2FA Apps - Two Factor Authentication - Discussion Thread

I have realised that I have become too dependent on Google Authenticator. As part of my de-googling efforts it is about time to use another app that is more privacy- and security-minded than GA rather than convenience-minded. Tbf, GA saved my dumbass once when my Pixel 4a phone died. All the codes were backed up in the cloud. But now I’m willing to put more effort into local sync etc.

So please list your different experiences of using various 2FA apps. What are the pros and cons of each? Open source, local sync, developed by a credible dev/org etc. are preferable, but any suggestion of a reasonably better app than GA is welcome.

Reminder - this thread is just about the 2FA apps; let us not crowd this with other security topics.

Proton Authenticator is end-to-end encrypted, open source.

Bulwark, for passkeys: https://bulwark.id/

There was another thread: 2FA Apps - Two Factor Authentication - Discussion Thread

1 Like

Aegis

Has local backup and it's perfect.

1 Like

KeePassXC has it, but it kinda defeats the purpose as it's supposed to be separate from passwords.

I use YubiKey now instead of Google Authenticator. YubiKey is nice, you will need to have access to it physically and you can copy TOTP through its authenticator app.

We also have pyotp, which is a Python library for stuff like this. Have never used it, but we can use our own application through that.

1 Like

Using Authy here.

1 Like

Aegis is best combo with KeePassXC

1 Like

I use self-hosted 2FAuth. It’s just a web-app with browser extension. The web-app is protected with OIDC (passkeys) and passkeys are stored in Vaultwarden.

2 Likes

As others already suggested:
Authy — Cross-platform, cloud backup of TOTP, multi-device sync. Good for most people.
Aegis (Android) — Open source, strong option for users who want control and privacy.
Proton Authenticator — Open source, no ads, encrypted backups, cross-device support.

Microsoft Authenticator — Best for those in Microsoft’s ecosystem. Fast push approvals, seamless with Microsoft accounts and Azure AD, and supports TOTP for others. Backups tie to your Microsoft account, but this means trusting their cloud. Closed source and less flexible than Authy for non-Microsoft services.

2 Likes

Avoid Authy and Microsoft. Slow and bloated.

1 Like

Host Vaultwarden.

Compatible with Bitwarden front-end apps.

Stores pw, codes and passkeys.

1 Like

I’ve been using Ente Auth for more than a year. It’s simple, gives an option to host 2FA either locally or on cloud. It’s open-source, free, and supported on all platforms.

Performance depends on device resources and internet, so slow can vary. Regarding bloated, some in the security community label Authy and Microsoft Authenticator this way because they bundle extra features—cloud backup, multi-device sync, push approvals, and account management—that increase attack surface. They aren’t inherently inefficient or resource-heavy.

I’m using Authy too. But I wouldn’t recommend it today, as they have discontinued the desktop client.

If I were to choose a fresh client today, I would go for something open source, which doesn’t need any updates, and something that allows me to take a backup of the parent QR codes.

Authy feels too platform locked. If it goes down tomorrow, I’ll be f’d.

1 Like

Yeah, it's sad they discontinued it last year. I’m looking for one which has presence both for Windows and Android.

Do you know any which works on both platforms?

Microsoft is buggy is what people say.

I’ll probably use one of the suggestions from this thread. I don’t have personal recommendations.

Also, I wouldn’t risk it all with some GitHub/open-source app but will only prefer some proven strong brand just like Google or a company who is into securities.

2 Likes

Self hosting comes with caveats in reliability and can end up being troublesome if your host goes down. Availability is more important than privacy in those cases, but then most offer E2E encryption on something like an Azure or Google cloud, so for most, makes no sense to self-host.

I wouldn’t mind 2 different apps, one for Android and another one for Windows, but it comes with an additional headache of re-configuring the 2FA separately for both devices.

I use Microsoft Authenticator for all my Outlook accounts because there is nothing more convenient than the one-tap Face ID approval for those accounts. However, iOS messes up work and personal accounts and I switched to Google Authenticator at some point for cloud backup due to losing my accounts once before. However, would be happy to move that part to a different Authenticator app.

1 Like

I initially used Google Authenticator but switched to MS after losing access to it. I needed a solution with cloud backup so it would not be device-dependent. Cloud backup introduced additional security risks, so I chose MS over Authy. So far, I have not encountered any issues with MS. I do not rely heavily on authenticators, since most of my 2FA needs are already covered through OTP or hardware security keys. I primarily use the authenticator for official purposes.

1 Like