iPhone/Mac 2FA authenticator apps

What is a good authenticator app to use on the Mac and the iPhone, and does it have to be the same one?

Preferably free or low cost. It’s mainly for 1Password.

Both iPhone and Mac are updated to the latest OS.

Thanks,
Rick

Ordinarily I’d say 1Password is a good authenticator app, but you want to use it for 2FA for 1Password itself.

Here I have to question whether that adds security. Let’s say you have 1Password on your iPhone, and your chosen authenticator doesn’t require its own password each time it is used (where would you store that password???). So we have:

  • No 2FA: Use FaceID or PIN to unlock iPhone. Use FaceID or password to unlock 1Password.
  • 2FA: Use FaceID or PIN to unlock iPhone. Use FaceID or password to unlock 1Password, plus enter the 2FA code from an authenticator which requires no further authentication than you’re already able to provide (i.e., FaceID or PIN).
1 Like

I’ve been using Google Authenticator for quite a long time. It gets the job done.

I am not a particular fan of Google’s, but Authenticator does not require any Google access credentials (unless you want to sync the keys between devices using their cloud services).

I run my installations logged-out, so everything remains on my device. I use its built in export (to QR code) feature to sync keys between my devices.

As far as I know, every authenticator app implements the same TOTP algorithm (based on RFC 6238), and they can all ingest the same otpauth: URI via QR codes for easy installation. So you should be able to just compare each app’s feature list and pick whatever one you like best.

2 Likes

I can’t find Google Authenticator for desktop. The App Store has a few but not sure which one is from Google.

You might find this earlier thread helpful:

I’ve used Google Authenticator, without a Google login active, for many years. I like it because it is maintained by a company with vast development resources, which reduces the risk of the app being abandoned or discontinued, and is very widely adopted so breaches or flaws will be discovered quickly and receive lots of media coverage.

1 Like

The problem is if my iPhone is not available when needing an authenticator app on my Mac desktop to sign into 1Password. So, I need one for the Mac.

Doesn’t Apple Passwords (part of macOS) support 2FA codes?

1 Like

Thanks. Most mentioned are for iOS. And Authy recently had a breach, mentioned here in TidBITS.

Yes, and in case it isn’t well known, you can store the same authenticator code in multiple authenticator apps.

I used to think you needed to screen-capture the QR code and save it. But it’s easier than that. The QR is just encoding a string like C9YZ 3QP9 6X4A 8PUW. When the system creates a QR code for you to scan, there’s an option to see the real code. You can copy that string and paste it into the authenticator apps.

And, you don’t have to save that string separately. In 1Password, if you edit a login item that contains a 2FA code, it will show you the real code string.

1 Like

You are correct. I don’t think Google makes a desktop version of Authenticator.

As I understand it, the breach was in customer phone numbers, which can be used in conjunction with a SIM-swapping attack to synchronize your keys to an unauthorized device.

But if you don’t sync with Authy’s cloud server (keeping everything local, like I do with my Google Authenticator), then that shouldn’t matter, because there would be no cloud data to sync.

UPDATE: It appears that Authy doesn’t let you use their app without an account in their cloud service. And they don’t provide any ability to export your keys to a third-party app (source: PCMag). So that makes them unacceptable to me.

In general, I don’t trust any authenticator with cloud-sync capabilities, because that cloud service becomes a point of failure. If it breaches, then an attacker can get all your keys. But if they stay on your phone (or on a piece of paper in a secure location), that vector won’t exist.

But nothing here changes my point - that they all implement the same algorithm. So you should compare apps based on their features and costs. And some of Authy’s features (mandatory cloud storage, no export) are unacceptable to me.

2 Likes

FWIW, here’s PCMag’s recommendation for authenticators (dated July 2025): The Best Authenticator Apps for 2025 | PCMag

Their top-rated app is one I’ve never heard of before: 2FAS

Has anyone here used it? Opinions?

See AppBITS: Proton Authenticator Takes on 2FA Apps for lots of recommendations that work across iOS/Mac/Watch/Safari

I think your logic is sound, but as someone who (1) rarely uses Google products but (2) has been burned multiple times by Google seemingly arbitrarily killing off projects that they promoted, I think it’s important to remember that Google makes no guarantees.

3 Likes

I’ve reluctantly embraced Apple’s Passwords app. It’s frictionless if you use up-to-date Apple things, and, well, I use up-to-date Apple things at least to do all the things I use passwords on. And it supports TOTP and syncs the seeds via iCloud.

It’s as secure as your device and iCloud account, and I have gotten religion this year about keeping my devices and iCloud accounts well secured. If you’re more casual about your device security, you might want to use something else.

2 Likes

True. I’d just add from a risk management perspective, I think it’s much more likely an individual developer or a small company with a limited product range would be forced to stop supporting their authenticator app. In any case, I’d say keeping a “backup” of 2FA credentials in a second app—Apple Passwords is an obvious candidate for TBT people—and switching to passcodes where possible goes a long way in mitigating shut down risk for any authenticator.

1 Like

The solution for me, that I didn’t think about, is using Apple’s Passwords for the authentication app for 1Password, and it syncs to all of my Apple devices as does 1Password. I don’t use Passwords for anything else at this time.

Thank you everyone for your advice!!!

Rick

2 Likes

Somehow, I ended up with 6 authenticator apps on my phone.
Both Microsoft and Google, of course. My health provider website had me install its own app. I have Adobe’s branded authenticator, plus Authy.
Is it best practice to use only a single authenticator for everything?

1 Like

I use Microsoft Authenticator on my iPhone. I used to use Authy but moved off after the breach. I had used Google Authenticator but their continued policy of killing off all good things was enough to make me stop. I am currently interested in the new Proton Authenticator but there is a bug preventing me from testing it fully – Proton support claims it will be fixed in the next release.

I really think it doesn’t matter. I like having everything in one place, plus I prefer using an app that cannot be accessed without a separate/discrete passphrase or PIN (though can be unlocked with biometrics.) For a while I had Synology’s Secure Signin app set up to approve log ins until I reset my iPhone and could no longer approve them (my iPhone could no longer communicate that it received the code), so now I am using TOTP with my Synology accounts in my app of choice (OTP Auth). In the past I also used Microsoft Authenticator IIRC because they had a proprietary 2FA (:roll_eyes:) but that changed somehow.

OTP Auth does have a Mac app but it is $5.99 (the last I checked) and I just don’t need TOTP on my Mac - I always have my phone or my watch (or my iPad) close by anyway.

But I do have a few 2FA codes in 1Password just because I need to access them each time I log in, 1Password makes it easy to paste them, and they aren’t critical accounts anyway, like banking/financial/cloud account apps.

FWIW I just received the app update on my phone that mentioned this bug this morning. (I have the app installed but no TOTP set up in it anymore because it lacks a separate passcode from the device passcode.)

Since they are all probably running the same TOTP algorithm, there’s no technical reason why you can’t use one app for them all. But that being said…

  • It may not be easy to export your tokens from one app to import them into another.

  • Some apps may have additional features that can’t be replicated by moving a token.

    For example, my employer uses the Okta system for remote access. Okta does allow authentication via TOTP codes, and I have installed codes in my Google Authenticator app installations. But Okta also supports authentication via push notification - the server pushes something to your phone, which pops up an “is this request from you?” screen. You can then just tap the “Yes” button to complete the authentication. (Google’s web services also do this if you have an Android phone.)

    If one of your services uses/requires such an app, then you obviously can’t replace it with a generic authenticator.