Authenticator app

An authenticator app generates time-based one-time passwords (TOTP) — six-digit codes that rotate every 30 seconds — used as the second factor in two-factor authentication.

Common authenticator apps

• Google Authenticator — simple, free, no cloud sync (which is a privacy win and a recovery downside).
• Authy — cloud sync across devices, more recovery flexibility.
• 1Password — built into the password manager, very convenient.
• Microsoft Authenticator — solid but with rougher cross-device migration.

Why authenticator beats SMS

Codes generate locally on your device. An attacker would need to physically have your phone (and your phone’s unlock) to read them. SMS codes, by contrast, are vulnerable to SIM-swap attacks — the dominant takeover pattern in 2026.

Setup gotchas

• Save the QR code or secret during setup, in case you need to re-add the account later.
• Generate backup codes at the same time — your fallback if you lose the authenticator.
• Don’t store backup codes in the same device as the authenticator.

See post-recovery security checklist for full setup guidance.