Microsoft Authenticator, or a password-manager-integrated TOTP store.

Common mistakes

  • Storing TOTP backup codes in your email. If your email is compromised, the backup codes for everything else are too. Store them in your password manager (or printed in a safe).
  • Single point of failure on your phone. If your only TOTP device is one phone and you lose it, recovery is painful. Use a tool that syncs across devices, or maintain a backup device in a drawer.
  • SMS 2FA on accounts that matter. Replace with TOTP or hardware-key 2FA on primary email, password manager, and financial accounts.
  • Putting everything in one ecosystem. If a single ecosystem (Google, Microsoft) holds both your password manager and your authenticator app, and that ecosystem's account recovery is weak, one account takeover yields both factors for everything.
  • Forgetting to enable 2FA on your password manager itself. The manager is the most valuable account in your life. Hardware-key 2FA on the manager is the single highest-leverage security action.

Related reading

FAQ

Is using my password manager for TOTP a real security problem?
It's a trade-off, not a fatal flaw. The same-vault risk is real but bounded: anyone who gets into the vault gets both factors for every account stored there, so the protection of the vault itself (a strong master password plus hardware-key 2FA on the vault) is the load-bearing piece, and your highest-value accounts should keep a second factor outside the vault.

What's the simplest thing I can do this week?
Three steps: install a password manager if you don't have one; add a hardware key as the primary 2FA on your primary email; replace SMS 2FA with TOTP on every account that supports it. That puts you well ahead of the typical consumer with a few hours of work.

Are passkeys the future?
The FIDO Alliance and most major operating-system vendors are pushing in that direction. Adoption on the long tail of websites is uneven. For sites that already support passkeys, use them. For everywhere else, TOTP plus a hardware key remains the practical answer.

Are these apps free?
Google Authenticator and Microsoft Authenticator are free. Bitwarden's stand-alone Authenticator app is free; TOTP generation inside the Bitwarden vault requires a paid Premium plan. 1Password, NordPass, Proton Pass, and most other password-manager-integrated authenticators require a paid subscription for full features. Confirm current pricing on each vendor's site.


Disclaimer: This article is for general security education only. It is not legal or compliance advice. Threat models differ by individual; if you have specific high-risk needs (executive protection, journalism in hostile jurisdictions, etc.), work with a qualified security professional.